From marc at merlins.org Sat Nov 16 01:21:07 2002
From: marc at merlins.org (Marc MERLIN)
Date: Fri, 15 Nov 2002 17:21:07 -0800
Subject: [SA-exim] sa-exim 2.2 feedback?
Message-ID: <20021116012107.GB23139@merlins.org>

I'm curious how many people are using sa-exim 2.2 vs the ones that just
got whichever version worked for them back then and stuck with it :-)

I'm getting pretty good results with teergrubing and enjoy reading my
logs to see how much I held up spammers on a daily basis. I'm actually
surprised by how many spams score 25 or more and generate a teergrube.

How about you guys, any good bad experiences with this?
(I've had a few pileups but those were due to SA hanging and not
honoring the timeouts it was supposed to set)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From sana at cchsa.ca Mon Nov 18 14:05:49 2002
From: sana at cchsa.ca (Ariel Sandberg)
Date: Mon, 18 Nov 2002 09:05:49 -0500
Subject: [SA-exim] sa-exim 2.2 feedback?
Message-ID: <8A50AF98713A694492CE770792853432048C8F@CCHSA5.int.cchsa.ca>

Well I've been using sa-exim for about 1 week. I have no experience with
any of the other versions but here are my experiences:

I started with a very aggressive score of 5.6. This was stopping a lot of
crap but unfortunately it did stop some valid emails that were generated by
Air Canada's ticket receipt/Itinerary Generator as well as some other emails,
so I raised the score to 8. I'm still stopping a lot of crap though!
Although some crap has scored under.

I was thinking about teergrubbing but I was not sure about what sort of
performance it would cost our mail hub? I imagine none since it would be
doing nothing but stalling, but was not sure.

I'm extremely pleased with the results though.

Thanx for all your work Marc.
Cheers,
Ariel

> -----Original Message-----
> From: Marc MERLIN [mailto:marc@merlins.org]
> Sent: Friday, November 15, 2002 8:21 PM
> To: sa-exim@lists.merlins.org
> Subject: [SA-exim] sa-exim 2.2 feedback?
>
>
> I'm curious how many people are using sa-exim 2.2 vs the ones that just
> got whichever version worked for them back then and stuck with it :-)
>
> I'm getting pretty good results with teergrubing and enjoy reading my
> logs to see how much I held up spammers on a daily basis. I'm actually
> surprised by how many spams score 25 or more and generate a teergrube.
>
> How about you guys, any good bad experiences with this?
> (I've had a few pileups but those were due to SA hanging and not
> honoring the timeouts it was supposed to set)
>
> Marc
> --
> "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> Microsoft is to operating systems & security ....
>                                       .... what McDonalds is to gourmet cooking
> Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
>
> _______________________________________________
> SA-Exim mailing list
> SA-Exim@lists.merlins.org
> http://lists.merlins.org/lists/listinfo/sa-exim
>

From marc at merlins.org Mon Nov 18 15:59:34 2002
From: marc at merlins.org (Marc MERLIN)
Date: Mon, 18 Nov 2002 07:59:34 -0800
Subject: [SA-exim] sa-exim 2.2 feedback?
In-Reply-To: <8A50AF98713A694492CE770792853432048C8F@CCHSA5.int.cchsa.ca>
References: <8A50AF98713A694492CE770792853432048C8F@CCHSA5.int.cchsa.ca>
Message-ID: <20021118155934.GI13562@merlins.org>

On Mon, Nov 18, 2002 at 09:05:49AM -0500, Ariel Sandberg wrote:
> Well I've been using sa-exim for about 1 week.
> I have no experience with
> any of the other versions but here are my experiences:
>
> I started with a very aggressive score of 5.6. This was stopping a lot of
> crap but unfortunately it did stop some valid emails that were generated by
> Air Canada's ticket receipt/Itinerary Generator as well as some other emails,
> so I raised the score to 8. I'm still stopping a lot of crap though!

I think both are too aggressive, unless you're not using RBLs at all.
I issue a tempreject at 10, a permreject at 12, and I teergrube at 25.

I still receive a spam here and there, but very little overall.

> I was thinking about teergrubbing but I was not sure about what sort of
> performance it would cost our mail hub? I imagine none since it would be
> doing nothing but stalling, but was not sure.

You're not going to use up CPU, but it will use up your RAM for a little
longer and it will use up a process slot and a few sockets for a little
longer too.
In other words, unless you have an extremely loaded mail server, you
shouldn't notice the slight extra load.

> I'm extremely pleased with the results though.

Glad that it works ok for you.

Cheers,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From sana at cchsa.ca Tue Nov 19 20:59:17 2002
From: sana at cchsa.ca (Ariel Sandberg)
Date: Tue, 19 Nov 2002 15:59:17 -0500
Subject: [SA-exim] sa-exim 2.2 feedback?
Message-ID: <8A50AF98713A694492CE770792853432048C9E@CCHSA5.int.cchsa.ca>

> I think both are too aggressive, unless you're not using RBLs at all.
> I issue a tempreject at 10, a permreject at 12, and I teergrube at 25.

Can you tell me what exactly tempreject does? I was reading through the
documented config file but am a little uncertain when and why I would need
it?

I took your suggestion and raised the permreject.
TY
Ariel

>
> I still receive a spam here and there, but very little overall.
>
> > I was thinking about teergrubbing but I was not sure about what sort of
> > performance it would cost our mail hub? I imagine none since it would be
> > doing nothing but stalling, but was not sure.
>
> You're not going to use up CPU, but it will use up your RAM for a little
> longer and it will use up a process slot and a few sockets for a little
> longer too.
> In other words, unless you have an extremely loaded mail server, you
> shouldn't notice the slight extra load.
>
> > I'm extremely pleased with the results though.
>
> Glad that it works ok for you.
>
> Cheers,
> Marc
> --
> "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> Microsoft is to operating systems & security ....
>                                       .... what McDonalds is to gourmet cooking
> Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
>

From marc at merlins.org Tue Nov 19 21:05:30 2002
From: marc at merlins.org (Marc MERLIN)
Date: Tue, 19 Nov 2002 13:05:30 -0800
Subject: [SA-exim] sa-exim 2.2 feedback?
In-Reply-To: <8A50AF98713A694492CE770792853432048C9E@CCHSA5.int.cchsa.ca>
References: <8A50AF98713A694492CE770792853432048C9E@CCHSA5.int.cchsa.ca>
Message-ID: <20021119210530.GY8079@merlins.org>

On Tue, Nov 19, 2002 at 03:59:17PM -0500, Ariel Sandberg wrote:
> Can you tell me what exactly tempreject does? I was reading through the
> documented config file but am a little uncertain when and why I would need
> it?

tempreject tells the remote mail server that you are temporarily not
accepting their Email. Almost all mail servers will retry to send the
message for up to 5 days or so.
In the meantime, you have the option to read your logs, inspect mails that
you are rejecting (if you enabled the option to save them on disk) and
possibly whitelist the mail so that you accept it next time it comes around

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From merlins.org at paulm.com Wed Nov 20 01:33:06 2002
From: merlins.org at paulm.com (Paul Makepeace)
Date: Wed, 20 Nov 2002 01:33:06 +0000
Subject: [SA-exim] sa-exim 2.2 feedback?
In-Reply-To: <20021119210530.GY8079@merlins.org>
References: <8A50AF98713A694492CE770792853432048C9E@CCHSA5.int.cchsa.ca> <20021119210530.GY8079@merlins.org>
Message-ID: <20021120013306.GA22430@mythix.realprogrammers.com>

On Tue, Nov 19, 2002 at 01:05:30PM -0800, Marc MERLIN wrote:
> On Tue, Nov 19, 2002 at 03:59:17PM -0500, Ariel Sandberg wrote:
> > Can you tell me what exactly tempreject does? I was reading through the
> > documented config file but am a little uncertain when and why I would need
> > it?
>
> tempreject tells the remote mail server that you are temporarily not
> accepting their Email. Almost all mail servers will retry to send the
> message for up to 5 days or so.
> In the meantime, you have the option to read your logs, inspect mails that
> you are rejecting (if you enabled the option to save them on disk) and
> possibly whitelist the mail so that you accept it next time it comes around

Here's an idea I've had floating about for a while:

Would it be possible to have tempreject somehow wait for a preset
period, so keep deferring it for say four hours? I presume this would
need to hook into a DBM file or some store to keep track, with an MD5 or
Nilsimsa sig key for the message.

The purpose would be to ultimately accept the message but give the
collaborative databases (blacklists, razor, DCC, others?)
time to react.
If the message ended up annoying any of those lists it might tip its SA
score into the permreject bin.

Looking at the local_scan code etc has been on my todo list for a bit.
If there's interest in this and folks think it's viable/reasonable I
would spend some time on this idea.

Cheers,
Paul

PS Thank you Marc for the work! I'm running the patched, pre-teergrubbe
code on a couple of boxes.

--
Paul Makepeace ....................................... http://paulm.com/

"What is God?
 A pox on you for asking such a thing!"
   -- http://paulm.com/toys/surrealism/

From marc at merlins.org Fri Nov 22 15:47:30 2002
From: marc at merlins.org (Marc MERLIN)
Date: Fri, 22 Nov 2002 07:47:30 -0800
Subject: [SA-exim] sa-exim 2.2 feedback?
In-Reply-To: <20021120013306.GA22430@mythix.realprogrammers.com>
References: <8A50AF98713A694492CE770792853432048C9E@CCHSA5.int.cchsa.ca> <20021119210530.GY8079@merlins.org> <20021120013306.GA22430@mythix.realprogrammers.com>
Message-ID: <20021122154730.GL6029@merlins.org>

On Wed, Nov 20, 2002 at 01:33:06AM +0000, Paul Makepeace wrote:
> Would it be possible to have tempreject somehow wait for a preset
> period, so keep deferring it for say four hours? I presume this would
> need to hook into a DBM file or some store to keep track, with an MD5 or
> Nilsimsa sig key for the message.

Right.
Well, I guess you *could* just save the message-id and do a stat on it when
the mail comes back and accept it if the diff is big enough

> The purpose would be to ultimately accept the message but give the
> collaborative databases (blacklists, razor, DCC, others?) time to react.
> If the message ended up annoying any of those lists it might tip its SA
> score into the permreject bin.

I get the idea, yes.

> Looking at the local_scan code etc has been on my todo list for a bit.
> If there's interest in this and folks think it's viable/reasonable I
> would spend some time on this idea.
I don't think I will implement that myself because I don't really need it
that badly, but that sounds like a decent plan.

I think the simplest way to implement that would be:
- require admin to save Emails for which you issued a tempredirect (by only
  using the message-id as the filename, not unixtime_mesgid)
- If a message triggers tempreject, before saving it, check if it's already
  there on disk
- if it's there, look at the time delta and if the delta is too small, don't
  save the message a second time and issue a tempredirect again
- if the time delta is bigger than a config value, accept the message

If you're worried about not saving too much of the message, you can set
SAmaxbody to a very small value.

Come to think of it, this doesn't sound that hard to implement, I may
actually write it, but this will wait for the next time I feel compelled
to muck with the code, which may not be anytime soon :-)
(of course, I would accept a patch)

> PS Thank you Marc for the work! I'm running the patched, pre-teergrubbe
> code on a couple of boxes.

Glad to hear it's useful to a few other people than me :-)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From dmabe at runningland.com Fri Nov 22 22:03:52 2002
From: dmabe at runningland.com (Mabe, David M)
Date: Fri, 22 Nov 2002 17:03:52 -0500
Subject: [SA-exim] PANIC: SA: could not parse X-Spam-Status
Message-ID: <1E3CDC3D20FEFC469492E5AC0B47421102C77F@server3.runningland.com>

I get messages in my exim logs that look like this, and messages get
written to the SAerrorsave directory. Other than this annoyance, it
seems like everything is working correctly and the messages actually get
delivered. Does this indicate something is wrong? Do I have some
configuration setting incorrectly set?

Thanks!
Dave

2002-11-22 16:57:00 18FH6u-0002UH-00 SA: PANIC: SA: could not parse
X-Spam-Status: to extract hits and required. Bad!. Got: 'X-Spam-Status:
No, hits=2.8 req
uired=5.0 tests=BIG_FONT,HTML_70_90,SPAM_PHRASE_05_08 version=2.43
' (but message was accepted)
2002-11-22 16:57:00 18FH6u-0002UH-00 SA: Writing message to
/var/spool/exim/SAerrorsave//1037984220_89D097CC1D003643BB9F13714BA9723B
0220E21E@OCCLUST01EVS1.u
gd.att.com

From marc at merlins.org Fri Nov 22 22:14:59 2002
From: marc at merlins.org (Marc MERLIN)
Date: Fri, 22 Nov 2002 14:14:59 -0800
Subject: [SA-exim] PANIC: SA: could not parse X-Spam-Status
In-Reply-To: <1E3CDC3D20FEFC469492E5AC0B47421102C77F@server3.runningland.com>
References: <1E3CDC3D20FEFC469492E5AC0B47421102C77F@server3.runningland.com>
Message-ID: <20021122221459.GB8079@merlins.org>

On Fri, Nov 22, 2002 at 05:03:52PM -0500, Mabe, David M wrote:
> I get messages in my exim logs that look like this, and messages get
> written to the SAerrorsave directory. Other than this annoyance, it
> seems like everything is working correctly and the messages actually get
> delivered. Does this indicate something is wrong? Do I have some
> configuration setting incorrectly set?
>
> Thanks!
> Dave
>
> 2002-11-22 16:57:00 18FH6u-0002UH-00 SA: PANIC: SA: could not parse
> X-Spam-Status: to extract hits and required. Bad!. Got: 'X-Spam-Status:
> No, hits=2.8 req
> uired=5.0

Mmmh, does spamc (if you run it by hand against the EMail) really output
req uired=x.x
SA-Exim gets very confused if it gets an X-Spam-Status line truncated in the
middle like that...

For reference, it's supposed to look like this:
X-Spam-Status: No, hits=-98.1 required=7.0
        tests=FROM_AND_TO_SAME_1,NO_REAL_NAME,SPAM_PHRASE_03_05,
              USER_IN_WHITELIST
        version=2.41

BTW, which version of SA are you using?

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
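
Added example (not sa-exim's code and not from any post in this thread): a C parser for the X-Spam-Status header discussed in the last two messages, which pulls out hits and required and then applies the thresholds Marc gave earlier (tempreject 10, permreject 12, teergrube 25). The names get_num, parse_status and decide are made up for illustration; the "accept when the header cannot be parsed" branch mirrors the "(but message was accepted)" text in David's log.

```c
#include <stdlib.h>
#include <string.h>

enum action { ACCEPT, TEMPREJECT, PERMREJECT, TEERGRUBE };

/* Locate "key" (e.g. "hits=") at the start of a token and parse its number.
 * A key split by a stray line break ("req\nuired=") is simply not found. */
static int get_num(const char *hdr, const char *key, double *out)
{
    size_t klen = strlen(key);
    for (const char *p = hdr; (p = strstr(p, key)) != NULL; p += klen) {
        char *end;
        if (p != hdr && p[-1] != ' ' && p[-1] != '\t')
            continue;                      /* matched inside another word */
        *out = strtod(p + klen, &end);
        return end != p + klen ? 0 : -1;   /* -1: no digits after '=' */
    }
    return -1;
}

/* Returns 0 and fills hits/required only when both fields parse. */
int parse_status(const char *hdr, double *hits, double *required)
{
    static const char name[] = "X-Spam-Status:";
    if (strncmp(hdr, name, sizeof name - 1) != 0)
        return -1;
    hdr += sizeof name - 1;
    if (get_num(hdr, "hits=", hits) != 0)
        return -1;
    return get_num(hdr, "required=", required);
}

/* Thresholds from the thread: tempreject 10, permreject 12, teergrube 25.
 * An unparseable header falls through to ACCEPT, matching the
 * "(but message was accepted)" log line; callers should log that case. */
enum action decide(const char *hdr)
{
    double hits, required;
    if (parse_status(hdr, &hits, &required) != 0)
        return ACCEPT;
    if (hits >= 25.0) return TEERGRUBE;
    if (hits >= 12.0) return PERMREJECT;
    if (hits >= 10.0) return TEMPREJECT;
    return ACCEPT;
}
```

Because a parse failure ends in ACCEPT, a header that is consistently malformed lets every message through unscored, which is why the PANIC line is worth alerting on rather than treating as cosmetic.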
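
Added example (not sa-exim's code and not from any post in this thread): the delayed-accept idea Paul raised and Marc outlined on 22 Nov, written as a C function that keys a file on the Message-ID, temprejects the first delivery and accepts a retry once enough time has passed. The names delayed_accept and safe_name and the marker directory are made up, and it stores an empty marker file instead of the saved message Marc describes.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

enum verdict { V_TEMPREJECT, V_ACCEPT, V_ERROR };

/* The Message-ID is chosen by the sender, so map it to a file name that
 * cannot contain '/' or begin with '.' before it goes near the disk. */
static int safe_name(const char *msgid, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = msgid; *p; p++) {
        int ok = (*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z') ||
                 (*p >= '0' && *p <= '9') || *p == '@' || *p == '-' ||
                 (*p == '.' && n > 0);
        if (n + 1 >= outlen)
            return -1;                     /* over-long ID: refuse */
        out[n++] = ok ? *p : '_';
    }
    out[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* First sighting: create a marker named after the Message-ID and tempreject.
 * Later sightings: accept once the marker is at least min_delay seconds old. */
enum verdict delayed_accept(const char *dir, const char *msgid,
                            time_t now, time_t min_delay)
{
    char name[200], path[512];
    struct stat st;
    int fd;

    if (safe_name(msgid, name, sizeof name) != 0)
        return V_ERROR;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return V_ERROR;
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {                         /* not on disk yet */
        close(fd);
        return V_TEMPREJECT;
    }
    if (errno != EEXIST || stat(path, &st) != 0)
        return V_ERROR;
    return now - st.st_mtime >= min_delay ? V_ACCEPT : V_TEMPREJECT;
}
```

The O_EXCL create makes the "is it already on disk" check and the save a single step, so two simultaneous deliveries of the same Message-ID cannot both count as the first sighting.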