From coax at cornernet.com Tue Nov 4 12:57:48 2003
From: coax at cornernet.com (Coax)
Date: Tue Nov 4 10:58:19 2003
Subject: [SA-exim] SA-Exim feature request.. Possible? Impossible?
Message-ID:

Hiya, Marc.

CornerNet is now running sa-exim, throwing away anything that is of SA
score 15 or higher. (in short, anything that is really obvious.)

However, I do end up having to run spamassassin a second time in a global
procmail, as we do have some users who have specifically stated that they
do not wish any spam to be thrown from their mailbox, or to have a special
configuration of some kind. (whitelists, blacklists, etc.) We're throwing
the obvious stuff now; they don't have a choice about that anymore.

It would be *REAL* nice to avoid having to do SpamAssassin that second
time. Is there a way we could get exim to call spamc using the preferences
from the user(s) in the local part of the message?

I honestly doubt it because I don't think sa-exim calls spamassassin
directly for multiple local parts in a message... Only once, using the
global preferences file, or the preferences file of the calling user (in
this case on my system, 'mail')

There's got to be some way to cleanly get around this problem.

Any ideas?

Chad

From richard at lithvall.se Wed Nov 5 12:31:47 2003
From: richard at lithvall.se (Richard Lithvall)
Date: Wed Nov 5 03:32:15 2003
Subject: [SA-exim] SA-Exim feature request.. Possible? Impossible?
In-Reply-To:
References:
Message-ID: <3FA8DFA3.9060208@lithvall.se>

Coax wrote:
> Is there a way we could get exim to call spamc using the preferences from
> the user(s) in the local part of the message?
>
> I honestly doubt it because I don't think sa-exim calls spamassassin
> directly for multiple local parts in a message... Only once, using the
> global preferences file, or the preferences file of the calling user (in
> this case on my system, 'mail')

Correct.

> There's got to be some way to cleanly get around this problem.
>
> Any ideas?
Depending on what you want to accomplish you could do some or all of the
following:

1. Save permanently rejected messages and run a script[1] that resends
   the message to those that don't want anything thrown away (spammers
   still think that the message was rejected)
2. Use individual exim filters that check for SA headers and throw
   high-scored messages away [2]
3. Use individual exim filters that run SA once more for those who want
   to maintain local SA rules.

/Richard

[1] An example of such a script can be found here:
    (It takes a saved message file as argument and resends it to all
    recipients)

[2] For example like this:

    # Exim filter
    if $header_X-Spam-Level: begins "**********"
       and $header_X-SA-Do-Not-Rej: begins "Yes"
    then
        seen finish
    endif

From rick at linuxmafia.com Sun Nov 16 12:27:58 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Sun Nov 16 12:27:25 2003
Subject: [SA-exim] Side-effect involving mailing lists
Message-ID: <20031116202758.GI361@linuxmafia.com>

I'll admit to being a bit lazy in this, so feel welcome to tell me "Read
Your Friendly exim4.conf File" or "Read the Friendly Pipermail Archive"
-- but this might at least be mildly entertaining.

I _love_ sa-exim's teergrubing -- even though there are some unintended
consequences with relayed mail in sundry forms (backup MX, mailing lists).

1. The first couple of days after converting to sa-exim, I realised I was
   tarpitting my main backup MX, Richard Couture's myrddin.imat.com:
   Richard clings to an old-school "all mail is sacred" admin philosophy,
   was relaying large amounts of spam, and accordingly was getting "451
   Please try again later" upon attempting redelivery. When I realised
   this, I wrote Richard to thank him for years of generous help and
   discontinued all backup MX service.

   (Speculation: The notion of backup MXes will be collateral damage in
   the spam war: Unless all your MXes use the same antispam policy,
   they'll tend to sanction one another.)

2.
   Similarly, I've noticed my system teergrubing spam-permissive mailing
   lists:

   Date: 16 Nov 2003 12:24:59 -0000
   From: license-discuss-help@opensource.org
   To: rick@linuxmafia.com
   Subject: ezmlm warning

   Hi! This is the ezmlm program. I'm managing the
   license-discuss@opensource.org mailing list.

   Messages to you seem to have been bouncing. I've attached a copy of
   the first bounce message I received.

   If this message bounces too, I will send you a probe. If the probe
   bounces, I will remove your address from the mailing list, without
   further notice.

   I've kept a list of which messages bounced from your address.
   Copies of these messages may be in the archive.
   To get message 12345 from the archive, send an empty note to
   license-discuss-get.12345@opensource.org.
   Here are the message numbers:

   7365

   --- Below this line is a copy of the bounce message I received.

   Return-Path: <>
   Received: (qmail 30581 invoked for bounce); 4 Nov 2003 17:58:16 -0000
   Date: 4 Nov 2003 17:58:15 -0000
   From: MAILER-DAEMON@ns.crynwr.com
   To: license-discuss-return-7365-@opensource.org
   Subject: failure notice

   Hi. This is the qmail-send program at ns.crynwr.com.
   I'm afraid I wasn't able to deliver your message to the following
   addresses. This is a permanent error; I've given up. Sorry it didn't
   work out.

   :
   198.144.195.186 failed after I sent the message.
   Remote host said: 451 Please try again later
   I'm not going to try again; this message has been in the queue too long.

Anyone want to advise DJB of the distinction between SMTP rejects and
"bouncing"? I'm not volunteering. ;->

Just to confirm my strong suspicion, I asked EZMLM to send me post #7365.
Indeed, it's classic 419 scam-spam.

Separately, Yahoo Groups has put me on "nomail" several times for
"bouncing" [sic] its crappy mailing lists' relayed spam -- though that's
trivial to reverse.

What I'm curious about is: What's a reasonable way to deal with this
problem?
I'm tempted to label the "problem" serendipitous, and conclude that
spam-permissive listadmins _should_ be teergrubed into oblivion, but what
do people do for spam-permissive mailing lists they want to read, not get
spam from, and not get thrown off on account of teergrubing them?

-- 
Cheers,                   * Contributing Editor, Linux Gazette *
Rick Moen            -*- See the Linux Gazette in its new home: -*-
rick@linuxmafia.com

From marc at merlins.org Sun Nov 16 13:37:48 2003
From: marc at merlins.org (Marc MERLIN)
Date: Sun Nov 16 13:37:49 2003
Subject: [SA-exim] Side-effect involving mailing lists
In-Reply-To: <20031116202758.GI361@linuxmafia.com>
References: <20031116202758.GI361@linuxmafia.com>
Message-ID: <20031116213748.GH19132@merlins.org>

On Sun, Nov 16, 2003 at 12:27:58PM -0800, Rick Moen wrote:
> 1. The first couple of days after converting to sa-exim, I realised
> I was tarpitting my main backup MX, Richard Couture's myrddin.imat.com:
> Richard clings to an old-school "all mail is sacred" admin philosophy,
> was relaying large amounts of spam, and accordingly was getting
> "451 Please try again later" upon attempting redelivery.

Yep, absolutely. This only works if you control the MXes too, especially
as some spam goes to the secondary MXes without ever trying a delivery to
the primary one.

That's why the config file has this:

# Please, don't teergrube people you relay for you or your own MXes :-)
SAteergrubecond: ${if and { {!eq {$sender_host_address}{204.80.101.251}} {!eq {$sender_host_address}{198.186.202.175}} {!eq {$sender_host_address}{194.2.204.37}} {!eq {$sender_host_address}{216.239.45.4}} {!eq {$sender_host_address}{216.109.84.130}} } {1}{0}}

I personally don't use backup MXes unless I have full control over them.
It's been more trouble than it's helped otherwise

> 2. Similarly, I've noticed my system teergrubing spam-permissive
> mailing lists:

Yeah, that happens to me once in a while.
When they don't run a smart MLM with VERP, I just let them bounce to teach
the ML host not to relay spam :)
Other times, I whitelist the list in SA's config, so teergrubing doesn't
kick in.

> Remote host said: 451 Please try again later
> I'm not going to try again; this message has been in the queue too long.
>
> Anyone want to advise DJB of the distinction between SMTP rejects
> and "bouncing"? I'm not volunteering. ;->

Technically that's a temp reject that looks suspiciously like you're over
quota or something. I don't think it's wrong for an MLM to do this.
I also bounce some of bugtraq's mails because the header from is forged.

> Separately, Yahoo Groups has put me on "nomail" several times for
> "bouncing" [sic] its crappy mailing lists' relayed spam -- though that's
> trivial to reverse.

Yep, same here.

> What I'm curious about is: What's a reasonable way to deal with this
> problem? I'm tempted to label the "problem" serendipitous, and conclude
> that spam-permissive listadmins _should_ be teergrubed into oblivion.

It's a bit harsh in my opinion. I would only reject the mail, not
teergrube the ML host. No need to over-punish them (the only exception
I've made to this rule is the sfs list hosted at MIT which received 5
spams for each good message at some point).

> but what do people do for spam-permissive mailing lists they want to
> read, not get spam from, and not get thrown off on account of teergrubing
> them?

Tag the message, accept it, and /dev/null it.

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                              ....
                                              .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

From rick at linuxmafia.com Sun Nov 16 14:43:21 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Sun Nov 16 14:42:47 2003
Subject: [SA-exim] Side-effect involving mailing lists
In-Reply-To: <20031116213748.GH19132@merlins.org>
References: <20031116202758.GI361@linuxmafia.com>
	<20031116213748.GH19132@merlins.org>
Message-ID: <20031116224321.GA21766@linuxmafia.com>

Quoting Marc MERLIN (marc@merlins.org):

> Yep, absolutely. This only works if you control the MXes too,
> especially as some spam goes to the secondary MXes without ever trying
> a delivery to the primary one.

You'll notice the way I phrased this was "Unless all your MXes use the
same antispam policy, they'll tend to sanction one another." (Or be
tempted to, in any event.) This is why my current advice to admins is to
jettison the backup-MX idea: If you can't get a primary mail host back
on-line in three days, you have bigger problems.

> That's why the config file has this:
> # Please, don't teergrube people you relay for you or your own MXes :-)
> SAteergrubecond: ${if and { {!eq
> {$sender_host_address}{204.80.101.251}} {!eq
> {$sender_host_address}{198.186.202.175}} {!eq
> {$sender_host_address}{194.2.204.37}} {!eq
> {$sender_host_address}{216.239.45.4}} {!eq
> {$sender_host_address}{216.109.84.130}} } {1}{0}}

OK, I'll look up the IPs of the problem MLM hosts, and append
conditionals for them. Question: Might this be worth breaking out into a
/etc/exim4/sa-exim-whitelist-ips file, if only because otherwise the
syntax is a bit error-prone? Alternatively, they could be in multiple
lines like:

SAteergrube_not: nnn.nnn.nnn.nnn

(Feel welcome to advise me to send a patch.) ;->

> Other times, I whitelist the list in SA's config, so teergrubing doesn't
> kick in.

Just to confirm, you're talking about the aforementioned SAteergrubecond
line, right?

-- 
Cheers,                    A: No.
Rick Moen                  Q: Should I include quotations after my reply?
rick@linuxmafia.com

From rick at linuxmafia.com Sun Nov 16 14:56:44 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Sun Nov 16 14:56:09 2003
Subject: [SA-exim] Side-effect involving mailing lists
In-Reply-To: <20031116224321.GA21766@linuxmafia.com>
References: <20031116202758.GI361@linuxmafia.com>
	<20031116213748.GH19132@merlins.org>
	<20031116224321.GA21766@linuxmafia.com>
Message-ID: <20031116225644.GA21849@linuxmafia.com>

Quoting myself:

> OK, I'll look up the IPs of the problem MLM hosts, and append
> conditionals for them.

I may be missing something important, but I see some pragmatic
obstacles, e.g., with Yahoo Groups. A post from one such had Received
lines like this:

Received: from n21.grp.scd.yahoo.com ([66.218.66.77]:5601)
	by linuxmafia.com with smtp (Exim 4.22 #1)
	id 1AKtJf-0003Io-6J
	for ; Fri, 14 Nov 2003 21:49:51 -0800
Received: from [66.218.66.98] by n21.grp.scd.yahoo.com with NNFMP; 15 Nov 2003 05:49:09 -0000
Received: (qmail 92371 invoked from network); 15 Nov 2003 05:49:06 -0000
Received: from unknown (66.218.66.217) by m15.grp.scd.yahoo.com with QMQP; 15 Nov 2003 05:49:06 -0000
Received: from unknown (HELO n3.grp.scd.yahoo.com) (66.218.66.86) by mta2.grp.scd.yahoo.com with SMTP; 15 Nov 2003 05:49:06 -0000
Received: from [66.218.67.139] by n3.grp.scd.yahoo.com with NNFMP; 15 Nov 2003 05:48:24 -0000
Received: (qmail 59930 invoked from network); 14 Nov 2003 20:00:35 -0000
Received: from unknown (66.218.66.216) by m12.grp.scd.yahoo.com with QMQP; 14 Nov 2003 20:00:35 -0000
Received: from unknown (HELO n21.grp.scd.yahoo.com) (66.218.66.77) by mta1.grp.scd.yahoo.com with SMTP; 14 Nov 2003 20:00:35 -0000
Received: from [66.218.67.177] by n21.grp.scd.yahoo.com with NNFMP; 14 Nov 2003 20:00:35 -0000

That is, it seems very likely that I'd want to whitelist the entire
class C, not just 66.218.66.98. Mind posting some clues about that?

(If I'm being excessively lazy, please do say so.
I'm not expecting handholding. Honestly.)

-- 
Cheers,                     "My file system's got no nodes!"
Rick Moen                   "How does it shell?"
rick@linuxmafia.com

From marc at merlins.org Sun Nov 16 14:59:29 2003
From: marc at merlins.org (Marc MERLIN)
Date: Sun Nov 16 14:59:31 2003
Subject: [SA-exim] Side-effect involving mailing lists
In-Reply-To: <20031116224321.GA21766@linuxmafia.com>
References: <20031116202758.GI361@linuxmafia.com>
	<20031116213748.GH19132@merlins.org>
	<20031116224321.GA21766@linuxmafia.com>
Message-ID: <20031116225929.GI19132@merlins.org>

On Sun, Nov 16, 2003 at 02:43:21PM -0800, Rick Moen wrote:
> > That's why the config file has this:
> > # Please, don't teergrube people you relay for you or your own MXes :-)
> > SAteergrubecond: ${if and { {!eq
> > {$sender_host_address}{204.80.101.251}} {!eq
> > {$sender_host_address}{198.186.202.175}} {!eq
> > {$sender_host_address}{194.2.204.37}} {!eq
> > {$sender_host_address}{216.239.45.4}} {!eq
> > {$sender_host_address}{216.109.84.130}} } {1}{0}}
>
> OK, I'll look up the IPs of the problem MLM hosts, and append
> conditionals for them. Question: Might this be worth breaking out
> into a /etc/exim4/sa-exim-whitelist-ips file, if only because otherwise
> the syntax is a bit error-prone?

The teergrube condition could be based on anything, people are welcome
to type any valid exim parseable statement there (some use mysql, some
check for other things like header data, etc, etc...)
Looking in /etc/exim4/sa-exim-whitelist-ips is fine.
If people want to contribute interesting conditions, I don't mind adding
them as samples in the config file.

> Alternatively, they could be in multiple lines like:
>
> SAteergrube_not: nnn.nnn.nnn.nnn

I don't really see the point. This can all be done with the statement
above

> > Other times, I whitelist the list in SA's config, so teergrubing doesn't
> > kick in.
>
> Just to confirm, you're talking about the aforementioned SAteergrubecond
> line, right?
No, you can whitelist them in SA's local.cf too

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                              .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

From marc at merlins.org Sun Nov 16 15:01:04 2003
From: marc at merlins.org (Marc MERLIN)
Date: Sun Nov 16 15:01:05 2003
Subject: [SA-exim] Side-effect involving mailing lists
In-Reply-To: <20031116225644.GA21849@linuxmafia.com>
References: <20031116202758.GI361@linuxmafia.com>
	<20031116213748.GH19132@merlins.org>
	<20031116224321.GA21766@linuxmafia.com>
	<20031116225644.GA21849@linuxmafia.com>
Message-ID: <20031116230104.GJ19132@merlins.org>

On Sun, Nov 16, 2003 at 02:56:44PM -0800, Rick Moen wrote:
> Quoting myself:
>
> > OK, I'll look up the IPs of the problem MLM hosts, and append
> > conditionals for them.
>
> I may be missing something important, but I see some pragmatic
> obstacles, e.g., with Yahoo Groups. A post from one such had Received
> lines like this:

I whitelist MLM by looking at headers and either adjusting the SA score
accordingly (which I do now), or making some headers disable teergrube
By headers, you could say "if received line has yahoo in there" for
instance

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                              ....
                                              .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

From rick at linuxmafia.com Sun Nov 16 15:49:26 2003
From: rick at linuxmafia.com (Rick Moen)
Date: Sun Nov 16 15:48:52 2003
Subject: [SA-exim] Side-effect involving mailing lists
In-Reply-To: <20031116225929.GI19132@merlins.org>
References: <20031116202758.GI361@linuxmafia.com>
	<20031116213748.GH19132@merlins.org>
	<20031116224321.GA21766@linuxmafia.com>
	<20031116225929.GI19132@merlins.org>
Message-ID: <20031116234926.GB21766@linuxmafia.com>

Quoting Marc MERLIN (marc@merlins.org):

> The teergrube condition could be based on anything, people are welcome to
> type any valid exim parseable statement there (some use mysql, some check
> for other things like header data, etc, etc...)
[...]
> I whitelist MLM by looking at headers and either adjusting the SA score
> accordingly (which I do now), or making some headers disable teergrube
> By headers, you could say "if received line has yahoo in there" for
> instance

Clearly, I should have spent more time reading
/usr/share/doc/sa-exim/README.gz (where you warn about all this), but was
in a hurry because my Exim3 & SA setup was collapsing under spam load, so
I converted it under rather stressed conditions.

Off the top of my head, I'm not sure how to write an exim parseable
statement that equates to "if Received line has .grp.scd.yahoo.com in
there", but that's my problem. Hmm, probably:

{!eq {$h_Received:}{^.*grp\.scd\.yahoo.\com.*\$}}

I wouldn't want to whitelist everything whose Received headers claim it
to have originated at Yahoo, I think.

Oh, and I wanted to say _thank you_ for sa-exim.

-- 
Cheers,              "I don't like country music, but I don't mean to denigrate
Rick Moen            those who do. And, for the people who like country music,
rick@linuxmafia.com  denigrate means 'put down'."
                                                                  -- Bob Newhart

From tonye at billy.demon.nl Sun Nov 16 23:15:31 2003
From: tonye at billy.demon.nl (Tony Earnshaw)
Date: Sun Nov 16 20:52:25 2003
Subject: [SA-exim] Side-effect involving mailing lists
In-Reply-To: <20031116202758.GI361@linuxmafia.com>
References: <20031116202758.GI361@linuxmafia.com>
Message-ID: <3FB7F703.7030801@billy.demon.nl>

Rick Moen wrote:

> I'll admit to being a bit lazy in this, so feel welcome to tell me "Read
> Your Friendly exim4.conf File" or "Read the Friendly Pipermail Archive"
> -- but this might at least be mildly entertaining.

[...]

> What I'm curious about is: What's a reasonable way to deal with this
> problem? I'm tempted to label the "problem" serendipitous, and conclude
> that spam-permissive listadmins _should_ be teergrubed into oblivion,
> but what do people do for spam-permissive mailing lists they want to
> read, not get spam from, and not get thrown off on account of teergrubing
> them?

Thanks for a witty and amusing piece. Though I was ensnared by SA-Exim's
teergrubing at first, I found out that using it simply goes paired with
that feeling of gratification it gives. In the end I found that it causes
more mutual harm than good, though.

Just make sure that you don't subscribe to mailing lists that also use
gmane or whatever to publish to usenet - at least not with your regular
email address and the strategy you've outlined.

The Swen and Mimail hordes are far more worth worrying about than the odd
mailing-list spam - and you can't teergrube anyone who cares who's
sending you those bots. You court them by visiting dirty places, or if
you're a Windows ingenue, you just click.
--Tonni

-- 
Tony Earnshaw

If my mail server refuses your mail (Swen attack), resend to:
billy@billy.demon.nl
http://www.billy.demon.nl

From torsten at archesoft.de Sat Nov 22 17:47:45 2003
From: torsten at archesoft.de (Torsten Mueller)
Date: Sat Nov 22 08:47:19 2003
Subject: [SA-exim] Remove SA Header for non SPAM
Message-ID: <3FBF9331.109194EC@archesoft.de>

Hello,

I run SA v 2.60, and sa-exim as
local_scan_path = /usr/local/exim/lib/sa-exim.so

I want to exclude the SA header from non SPAM mails.
I tested some configurations, but didn't succeed.

Thank you
Torsten

My current config:

SA -> local.cf

skip_rbl_checks 1
use_razor2 0
use_dcc 0
use_pyzor 0
report_header 1
use_terse_report 1
always_add_report 0
rewrite_subject 0
report_safe 0

sa-exim.conf

SAEximDebug: 1
SAspamcpath: /usr/bin/spamc
SAEximRunCond: ${if and {{def:sender_host_address} {!eq {$sender_host_address}{127.0.0.1}} {!eq {$h_X-SA-Do-Not-Run:}{Yes}} } {1}{0}}
SAEximRejCond: ${if !eq {$h_X-SA-Do-Not-Rej:}{Yes} {1}{0}}
SAmaxbody: 256000
SATruncBodyCond: 0
SARewriteBody: 0
SAPrependArchiveWithFrom: 1
SAmaxarchivebody: 20971520
SAerrmaxarchivebody: 1073741824
SAmaxrcptlistlength: 0
SAaddSAEheaderBeforeSA: 1
SAtimeout: 240
SAtimeoutsave: /var/log/exim/SAtimeoutsave
SAtimeoutSavCond: 1
SAerrorsave: /var/log/exim/SAerrorsave
SAerrorSavCond: 1
SAtemprejectonerror: 0
SAteergrube: 25.0
SAteergrubetime: 900
SAteergrubeSavCond: 1
SAteergrubesave: /var/log/exim/SAteergrube
SAteergrubeoverwrite: 1
SAdevnullSavCond: 1
SAdevnullsave: /var/log/exim/SAdevnull
SApermreject: 12.0
SApermrejectSavCond: 1
SApermrejectsave: /var/log/exim/SApermreject
SAtempreject: 10.0
SAtemprejectSavCond: 1
SAtemprejectsave: /var/log/exim/SAtempreject
SAtemprejectoverwrite: 1
SAspamacceptsave: /var/log/exim/SAspamaccept
SAspamacceptSavCond: 0
SAnotspamsave: /var/log/exim/SAnotspam
SAnotspamSavCond: 0
SAmsgteergrubewait: wait for more output
SAmsgteergruberej: Please try again later
SAmsgpermrej: Rejected
SAmsgtemprej: Please try again later
SAmsgerror: Temporary local error while processing message, please contact postmaster

From marc at merlins.org Sat Nov 22 09:26:27 2003
From: marc at merlins.org (Marc MERLIN)
Date: Sat Nov 22 09:26:29 2003
Subject: [SA-exim] Remove SA Header for non SPAM
In-Reply-To: <3FBF9331.109194EC@archesoft.de>
References: <3FBF9331.109194EC@archesoft.de>
Message-ID: <20031122172627.GC10075@merlins.org>

On Sat, Nov 22, 2003 at 05:47:45PM +0100, Torsten Mueller wrote:
> Hello,
>
> I run SA v 2.60, and sa-exim as
> local_scan_path = /usr/local/exim/lib/sa-exim.so
>
> I want to exclude the SA header from non SPAM mails.
> I tested some configurations, but didn't succeed.

You need to remove the headers SA puts in exim.conf (see header remove),
or in exim's system_filter

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                              .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

From dmd at 3e.org Sun Nov 23 16:12:07 2003
From: dmd at 3e.org (Daniel M. Drucker)
Date: Sun Nov 23 13:12:10 2003
Subject: [SA-exim] whitelists at smtp time
Message-ID: <004201c3b206$746156b0$0100a8c0@udon>

Can anyone help me figure out how to obey user whitelists from SQL at
smtp-time?

Let's say I have a row in my SA userpref table that looks like this:

(username, preference, value, prefid)
dmd@3e.org, whitelist_from, *@psych.upenn.edu, 42

I want an "accept sender" line in exim.conf which will pass a spammy mail
coming from anyuser@psych.upenn.edu so that whitelists are respected
properly and very spammy mail isn't blocked at SMTP-time.

There are two problems causing this. First, spamassassin preferences use
filename globbing syntax, whereas mysql's "rlike" uses real regexps.
Mysql wants something like .*@psych.upenn.edu whereas spamassassin wants
*@psych.upenn.edu

Second, the whole reason I need that accept sender directive is that SA
is only respecting "nobody"'s whitelist_from preferences when run at
SMTP-time. If there were a way to get SA to respect ALL users'
whitelist_from entries, the accept_sender line would not be needed,
because SA wouldn't trigger on the spammy mail anyway.

Suggestions/help?

Daniel Drucker

From denis at rybin.ru Wed Nov 26 09:51:29 2003
From: denis at rybin.ru (Denis Rybin)
Date: Tue Nov 25 22:51:58 2003
Subject: [SA-exim] spam have delivered
Message-ID: <1691130515.20031126095129@telmos.ru>

Hello!

The message has been marked as spam and got hits=6.3. But unfortunately
it has been delivered. Can you give an advice?

Received: from a180175.upc-a.chello.nl ([62.163.180.175])
	by sr4.telmos.ru with smtp (Exim 4.22)
	id 1AOexl-0005Lw-8r
	for denis@rybin.ru; Tue, 25 Nov 2003 18:18:50 +0300
Received: from jjsuapwt (HELO uzgrafuj) (10.2.6.77)
	by 0 with SMTP; Wed, 26 Nov 2003 05:23:24 +0000
From:
Message-Id: <31230416952.200311260523@elebczzx.com>
To:
Date: Wed, 26 Nov 2003 05:23:31 +0000
MIME-Version: 1.0
X-SA-Exim-Mail-From: gctvuipgmg@t-online.de
Subject: =?windows-1251?b?4fPy6Oog7uTl5uT7IOTr/yDv7vHy5evoLi4uICB1c3Fh?=
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: 8bit
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
	sr4.telmos.ru
X-Spam-Level: ******
X-Spam-Status: Yes, hits=6.3 required=4.5 tests=NO_REAL_NAME,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
	autolearn=no version=2.60
X-Spam-Report:
	*  0.3 NO_REAL_NAME From: does not include a real name
	*  1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
	*      []
	*  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
	*      [Blocked - see ]
	*  2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address
	*      [Dynamic/Residential IP range listed by]
	*      [easynet.nl DynaBlock - ]
	*
	*  0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
	*      [62.163.180.175 listed in dnsbl.sorbs.net]
X-SA-Exim-Version: 3.1 (built Tue Sep 2 15:15:16 MSD 2003)
X-SA-Exim-Scanned: Yes

From coax at cornernet.com Wed Nov 26 01:04:28 2003
From: coax at cornernet.com (Coax)
Date: Tue Nov 25 23:05:12 2003
Subject: [SA-exim] spam have delivered
In-Reply-To: <1691130515.20031126095129@telmos.ru>
Message-ID:

You know, I've been having the same problem. SpamAssassin, for whatever
reason, is not putting in its X-Spam-Flag header.

In fact, I've got a few messages here and there that are being marked
spam (their subject lines are being rewritten) - that aren't even spam.
And of course, the X-Spam-Flag header isn't there, so of course it shows
up in my inbox - and I see them.

It is getting mighty annoying, but I don't know how to debug the problem
since it is so intermittent.

Chad

> Hello!
>
> The message has been marked as spam and got hits=6.3. But unfortunately
> it has been delivered. Can you give an advice?
>
>
> Received: from a180175.upc-a.chello.nl ([62.163.180.175])
> 	by sr4.telmos.ru with smtp (Exim 4.22)
> 	id 1AOexl-0005Lw-8r
> 	for denis@rybin.ru; Tue, 25 Nov 2003 18:18:50 +0300
> Received: from jjsuapwt (HELO uzgrafuj) (10.2.6.77)
> 	by 0 with SMTP; Wed, 26 Nov 2003 05:23:24 +0000
> From:
> Message-Id: <31230416952.200311260523@elebczzx.com>
> To:
> Date: Wed, 26 Nov 2003 05:23:31 +0000
> MIME-Version: 1.0
> X-SA-Exim-Mail-From: gctvuipgmg@t-online.de
> Subject: =?windows-1251?b?4fPy6Oog7uTl5uT7IOTr/yDv7vHy5evoLi4uICB1c3Fh?=
> Content-Type: text/plain; charset=windows-1251
> Content-Transfer-Encoding: 8bit
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
> 	sr4.telmos.ru
> X-Spam-Level: ******
> X-Spam-Status: Yes, hits=6.3 required=4.5 tests=NO_REAL_NAME,
> 	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_DYNABLOCK,RCVD_IN_SORBS
> 	autolearn=no version=2.60
> X-Spam-Report:
> 	*  0.3 NO_REAL_NAME From: does not include a real name
> 	*  1.1 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
> 	*      []
> 	*  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
> 	*      [Blocked - see ]
> 	*  2.5 RCVD_IN_DYNABLOCK RBL: Sent directly from dynamic IP address
> 	*      [Dynamic/Residential IP range listed by]
> 	*      [easynet.nl DynaBlock - ]
> 	*  0.1 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
> 	*      [62.163.180.175 listed in dnsbl.sorbs.net]
> X-SA-Exim-Version: 3.1 (built Tue Sep 2 15:15:16 MSD 2003)
> X-SA-Exim-Scanned: Yes
>
>
> _______________________________________________
> SA-Exim mailing list
> SA-Exim@lists.merlins.org
> http://lists.merlins.org/lists/listinfo/sa-exim
>

From lists at timj.co.uk Wed Nov 26 09:09:13 2003
From: lists at timj.co.uk (Tim Jackson)
Date: Wed Nov 26 01:09:30 2003
Subject: [SA-exim] spam have delivered
In-Reply-To: <1691130515.20031126095129@telmos.ru>
References: <1691130515.20031126095129@telmos.ru>
Message-ID: <20031126090913.27565311.lists@timj.co.uk>

Hi Denis, on Wed, 26 Nov 2003 09:51:29
+0300 you wrote:

> The message has been marked as spam and got hits=6.3. But unfortunately
> it has been delivered. Can you give an advice?

What have you got SApermreject set to? 6.3 is quite low; typically (and
by default) permreject is higher than that.

Tim

From ross at biostat.ucsf.edu Wed Nov 26 11:04:05 2003
From: ross at biostat.ucsf.edu (Ross Boylan)
Date: Wed Nov 26 11:04:18 2003
Subject: [SA-exim] environment for sa-exim.conf
Message-ID: <1069873445.12451.65.camel@iron.libaux.ucsf.edu>

Is sa-exim.conf evaluated within the environment established by
exim.conf?

I ask because my list of whitelisted domains is growing, and I'm thinking
of using a list rather than coding out each case in a big and statement
in SAEximRunCond:

Come to think of it, can I define the list in sa-exim.conf? (It looks as
if the answer is no, but I thought I'd check).

Thanks.
-- 
Ross Boylan                                      wk:  (415) 502-4031
530 Parnassus Avenue (Library) rm 115-4          ross@biostat.ucsf.edu
Dept of Epidemiology and Biostatistics           fax: (415) 476-9856
University of California, San Francisco
San Francisco, CA 94143-0840                     hm:  (415) 550-1062

From marc at merlins.org Wed Nov 26 11:12:09 2003
From: marc at merlins.org (Marc MERLIN)
Date: Wed Nov 26 11:12:11 2003
Subject: [SA-exim] environment for sa-exim.conf
In-Reply-To: <1069873445.12451.65.camel@iron.libaux.ucsf.edu>
References: <1069873445.12451.65.camel@iron.libaux.ucsf.edu>
Message-ID: <20031126191209.GC8993@merlins.org>

On Wed, Nov 26, 2003 at 11:04:05AM -0800, Ross Boylan wrote:
> Is sa-exim.conf evaluated within the environment established by
> exim.conf?

Mmmh, maybe. It depends what exim does there, I'd try it.

> Come to think of it, can I define the list in sa-exim.conf? (It looks as
> if the answer is no, but I thought I'd check).

You can have an lsearch statement against a file on disk

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                              ....
                                              .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key

From tor at slett.net Wed Nov 26 14:30:38 2003
From: tor at slett.net (Tor Slettnes)
Date: Wed Nov 26 14:31:06 2003
Subject: [SA-exim] SA-Exim vs. ExiScan - at an initial glance
Message-ID: <1069885838.1663.29.camel@knausen>

Having happily used SA-Exim[1] for a few months now, I just discovered
the 'ExiScan-ACL'[2] feature in Exim (distributed as a patch, and also
included in the 'exim4-daemon-heavy' Debian package - note that the
'exim4' metapackage by default selects 'exim4-daemon-light').

Having seen the best of both worlds, I now want it all! :-}

Specifically, from a superficial glance, these are the strengths of
ExiScan (as compared to SA-Exim):

 o Supports 3 types of filtering:
   - MIME/Attachment filtering (by filename extensions, mime errors..)
   - Malware scanning (via programs such as MKS AntiVirus, Sophie/Sophos,
     custom scripts...)
   - Spam filtering (via SpamAssassin)

 o Configured in the ACL section of the exim configuration file(s),
   rather than in its own config file (and so takes advantage of *all*
   the configuration syntax offered by Exim). For instance, the ACL
   might be configured to 'accept' a message from local hosts before the
   ExiScan statements are even reached (whereas SA-Exim is launched on
   every message, and its configuration needs a separate conditional
   statement if one does not wish to scan messages from certain hosts,
   say).

 o Allows more flexibility in routing, accepting, rejecting messages
   based on SA's score (through the 'spam' driver which evaluates to
   true on spam, through internal Exim variables like $spam_score,
   $spam_report...).

 o Does not modify the original message unless told to (SA is processing
   a copy of the message). This may be a disadvantage too; see below.

 o Talks to 'spamd' directly, rather than launching 'spamc' to do so
   (should reduce process creation overhead a little..)
Conversely, SA-Exim provides these functions not available in ExiScan:

 o Teergrubing! [3] This alone is probably its biggest advantage, and
   perhaps enough to choose this over ExiScan...

 o Ability to save a copy of the message (whether rejected, temporarily
   rejected, teergrubed, etc..) into a Maildir tree. (Sure, ExiScan
   provides 'fakereject', but that's a bit harder to get working...)

 o Preservation of SA's headers, such as 'X-Spam-Status'; useful to keep in
   EXIM's "rejectlog". (ExiScan provides $spam_report, which can be added in
   a header, but there seems to be no way to get the "short" spam analysis
   (SA's _TESTS_ macro) logged using ExiScan).

In any case - both of these are really, really powerful Exim add-ons; nobody
should live without them. :^}

-tor

[1] See http://marc.merlins.org/linux/exim/sa.html
[2] See http://duncanthrax.net/exiscan-acl/
[3] See http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html

From coax at cornernet.com Wed Nov 26 16:40:21 2003
From: coax at cornernet.com (Coax)
Date: Wed Nov 26 14:40:55 2003
Subject: [SA-exim] SA-Exim vs. ExiScan - at an initial glance
In-Reply-To: <1069885838.1663.29.camel@knausen>
Message-ID:

> Conversely, SA-Exim provides these functions not available in ExiScan:
>
> o Teergrubing! [3] This alone is probably its biggest advantage,
> and perhaps enough to choose this over ExiScan...

Hah. If you do anything in the ACL subsystem, teergrubing is available.
It's just a call to 'delay'. :)

Refer to Marc's mm9 exim.conf for examples..

That said, sa-exim was written in a different way than ExiScan. Marc's takes
advantage of replacing the local_scan function.. There are bound to be pros
and cons to doing it EITHER way..

Chad

From coax at cornernet.com Wed Nov 26 17:41:56 2003
From: coax at cornernet.com (Coax)
Date: Wed Nov 26 15:42:26 2003
Subject: [SA-exim] Message w/ subject line falsely tagged by SA
Message-ID:

This is a message (well, the headers anyway) of a message SA falsely tags -
and yet isn't spam.
2.70-cvs and 2.60 (the release) both do this.

Chad

---------- Forwarded message ----------
Return-path:
Envelope-to: coax@cornernet.com
Delivery-date: Wed, 26 Nov 2003 17:39:31 -0600
Received: from maile0-wc5.eqm0.net ([64.32.63.88]:56364)
        by emx1.cornernet.com with esmtp (Exim 4.24 #1)
        id 1AP9Fn-0001fG-En
        for ; Wed, 26 Nov 2003 17:39:27 -0600
Received: by maile0-wc5.eqm0.net (PowerMTA(TM) v1.5); Wed,
        26 Nov 2003 14:38:04 -0800 (envelope-from )
Errors-To: bounce-a5yuot3o11rgtrmq82vcrvdb@emailbenefits.com
Message-ID:
From: Emailbenefits
To: coax@cornernet.com
Mime-Version: 1.0
Date: Wed, 26 Nov 2003 14:38:04 -0800
X-SA-Exim-Mail-From: bounce-a5yuot3o11rgtrmq82vcrvdb@emailbenefits.com
Subject: *****SPAM***** #1 Holiday Toy of 2003 - Sold out in stores
Content-Type: multipart/alternative;
        boundary="Boundary_TlOiOcEUbMMqtk_1RSnafQEBzyPG_2uP8"
X-SA-Exim-Version: 3.1 (built Tue Nov 4 11:00:37 CST 2003)
X-SA-Exim-Scanned: Yes
Lines: 69
X-Spam-Checker-Version: SpamAssassin 2.70-cvs (1.218-2003-11-09-exp) on
        emx1.cornernet.com
X-Spam-Report:
        *  1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between
        *      51 and 100
        *      [cf: 100]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        *  0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
        *      [64.32.63.88 listed in dnsbl.njabl.org]
        *  0.6 RCVD_IN_NJABL_SPAM RBL: NJABL: sender is confirmed spam source
        *      [64.32.63.88 listed in dnsbl.njabl.org]
        *  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
        *      [Blocked - see ]
        *  1.3 RCVD_IN_SBL RBL: Received via a relay in Spamhaus Block List
        *      []
        *  0.0 CLICK_BELOW Asks you to click below
X-Spam-Status: No, hits=6.7 required=7.0 tests=CLICK_BELOW,HTML_MESSAGE,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,
        RCVD_IN_NJABL,RCVD_IN_NJABL_SPAM,RCVD_IN_SBL autolearn=no
        version=2.70-cvs
X-Spam-Level: ******

From marc at merlins.org Wed Nov 26 16:31:57 2003
From: marc at merlins.org (Marc MERLIN)
Date: Wed Nov 26 16:32:00 2003
Subject: [SA-exim] Message w/ subject line falsely tagged by SA
In-Reply-To:
References:
Message-ID: <20031127003157.GB3573@merlins.org>

On Wed, Nov 26, 2003 at 05:41:56PM -0600, Coax wrote:
> This is a message (well, the headers anyway) of a message SA falsely tags
> - and yet isn't spam.

1) it looks like spam to me
2) you should send it to an SA list. SA-Exim trusts whatever SA says :)

> 2.70-cvs and 2.60 (the release) both do this.
>
> Chad
>
> ---------- Forwarded message ----------
> Return-path:
> Envelope-to: coax@cornernet.com
> Delivery-date: Wed, 26 Nov 2003 17:39:31 -0600
> Received: from maile0-wc5.eqm0.net ([64.32.63.88]:56364)
>         by emx1.cornernet.com with esmtp (Exim 4.24 #1)
>         id 1AP9Fn-0001fG-En
>         for ; Wed, 26 Nov 2003 17:39:27 -0600
> Received: by maile0-wc5.eqm0.net (PowerMTA(TM) v1.5); Wed,
>         26 Nov 2003 14:38:04 -0800 (envelope-from
>         )
> Errors-To: bounce-a5yuot3o11rgtrmq82vcrvdb@emailbenefits.com
> Message-ID:
> From: Emailbenefits
> To: coax@cornernet.com
> Mime-Version: 1.0
> Date: Wed, 26 Nov 2003 14:38:04 -0800
> X-SA-Exim-Mail-From: bounce-a5yuot3o11rgtrmq82vcrvdb@emailbenefits.com
> Subject: *****SPAM***** #1 Holiday Toy of 2003 - Sold out in stores
> Content-Type: multipart/alternative;
>         boundary="Boundary_TlOiOcEUbMMqtk_1RSnafQEBzyPG_2uP8"
> X-SA-Exim-Version: 3.1 (built Tue Nov 4 11:00:37 CST 2003)
> X-SA-Exim-Scanned: Yes
> Lines: 69
> X-Spam-Checker-Version: SpamAssassin 2.70-cvs (1.218-2003-11-09-exp) on
>         emx1.cornernet.com
> X-Spam-Report:
>         *  1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between
>         *      51 and 100
>         *      [cf: 100]
>         *  0.0 HTML_MESSAGE BODY: HTML included in message
>         *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
>         *  0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
>         *      [64.32.63.88 listed in dnsbl.njabl.org]
>         *  0.6 RCVD_IN_NJABL_SPAM RBL: NJABL: sender is confirmed spam
>         *      source
>         *      [64.32.63.88 listed in dnsbl.njabl.org]
>         *  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
>         *      bl.spamcop.net
>         *      [Blocked - see ]
>         *  1.3 RCVD_IN_SBL RBL: Received via a relay in Spamhaus Block List
>         *      []
>         *  0.0 CLICK_BELOW Asks you to click below
> X-Spam-Status: No, hits=6.7 required=7.0 tests=CLICK_BELOW,HTML_MESSAGE,
>         RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,
>         RCVD_IN_NJABL,RCVD_IN_NJABL_SPAM,RCVD_IN_SBL autolearn=no
>         version=2.70-cvs
> X-Spam-Level: ******
>
>
> _______________________________________________
> SA-Exim mailing list
> SA-Exim@lists.merlins.org
> http://lists.merlins.org/lists/listinfo/sa-exim
>

-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key

From coax at cornernet.com Wed Nov 26 18:35:16 2003
From: coax at cornernet.com (Coax)
Date: Wed Nov 26 16:35:52 2003
Subject: [SA-exim] Message w/ subject line falsely tagged by SA
In-Reply-To: <20031127003157.GB3573@merlins.org>
Message-ID:

It *IS* spam, but SA shouldn't have changed the subject line given that the
score wasn't high enough. (and it didn't add an X-Spam-Flag header, so..)

See if I ever report a bug to YOU again! *HARUMPH* IT'S ALL YOUR FAULT!
Etc.etc.etc.

So, where do I send that pizza? :)

Chad

> 1) it looks like spam to me
> 2) you should send it to an SA list. SA-Exim trusts whatever SA says :)
>
> > 2.70-cvs and 2.60 (the release) both do this.
> >
> > Chad
> >
> > ---------- Forwarded message ----------
> > Return-path:
> > Envelope-to: coax@cornernet.com
> > Delivery-date: Wed, 26 Nov 2003 17:39:31 -0600
> > Received: from maile0-wc5.eqm0.net ([64.32.63.88]:56364)
> >         by emx1.cornernet.com with esmtp (Exim 4.24 #1)
> >         id 1AP9Fn-0001fG-En
> >         for ; Wed, 26 Nov 2003 17:39:27 -0600
> > Received: by maile0-wc5.eqm0.net (PowerMTA(TM) v1.5); Wed,
> >         26 Nov 2003 14:38:04 -0800 (envelope-from
> >         )
> > Errors-To: bounce-a5yuot3o11rgtrmq82vcrvdb@emailbenefits.com
> > Message-ID:
> > From: Emailbenefits
> > To: coax@cornernet.com
> > Mime-Version: 1.0
> > Date: Wed, 26 Nov 2003 14:38:04 -0800
> > X-SA-Exim-Mail-From: bounce-a5yuot3o11rgtrmq82vcrvdb@emailbenefits.com
> > Subject: *****SPAM***** #1 Holiday Toy of 2003 - Sold out in stores
> > Content-Type: multipart/alternative;
> >         boundary="Boundary_TlOiOcEUbMMqtk_1RSnafQEBzyPG_2uP8"
> > X-SA-Exim-Version: 3.1 (built Tue Nov 4 11:00:37 CST 2003)
> > X-SA-Exim-Scanned: Yes
> > Lines: 69
> > X-Spam-Checker-Version: SpamAssassin 2.70-cvs (1.218-2003-11-09-exp) on
> >         emx1.cornernet.com
> > X-Spam-Report:
> >         *  1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between
> >         *      51 and 100
> >         *      [cf: 100]
> >         *  0.0 HTML_MESSAGE BODY: HTML included in message
> >         *  0.9 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> >         *  0.1 RCVD_IN_NJABL RBL: Received via a relay in dnsbl.njabl.org
> >         *      [64.32.63.88 listed in dnsbl.njabl.org]
> >         *  0.6 RCVD_IN_NJABL_SPAM RBL: NJABL: sender is confirmed spam
> >         *      source
> >         *      [64.32.63.88 listed in dnsbl.njabl.org]
> >         *  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
> >         *      bl.spamcop.net
> >         *      [Blocked - see ]
> >         *  1.3 RCVD_IN_SBL RBL: Received via a relay in Spamhaus Block List
> >         *      []
> >         *  0.0 CLICK_BELOW Asks you to click below
> > X-Spam-Status: No, hits=6.7 required=7.0 tests=CLICK_BELOW,HTML_MESSAGE,
> >         RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,
> >         RCVD_IN_NJABL,RCVD_IN_NJABL_SPAM,RCVD_IN_SBL autolearn=no
> >         version=2.70-cvs
> > X-Spam-Level: ******
> >
> >
> > _______________________________________________
> > SA-Exim mailing list
> > SA-Exim@lists.merlins.org
> > http://lists.merlins.org/lists/listinfo/sa-exim
> >
>
> --
> "A mouse is a device used to point at the xterm you want to type in" - A.S.R.
> Microsoft is to operating systems & security ....
> .... what McDonalds is to gourmet cooking
> Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
>

From Nigel.Metheringham at dev.InTechnology.co.uk Thu Nov 27 09:42:47 2003
From: Nigel.Metheringham at dev.InTechnology.co.uk (Nigel Metheringham)
Date: Thu Nov 27 01:43:06 2003
Subject: [SA-exim] SA-Exim vs. ExiScan - at an initial glance
In-Reply-To: <1069885838.1663.29.camel@knausen>
References: <1069885838.1663.29.camel@knausen>
Message-ID: <1069926166.14413.17.camel@angua.localnet>

On Wed, 2003-11-26 at 22:30, Tor Slettnes wrote:
> Specifically, from a superficial glance, these are the strengths of
> ExiScan (as compared to SA-Exim):

Actually the one reason I have SA-Exim in use (as well as exiscan) is:-

 * SA-Exim can modify the message to add SpamAssassin's body markup and
   original message encapsulation.

I do wonder how easy it would be to take a message that has header markup
only and encapsulate it, producing the SA body report - this could easily be
done in a transport if the basic encapsulator was available without a full
re-run of SA.

        Nigel.
-- 
[ Nigel Metheringham           Nigel.Metheringham@InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]

From chris at eng.gla.ac.uk Thu Nov 27 11:02:46 2003
From: chris at eng.gla.ac.uk (Chris Edwards)
Date: Thu Nov 27 07:52:47 2003
Subject: [SA-exim] Re: [Exim] SA-Exim vs. ExiScan - at an initial glance
In-Reply-To: <1069885838.1663.29.camel@knausen>
References: <1069885838.1663.29.camel@knausen>
Message-ID:

On Wed, 26 Nov 2003, Tor Slettnes wrote:

| o Preservation of SA's headers, such as 'X-Spam-Status'; useful to
|   keep in EXIM's "rejectlog". (ExiScan provides $spam_report, which
|   can be added in a header, but there seems to be no way to get the
|   "short" spam analysis (SA's _TESTS_ macro) logged using ExiScan).

We use exiscan and write $spam_report into the headers:

  warn message = X-GLA-Spam-Score: $spam_score ($spam_bar)\n\
                 X-GLA-Spam-Report: $spam_report

SA's report is far too verbose by default, so our SA local.cf has:

  clear_report_template
  report _SUMMARY_

The result looks like:

  X-GLA-Spam-Report: 0.7 HTML_50_60 BODY: Message is 50% to 60% HTML
                     0.3 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date
                     0.1 CLICK_BELOW Asks you to click below

which finds its way into the rejectlog if the mail is rejected.

If you want e.g. SA's _TESTS_ macro then use "report _TESTS_" instead.

-- 
Chris Edwards, Glasgow University Computing Service

From marc_news at merlins.org Fri Nov 28 08:41:05 2003
From: marc_news at merlins.org (Marc MERLIN)
Date: Fri Nov 28 08:41:08 2003
Subject: [SA-exim] Re: [Exim] SA-Exim vs. ExiScan - at an initial glance
In-Reply-To: <1069926166.14413.17.camel@angua.localnet> <1069885838.1663.29.camel@knausen>
References: <1069885838.1663.29.camel@knausen> <1069885838.1663.29.camel@knausen> <1069926166.14413.17.camel@angua.localnet> <1069885838.1663.29.camel@knausen> <1069885838.1663.29.camel@knausen>
Message-ID: <20031128164105.GI19719@merlins.org>

On Wed, Nov 26, 2003 at 02:30:38PM -0800, Tor Slettnes wrote:
> Specifically, from a superficial glance, these are the strengths of
> ExiScan (as compared to SA-Exim):

Exiscan is a versatile virus scanner that also has the basic functionality
of sa-exim.
If you're collecting protection money from windows users, that's the one you
want :)

If you're just interested in spam checking and rejection, sa-exim will
probably offer you more options.

> the ExiScan statements are even reached (whereas SA-Exim is launched
> on every message, and its configuration needs a separate conditional
> statement if one does not wish to scan messages from certain hosts, say).

That's true, although sa-exim is really in memory already. Exim makes a call
to its function and it returns right away. In real life, it's about the
same.

> o Allows more flexibility in routing, accepting, rejecting messages
> based on SA's score (through the 'spam' driver which evaluates to

While you would do it a bit differently, you can do the same with sa-exim.

> o Does not modify the original message unless told to (SA is processing
> a copy of the message). This may be a disadvantage too; see below.

Actually with sa-exim, it's the same: sa-exim just copies a few headers back
to the original message headers (admittedly you can't turn it off there,
since it's trivial to use header_remove on the ones you don't want), and
sa-exim optionally can modify the body, which is a must if you use
report_safe.

> o Talks to 'spamd' directly, rather than launching 'spamc' to do so
> (should reduce process creation overhead a little..)

Right. sa-exim should probably do that too. The only reason I haven't is
that the speed improvements are probably very very small vs running SA
anyway, and that running spamc lets you change the spamc/spamd pair without
recompiling sa-exim (which is a clear advantage when you manage a system
with precompiled packages)

> In any case - both of these are really, really powerful Exim add-ons;
> nobody should live without them. :^}

The good news is that you can also run both :)

On Wed, Nov 26, 2003 at 04:40:21PM -0600, Coax wrote:
> If you do anything in the ACL subsystem, teergrubing is available. It's
> just a call to 'delay'. :)

This is not real teergrubing. A delay does not send any data to the sender.
Teergrubing sends data to make the other side keep listening as long as you
can.

> That said, sa-exim was written in a different way than ExiScan. Marc's
> takes advantage of replacing the local_scan function.. There are bound to
> be pros and cons to doing it EITHER way..

The obvious pro is that you don't need to upgrade sa-exim with every version
of exim. The con is that exiscan hooks in directly inside exim and has more
access than sa-exim does (although in real life, sa-exim can do what it
needs through the local_scan interface)

On Thu, Nov 27, 2003 at 09:42:47AM +0000, Nigel Metheringham wrote:
> I do wonder how easy it would be to take a message that has header
> markup only and encapsulate it, producing the SA body report - this
> could easily be done in a transport if the basic encapsulator was
> available without a full re-run of SA.

That would indeed be an interesting project :)

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key
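Editor's worked example (added here; it is not code from sa-exim, ExiScan, SpamAssassin or any poster in this thread). It ties together three points made above: Tim's remark that sa-exim's SApermreject is compared against the SA score ("hits") and normally sits well above SA's own "required" threshold; Coax's observation that a Subject rewritten with the spam tag while X-Spam-Status says No, and no X-Spam-Flag present, is inconsistent markup worth catching; and Chris Edwards's compact "report _SUMMARY_" format. The sample headers are constructed from the ones Coax forwarded (addresses and body omitted); the threshold ordering teergrube > permreject > tempreject and the values 25 / 12.5 / 8 are assumptions chosen only for illustration, not values taken from this page; the markup_findings rule set and all function names are the editor's own.

```python
import re

# Constructed sample: the header block Coax forwarded, addresses and body
# omitted. Folded continuation lines start with a tab, as in the post.
SAMPLE_MESSAGE = (
    "From: Emailbenefits\n"
    "Subject: *****SPAM***** #1 Holiday Toy of 2003 - Sold out in stores\n"
    "X-SA-Exim-Scanned: Yes\n"
    "X-Spam-Status: No, hits=6.7 required=7.0 tests=CLICK_BELOW,HTML_MESSAGE,\n"
    "\tRAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET,\n"
    "\tRCVD_IN_NJABL,RCVD_IN_NJABL_SPAM,RCVD_IN_SBL autolearn=no\n"
    "\tversion=2.70-cvs\n"
    "X-Spam-Level: ******\n"
    "\n"
    "(body omitted)\n"
)

# Constructed _SUMMARY_ report modelled on Chris Edwards's X-GLA-Spam-Report.
SAMPLE_SUMMARY = (
    "0.7 HTML_50_60 BODY: Message is 50% to 60% HTML "
    "0.3 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date "
    "0.1 CLICK_BELOW Asks you to click below"
)


def parse_headers(raw):
    """Return {lowercase name: value} for a message's header block, joining
    folded continuation lines (leading whitespace) onto their header.
    Stops at the first blank line, where the body begins."""
    headers, name = {}, None
    for line in raw.split("\n"):
        if line == "":
            break
        if line[0] in " \t" and name is not None:
            headers[name] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[name] = value.strip()
    return headers


STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*hits=(?P<hits>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<req>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>.*?)"
    r"(?:\s+autolearn=\S+|$)"
)


def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, score, threshold and the
    rule names that fired (whitespace from folding is tolerated)."""
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    tests = [t.strip() for t in m.group("tests").split(",") if t.strip()]
    return {"is_spam": m.group("flag") == "Yes",
            "hits": float(m.group("hits")),
            "required": float(m.group("req")),
            "tests": tests}


def sa_exim_action(hits, teergrube, permreject, tempreject):
    """Map an SA score to the action an sa-exim site would take. The
    ordering teergrube > permreject > tempreject is an assumption of this
    illustration; pass the thresholds from your own sa-exim.conf."""
    if hits >= teergrube:
        return "teergrube"
    if hits >= permreject:
        return "permreject"
    if hits >= tempreject:
        return "tempreject"
    return "accept"


def markup_findings(headers):
    """Cross-check SA's markup headers against each other and return the
    inconsistencies found. The first rule is the case Coax reported."""
    if "x-spam-status" not in headers:
        return ["no X-Spam-Status header (message not scanned?)"]
    st = parse_spam_status(headers["x-spam-status"])
    findings = []
    if headers.get("subject", "").startswith("*****SPAM*****") and not st["is_spam"]:
        findings.append("subject rewritten but X-Spam-Status is No")
    if st["is_spam"] and "x-spam-flag" not in headers:
        findings.append("X-Spam-Status Yes but no X-Spam-Flag header")
    if st["is_spam"] != (st["hits"] >= st["required"]):
        findings.append("X-Spam-Status verdict disagrees with hits/required")
    level = headers.get("x-spam-level", "")
    if level and len(level) != int(st["hits"]):
        findings.append("X-Spam-Level star count does not match hits")
    return findings


SUMMARY_RE = re.compile(r"(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")


def parse_summary(report):
    """Parse a 'report _SUMMARY_' style report into (rule, score) pairs and
    their rounded total, ready for log analysis of the rejectlog."""
    pairs = [(rule, float(score)) for score, rule in SUMMARY_RE.findall(report)]
    return pairs, round(sum(s for _, s in pairs), 2)


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_MESSAGE)
    st = parse_spam_status(hdrs["x-spam-status"])
    print("hits %.1f required %.1f rules %d" % (st["hits"], st["required"], len(st["tests"])))
    print("findings:", markup_findings(hdrs))
    print("sa-exim action:", sa_exim_action(st["hits"], 25.0, 12.5, 8.0))  # example thresholds
    print("summary:", parse_summary(SAMPLE_SUMMARY))
```

Run stand-alone it reports the forwarded message as scoring 6.7 against 7.0, flags the rewritten Subject as the only inconsistency, and shows that with the example thresholds sa-exim would accept the message, which is exactly the gap Tim describes between SA's tagging threshold and permreject.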