Thread: Help with spamassassin needed please

  1. #1
    Join Date
    Nov 2010
    Location
    Michigan
    Posts
    19
    Rep Power
    5

    Default Help with spamassassin needed please

    I have done some reading, but still do not understand this fully as I cannot tell what mine is doing. Here is a snippet of an obvious spam:

    X-Virus-Scanned: amavisd-new at mymail.mydomain.com
    X-Spam-Flag: NO
    X-Spam-Score: 1.043
    X-Spam-Level: *
    X-Spam-Status: No, score=1.043 tagged_above=-10 required=3
    tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_28=1.404,
    HTML_IMAGE_RATIO_02=0.437, HTML_MESSAGE=0.001,
    MPART_ALT_DIFF_COUNT=1.112, RCVD_IN_DNSWL_NONE=-0.0001,
    SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no

    I am confused by the BAYES_00=-1.19 score. Where is it defined to use Bayes_00? I looked in /opt/zimbra/conf/local.cf and this is what is in there:
    Code:
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    # Only a small subset of options are listed below
    #
    ###########################################################################
    
    #   Add *****SPAM***** to the Subject header of spam e-mails
    #
    # rewrite_header Subject *****SPAM*****
    
    
    #   Save spam messages as a message/rfc822 MIME attachment instead of
    #   modifying the original message (0: off, 2: use text/plain instead)
    #
    # report_safe 1
    
    
    #   Set which networks or hosts are considered 'trusted' by your mail
    #   server (i.e. not spammers)
    #
    # trusted_networks 212.17.35.
    
    
    #   Set file-locking method (flock is not safe over NFS, but is faster)
    #
    # lock_method flock
    
    
    #   Set the threshold at which a message is considered spam (default: 5.0)
    #
    # required_score 5.0
    
    
    #   Use Bayesian classifier (default: 1)
    #
    use_bayes 1
    #   Bayesian classifier auto-learning (default: 1)
    #
    # bayes_auto_learn 1
    
    
    #   Set headers which may provide inappropriate cues to the Bayesian
    #   classifier
    #
    # bayes_ignore_header X-Bogosity
    # bayes_ignore_header X-Spam-Flag
    # bayes_ignore_header X-Spam-Status
    
    
    #   Some shortcircuiting, if the plugin is enabled
    # 
    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
    #
    #   default: strongly-whitelisted mails are *really* whitelisted now, if the
    #   shortcircuiting plugin is active, causing early exit to save CPU load.
    #   Uncomment to turn this on
    #
    # shortcircuit USER_IN_WHITELIST       on
    # shortcircuit USER_IN_DEF_WHITELIST   on
    # shortcircuit USER_IN_ALL_SPAM_TO     on
    # shortcircuit SUBJECT_IN_WHITELIST    on
    
    #   the opposite; blacklisted mails can also save CPU
    #
    # shortcircuit USER_IN_BLACKLIST       on
    # shortcircuit USER_IN_BLACKLIST_TO    on
    # shortcircuit SUBJECT_IN_BLACKLIST    on
    
    #   if you have taken the time to correctly specify your "trusted_networks",
    #   this is another good way to save CPU
    #
    # shortcircuit ALL_TRUSTED             on
    
    #   and a well-trained bayes DB can save running rules, too
    #
    # shortcircuit BAYES_99                spam
    # shortcircuit BAYES_00                ham
    
    endif # Mail::SpamAssassin::Plugin::Shortcircuit
    and this one:
    X-Virus-Scanned: amavisd-new at mail.mailserver.com
    X-Spam-Flag: NO
    X-Spam-Score: -4.633
    X-Spam-Level:
    X-Spam-Status: No, score=-4.633 tagged_above=-10 required=3
    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377,
    HTML_TAG_BALANCE_BODY=1.157, MIME_HTML_ONLY=0.723,
    RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_PASS=-0.001,
    T_REMOTE_IMAGE=0.01] autolearn=ham


    Which is an obvious html spam.

    From what I see in conf., pretty much everything is commented out. If that is the case where is it getting the information to run any tests at all? "use_bayes 1" I just uncommented a few minutes ago, but it seems it was using it all along anyway, except I cannot understand the large negative scores. Any help would be appreciated.
    Release 7.1.1_GA_3196.SLES11_64_20110527115356 SLES11_64 NETWORK edition.
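
To see how much each rule contributes to the two scores quoted in the post above, the `X-Spam-Status` value can be parsed and re-summed. This is an added example, not part of the original post; the function names `parse_spam_status` and `breakdown` are hypothetical, and the inputs are the two header values from the post with their folded lines joined.

```python
import re

# The two X-Spam-Status values quoted in the post above, folded lines joined.
STATUS_1 = (
    "No, score=1.043 tagged_above=-10 required=3 "
    "tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_28=1.404, "
    "HTML_IMAGE_RATIO_02=0.437, HTML_MESSAGE=0.001, "
    "MPART_ALT_DIFF_COUNT=1.112, RCVD_IN_DNSWL_NONE=-0.0001, "
    "SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no"
)
STATUS_2 = (
    "No, score=-4.633 tagged_above=-10 required=3 "
    "tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, "
    "HTML_TAG_BALANCE_BODY=1.157, MIME_HTML_ONLY=0.723, "
    "RCVD_IN_RP_CERTIFIED=-3, RCVD_IN_RP_SAFE=-2, SPF_PASS=-0.001, "
    "T_REMOTE_IMAGE=0.01] autolearn=ham"
)


def parse_spam_status(value):
    """Split an X-Spam-Status value into verdict, score, threshold and rule scores."""
    value = " ".join(value.split())  # unfold header continuation lines
    head = re.match(r"(Yes|No),\s*score=(-?[\d.]+)", value)
    required = re.search(r"\brequired=(-?[\d.]+)", value)
    tests = re.search(r"\btests=\[([^\]]*)\]", value)
    if not (head and required and tests):
        raise ValueError("unrecognised X-Spam-Status value")
    rules = {}
    for item in filter(None, (t.strip() for t in tests.group(1).split(","))):
        name, _, points = item.partition("=")
        rules[name] = float(points)
    return {"spam": head.group(1) == "Yes", "score": float(head.group(2)),
            "required": float(required.group(1)), "rules": rules}


def breakdown(value, drop="BAYES_00"):
    """Re-sum the rule scores and show the total with one rule removed."""
    parsed = parse_spam_status(value)
    total = sum(parsed["rules"].values())
    without = total - parsed["rules"].get(drop, 0.0)
    ranked = sorted(parsed["rules"].items(), key=lambda kv: kv[1])
    return {"total": round(total, 3), "required": parsed["required"],
            "without": round(without, 3),
            "most_negative": ranked[0], "most_positive": ranked[-1],
            # a message is tagged as spam once its score reaches the threshold
            "spam_without": without >= parsed["required"]}


if __name__ == "__main__":
    for status in (STATUS_1, STATUS_2):
        print(breakdown(status))
```

On the first header the total without BAYES_00 comes to 2.943, still under required=3; on the second, the two RCVD_IN_RP_* rules outweigh BAYES_00.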

  2. #2

    I have noticed that all of my e-mail is coming through BAYES_00, which is giving a -1.9. I took a look at spamassassin and ran ./sa-learn --dump magic. Returned error to use the -D option. When run with the -D option, I get a long list with this near the bottom:
    Code:
    Oct 12 15:12:24.595 [22071] dbg: bayes: no dbs present, cannot tie DB R/O: /opt/zimbra/amavisd/.spamassassin/bayes_toks
    So I ran this:
    ./sa-learn --dump magic --dbpath /opt/zimbra/amavisd/.spamassassin/ and got the same result of cannot tie to DB. I am still researching, but if someone could help I would appreciate it.
    Release 7.1.1_GA_3196.SLES11_64_20110527115356 SLES11_64 NETWORK edition.

  3. #3

    Since I guess I am working this on my own, I will just keep doing so, maybe it will help someone in the future. I was able to get dump magic to work with the Zimbra user:
    Code:
    ./sa-learn --dump magic --dbpath /opt/zimbra/data/amavisd/.spamassassin
    That returned this:
    Code:
    0.000          0          3          0  non-token data: bayes db version
    0.000          0      21203          0  non-token data: nspam
    0.000          0     451084          0  non-token data: nham
    0.000          0     165516          0  non-token data: ntokens
    0.000          0 1349926206          0  non-token data: oldest atime
    0.000          0 1350074328          0  non-token data: newest atime
    0.000          0 1350572253          0  non-token data: last journal sync atime
    0.000          0 1350061828          0  non-token data: last expiry atime
    0.000          0      86400          0  non-token data: last expire atime delta
    0.000          0      75986          0  non-token data: last expire reduction count
    So, apparently I have quite a bit of spam/ham messages in the db. From some fiddling I was doing, I guess I broke the bayes scoring portion since it is no longer in my e-mail headers. Here is the output of /opt/zimbra/conf/local.cf:
    Code:
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    # Only a small subset of options are listed below
    #
    ###########################################################################
    
    #   Add *****SPAM***** to the Subject header of spam e-mails
    #
    # rewrite_header Subject *****SPAM*****
    
    
    #   Save spam messages as a message/rfc822 MIME attachment instead of
    #   modifying the original message (0: off, 2: use text/plain instead)
    #
    # report_safe 1
    
    
    #   Set which networks or hosts are considered 'trusted' by your mail
    #   server (i.e. not spammers)
    #
    # trusted_networks 212.17.35.
    
    
    #   Set file-locking method (flock is not safe over NFS, but is faster)
    #
    # lock_method flock
    
    
    #   Set the threshold at which a message is considered spam (default: 5.0)
    #
    # required_score 5.0
    
    
    #   Use Bayesian classifier (default: 1)
    #
    use_bayes 1
    #   Bayesian classifier auto-learning (default: 1)
    #
    bayes_auto_learn 1
    
    
    #   Set headers which may provide inappropriate cues to the Bayesian
    #   classifier
    #
    # bayes_ignore_header X-Bogosity
    # bayes_ignore_header X-Spam-Flag
    # bayes_ignore_header X-Spam-Status
    
    
    #   Some shortcircuiting, if the plugin is enabled
    # 
    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
    #
    #   default: strongly-whitelisted mails are *really* whitelisted now, if the
    #   shortcircuiting plugin is active, causing early exit to save CPU load.
    #   Uncomment to turn this on
    #
    # shortcircuit USER_IN_WHITELIST       on
    # shortcircuit USER_IN_DEF_WHITELIST   on
    # shortcircuit USER_IN_ALL_SPAM_TO     on
    # shortcircuit SUBJECT_IN_WHITELIST    on
    
    #   the opposite; blacklisted mails can also save CPU
    #
    # shortcircuit USER_IN_BLACKLIST       on
    # shortcircuit USER_IN_BLACKLIST_TO    on
    And here is the output from salocal.cf
    Code:
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    ###########################################################################
    #
    # rewrite_header Subject *****SPAM*****
    # report_safe 1
    # trusted_networks 212.17.35.
    # lock_method flock
    
    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 1.5
    
    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5
    
    trusted_networks 127.0.0.0/8 10.99.0.0/16 192.168.254.0/24
    lock_method flock
    # accept email from zimbra support and forumns
    def_whitelist_from_rcvd noreply@zimbra.com zimbra.com
    def_whitelist_from_rcvd support@zimbra.com zimbra.com
    
    rewrite_header Subject *SPAM* _STARS(*)_
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 60
    
    
    bayes_store_module              Mail::SpamAssassin::BayesStore::MySQL
    bayes_sql_dsn                   DBI:mysql:zimbra_antispam:host=127.0.0.1:port=7308
    bayes_sql_username              zimbra
    bayes_sql_password
    
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
    And apparently there is another config file that comes into play called salocal.cf.in. Here is where I believe my problem may have been. There was no use_bayes 1 line in this config file:
    Code:
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    ###########################################################################
    #
    # rewrite_header Subject *****SPAM*****
    # report_safe 1
    # trusted_networks 212.17.35.
    # lock_method flock
    
    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 1.5
    
    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5
    
    %%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
    %%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%
    
    # accept email from zimbra support and forumns
    def_whitelist_from_rcvd noreply@zimbra.com zimbra.com
    def_whitelist_from_rcvd support@zimbra.com zimbra.com
    
    rewrite_header Subject *SPAM* _STARS(*)_
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 60
    
    
    %%uncomment LOCAL:antispam_mysql_enabled%%bayes_store_module              Mail::SpamAssassin::BayesStore::MySQL
    %%uncomment LOCAL:antispam_mysql_enabled%%bayes_sql_dsn                   DBI:mysql:zimbra_antispam:host=@@antispam_mysql_host@@:port=@@antispam_mysql_port@@
    %%uncomment LOCAL:antispam_mysql_enabled%%bayes_sql_username              @@antispam_mysql_user@@
    %%uncomment LOCAL:antispam_mysql_enabled%%bayes_sql_password              @@antispam_mysql_password@@
    
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
    So I added the line in salocal.cf.in and am doing zmcontrol restart.

    My next issue is to assess the bayes scoring, since it always scores as bayes_00 even if it was an obvious spam, which drags the whole score down. That may lead me to believe that the info provided to the bayes db may not be very good. I will research this more.
    Release 7.1.1_GA_3196.SLES11_64_20110527115356 SLES11_64 NETWORK edition.

  4. #4

    From what I can gather, my bayes db seems to be working fine, except I cannot get it to show back in the header of my e-mail. I tried to enable dspam but that seemed to flag everything as spam. So I am back trying to get bayes to work. I checked my salocal.cf and salocal.cf.in and they both have use_bayes 1. I also checked /opt/zimbra/conf/spamassassin/local.cf and that also has use_bayes 1. I have stopped and restarted all Zimbra services. I am not sure how to proceed to get it to show up again. Any help? Here are my configs:

    Code:
    salocal.cf
    
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    ###########################################################################
    #
    # rewrite_header Subject *****SPAM*****
    # report_safe 1
    # trusted_networks 212.17.35.
    # lock_method flock
    
    header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
    describe DSPAM_SPAM DSPAM claims it is spam
    score DSPAM_SPAM 1.5
    
    header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
    describe DSPAM_HAM DSPAM claims it is ham
    score DSPAM_HAM -0.5
    
    trusted_networks 127.0.0.0/8 10.99.0.0/16 192.168.254.0/24
    lock_method flock
    
    # accept email from zimbra support and forumns
    def_whitelist_from_rcvd noreply@zimbra.com zimbra.com
    def_whitelist_from_rcvd support@zimbra.com zimbra.com
    
    rewrite_header Subject *SPAM* _STARS(*)_
    use_bayes 1
    bayes_auto_learn 1
    bayes_min_spam_num 60
    bayes_min_ham_num 60
    
    
    bayes_store_module              Mail::SpamAssassin::BayesStore::MySQL
    bayes_sql_dsn                   DBI:mysql:zimbra_antispam:host=127.0.0.1:port=7308
    bayes_sql_username              zimbra
    bayes_sql_password              
    
    clear_headers
    add_header spam Flag _YESNOCAPS_
    add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
    add_header all Level _STARS(*)_
    add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_
    Here is local.cf which is largely commented out
    Code:
    # This is the right place to customize your installation of SpamAssassin.
    #
    # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
    # tweaked.
    #
    # Only a small subset of options are listed below
    #
    ###########################################################################
    
    #   Add *****SPAM***** to the Subject header of spam e-mails
    #
    # rewrite_header Subject *****SPAM*****
    
    
    #   Save spam messages as a message/rfc822 MIME attachment instead of
    #   modifying the original message (0: off, 2: use text/plain instead)
    #
    # report_safe 1
    
    
    #   Set which networks or hosts are considered 'trusted' by your mail
    #   server (i.e. not spammers)
    #
    # trusted_networks 212.17.35.
    
    
    #   Set file-locking method (flock is not safe over NFS, but is faster)
    #
    # lock_method flock
    
    
    #   Set the threshold at which a message is considered spam (default: 5.0)
    #
    # required_score 5.0
    
    
    #   Use Bayesian classifier (default: 1)
    #
    use_bayes 1
    #   Bayesian classifier auto-learning (default: 1)
    #
    bayes_auto_learn 1 
    
    
    #   Set headers which may provide inappropriate cues to the Bayesian
    #   classifier
    #
    # bayes_ignore_header X-Bogosity
    # bayes_ignore_header X-Spam-Flag
    # bayes_ignore_header X-Spam-Status
    
    
    #   Some shortcircuiting, if the plugin is enabled
    # 
    ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
    #
    #   default: strongly-whitelisted mails are *really* whitelisted now, if the
    #   shortcircuiting plugin is active, causing early exit to save CPU load.
    #   Uncomment to turn this on
    #
    # shortcircuit USER_IN_WHITELIST       on
    # shortcircuit USER_IN_DEF_WHITELIST   on
    # shortcircuit USER_IN_ALL_SPAM_TO     on
    # shortcircuit SUBJECT_IN_WHITELIST    on
    
    #   the opposite; blacklisted mails can also save CPU
    #
    # shortcircuit USER_IN_BLACKLIST       on
    # shortcircuit USER_IN_BLACKLIST_TO    on
    # shortcircuit SUBJECT_IN_BLACKLIST    on
    
    #   if you have taken the time to correctly specify your "trusted_networks",
    #   this is another good way to save CPU
    #
    # shortcircuit ALL_TRUSTED             on
    
    #   and a well-trained bayes DB can save running rules, too
    #
    # shortcircuit BAYES_99                spam
    # shortcircuit BAYES_00                ham
    
    endif # Mail::SpamAssassin::Plugin::Shortcircuit
    I am going to look for a vanilla copy of both files, even though mine may be, or be very close to, the originals anyway. Any reason anyone can think of why it would be in the email header would be a big help.
    Release 7.1.1_GA_3196.SLES11_64_20110527115356 SLES11_64 NETWORK edition.

  5. #5


    With my tinkering and attempt to learn how this all works together, I am only left to surmise that I changed use_bayes 1 to use_bayes 0 at some point, and changed it back. However, I did not get the bayes filtering back. Even though I checked salocal.cf.in, salocal.cf, and local.cf, at this point all have use_bayes 1. I have stopped and restarted all services and still no bayes. Spamassassin is working, I am also using RBLs. Where can I look to see what is going on with bayes and how I can make it work again?
    Release 7.1.1_GA_3196.SLES11_64_20110527115356 SLES11_64 NETWORK edition.

  6. #6

    Ok, well, this is odd. I noticed in my zmlocalconfig that mysql was enabled, which I do not recall enabling. So I looked up how to revert back to the default db, so I did that and then restarted all services. Voila, Bayes is now back in my email header. So, it looks like it was the mysql setting to TRUE, which I changed back to FALSE. Maybe all this blabbering will help someone some day.
    Release 7.1.1_GA_3196.SLES11_64_20110527115356 SLES11_64 NETWORK edition.
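
The thread ends with the Bayes store having been switched to MySQL by a local config flag while every file still said use_bayes 1. The sketch below, an added example that is not part of the original posts or of Zimbra's own tooling, renders a template like salocal.cf.in for both values of the flag and reports which Bayes backend results. The template text is a constructed excerpt modelled on the file quoted above, the function names are hypothetical, and the meaning of `%%uncomment ...%%` (the line is active only when the named key is true) is an assumption drawn from how the template and the generated salocal.cf differ in the thread.

```python
import re

# Constructed excerpt modelled on the salocal.cf.in quoted in the thread.
TEMPLATE = """\
use_bayes 1
bayes_auto_learn 1
%%uncomment LOCAL:antispam_mysql_enabled%%bayes_store_module Mail::SpamAssassin::BayesStore::MySQL
%%uncomment LOCAL:antispam_mysql_enabled%%bayes_sql_username zimbra
%%uncomment LOCAL:antispam_mysql_enabled%%bayes_sql_password
"""

UNCOMMENT = re.compile(r"^%%uncomment (?:LOCAL|VAR):(\w+)%%(.*)$")


def render(template, flags):
    """Assumed semantics: keep the directive if flags[key] is true, else comment it out."""
    out = []
    for line in template.splitlines():
        m = UNCOMMENT.match(line)
        if m:
            key, rest = m.groups()
            line = rest if flags.get(key) else "# " + rest
        out.append(line)
    return "\n".join(out)


def effective_settings(cf_text):
    """Active 'key value' directives of a .cf file; the last occurrence wins."""
    settings = {}
    for raw in cf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def bayes_report(cf_text):
    """Summarise whether Bayes is on and which storage backend is selected."""
    s = effective_settings(cf_text)
    enabled = s.get("use_bayes", "1") != "0"  # default is 1, as local.cf notes
    module = s.get("bayes_store_module", "")
    backend = "sql" if module.endswith(("::MySQL", "::PgSQL", "::SQL")) else "dbm"
    findings = []
    if enabled and backend == "sql":
        findings.append("bayes tokens are read from SQL, not the bayes_toks files")
        if not s.get("bayes_sql_password"):
            findings.append("bayes_sql_password is empty")
    return {"use_bayes": enabled, "backend": backend, "findings": findings}


if __name__ == "__main__":
    for flag in (True, False):
        cf = render(TEMPLATE, {"antispam_mysql_enabled": flag})
        print(flag, bayes_report(cf))
```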
