Arshavir Grigorian | 3 Aug 2004 18:03

Re: razor logs

On Fri, 2004-07-30 at 16:10, Matt Kettler wrote:
> At 08:01 PM 7/28/2004, Arshavir Grigorian wrote:
> >I have the name of Razor's config file 
> >(/var/lib/amavis/.razor/razor_agent.conf) in SpamAssassin's config file
> >(/etc/mail/spamassassin/local.cf - razor_config 
> >/var/lib/amavis/.razor/razor_agent.conf).
> >And I have the debuglevel in razor_agent.conf set to 15, but I still 
> >get nothing in the log file.
> >
> >I also tried putting razor_debuglevel = 15\n razor_logfile = 
> >razor-agent.conf into SpamAssassin's local.cf, but that didn't seem to 
> >help either.
> >Neither razor-agent.conf nor /var/lib/maillog (where amavis logs its 
> >output) show any Razor messages.
> 
> SpamAssassin tips:
> 
> 1) do NOT put razor config commands into SA's local.cf. That's an error, 
> and SA might ignore your entire local.cf if the parser doesn't recover 
> gracefully.
> 2) always run spamassassin --lint after editing local.cf. If it complains, 
> fix the problem.
> 3) you may set the razor_config in local.cf, that's a valid SA option, but 
> don't try putting razor_debuglevel or razor_logfile commands in there. 
> Those latter two don't exist.
> 
> 
> Razor tips:
> 
> 1) do not set your razor_logfile to razor-agent.conf. Razor should, 

Fraser Morrison | 4 Aug 2004 14:40

Hotmail & Yahoo Footers

Good Day,

I am new to Linux and Spam Assassin so please bear with me. We have Spam Assassin installed and working well
with the exception of how it handles Hotmail and Yahoo messages. From what I can tell it is automatically
tagging all messages from these two sources as spam. I have noticed as shown below that the RAZOR2_CHECK
has given the message 5 points. The limit I have setup for being tagged is 5 points. The header below is from a
legitimate mesSeptember would like it to have gotten through fine without being tagged. 

*****
X-Spam-Score: 6.1 (++++++)
X-Spam-Report: Spam detection software, running on the system "apsea.ednet.ns.ca", has dentified this
incoming email as possible spam.  The original message has been attached to this so you can view it (if it
isn't spam) or block similar future email.  If you have any questions, see postmaster <at> apsea.ca for details.
	Content preview:  --0-179324564-1082401212=:98964 Content-Type:
	text/plain; charset=us-ascii Do you Yahoo!? Yahoo! Photos: High-quality
	4x6 digital prints for 25¢ --0-179324564-1082401212=:98964
	Content-Type: text/html; charset=us-ascii [...] 
	Content analysis details:   (6.1 points, 5.0 required)
	pts rule name              description
	---- ---------------------- --------------------------------------------------
	0.0 HTML_MESSAGE           BODY: HTML included in message
	0.5 HTML_20_30             BODY: Message is 20% to 30% HTML
	0.6 RAZOR2_CF_RANGE_11_50  BODY: Razor2 gives confidence between 11 and 50
	[cf:  20]
	5.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
	0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
	[142.166.250.74 listed in dnsbl.sorbs.net]
X-ACL-Warn: X-Probable-SPAM
Subject: *** Probable SPAM:    Transition Meeting Minutes for Lee Ann Best ***


Matt Kettler | 4 Aug 2004 16:56

Re: Hotmail & Yahoo Footers

Might I ask what version of SA you're using? What does your local.cf look like?

No version of SA that I'm aware of has a default score of 5.0 for 
RAZOR2_CHECK, and 5.0 is definitely way too high.

The default scores of a few versions:
2.63:
score RAZOR2_CHECK 0 0.899 0 1.047

3.0-pre1 and 3.0-pre2:
score RAZOR2_CHECK 0 0.753 0 0.626

None of these even begins to approach 5.0

At 08:40 AM 8/4/2004, Fraser Morrison wrote:
>I am new to Linux and Spam Assassin so please bear with me. We have Spam 
>Assassin installed and working well with the exception of how it handles 
>Hotmail and Yahoo messages. From what I can tell it is automatically 
>tagging all messages from these two sources as spam. I have noticed as 
>shown below that the RAZOR2_CHECK has given the message 5 points. The 
>limit I have setup for being tagged is 5 points. The header below is from 
>a legitimate mesSeptember would like it to have gotten through fine 
>without being tagged.
>
>*****
>X-Spam-Score: 6.1 (++++++)
>X-Spam-Report: Spam detection software, running on the system 
>"apsea.ednet.ns.ca", has dentified this incoming email as possible 
>spam.  The original message has been attached to this so you can view it 
>(if it isn't spam) or block similar future email.  If you have any 

Dörfler Andreas | 5 Aug 2004 14:10

log problem

hi there,

got a little problem with razor 2.61.
(running on suse 9.1 with postfix, 
spamassassin, mailscanner)

every time when i start postfix i get 
the following error:

postfix/postsuper[12018]: warning: bogus file name: hold/razor-agent.log

the logfile was created by razor in
/var/spool/postfix/hold/
i already killed it there and set up a sym link
lrwxrwxrwx   1 postfix root     18 Aug  5 08:00 razor-agent.log ->
/var/log/razor.log

next was a sym link in /root
lrwxrwxrwx   1 root  root        11 Aug  4 15:27 .razor -> /etc/razor/

razor-agent.conf:
razor_logfile          = /var/log/razor.log

then a new env with setenv:
razor_logfile=/var/log/razor.log

tried razor-admin -logfile=/var/log/razor.log
but
razor-admin -logfile=/var/log/razor.log
An option needs to be specified,  -h for help.

Torsten Vielhak | 6 Aug 2004 13:24

Failover?


Hi,

obviously one of the catalogue servers (pride.cloudmark.com) is down:

# telnet pride.cloudmark.com 2703
Trying 66.151.150.33...
telnet: Unable to connect to remote host: Connection refused


# telnet thrill.cloudmark.com 2703
Trying 66.151.150.29...
Connected to thrill.cloudmark.com.
Escape character is '^]'.
sn=C&srl=5030&a=l&a=cg&ep4=7542-10


Is there a failover mechanism in the razor-agents? We use a SOCKS-Proxy to connect and
if I read the source right the following happens during a razor-check (we use it in combination
with mime-defang and spamassassin):

1. Connect to proxy
2. Try to connect to the first catalogue server (first in the servers.catalogue.lst)
3. If 3 does not work, try it directly (without proxy)?!?! Strange behaviour ;-)
4. Since 3 will not work (I think it will not work in 99% of all environments), choose the
   next server in the list (if there is one) and go to 1.

BUT the failover to the new server is NOT written to disk. So the next check will do the
same thing again (fail on the first server => try directly => TIMEOUT => next server).
This will slow down the machine and mail processing and produces unnecessary network traffic.

Did I miss something or is this a "bug" / feature request?


PS: Manual deletion of pride.cloudmark.com in servers.catalogue.lst works.... until a new discovery (default 2 days)


Best regards

Torsten Vielhak
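
The failover behaviour described in this message, as an added illustration that is not part of the original post and is not razor-agents code: a simulation that counts failed connection attempts when the working server is not remembered between checks and when it is moved to the front of the list. The function names and the in-memory list standing in for servers.catalogue.lst are assumptions; the two host names come from the telnet tests above, and no network connection is made.

```python
"""Simulation of the catalogue-server failover described above (no network I/O).

Not razor-agents code: the names and the in-memory list standing in for
servers.catalogue.lst are assumptions made for this illustration.
"""

# Constructed state: the first server refuses connections, the second answers.
DOWN = {"pride.cloudmark.com"}


def reachable(host, via_proxy):
    """Stand-in for a TCP connect to port 2703; direct connects never work here."""
    return via_proxy and host not in DOWN


def check(servers, persist):
    """Run one check-style lookup; return (server used, list of attempts).

    Each attempt is (host, route, ok). For every server the proxy is tried
    first, then a direct connection, as in steps 1-4 of the post. With
    persist=True the working server is moved to the front of `servers`,
    which models writing the failover back to disk.
    """
    attempts = []
    for host in list(servers):
        for route, via_proxy in (("proxy", True), ("direct", False)):
            ok = reachable(host, via_proxy)
            attempts.append((host, route, ok))
            if ok:
                if persist and servers[0] != host:
                    servers.remove(host)
                    servers.insert(0, host)
                return host, attempts
    return None, attempts


def failed_attempts(n_checks, persist):
    """Total failed connection attempts over n_checks consecutive checks."""
    servers = ["pride.cloudmark.com", "thrill.cloudmark.com"]
    total = 0
    for _ in range(n_checks):
        _, attempts = check(servers, persist)
        total += sum(1 for _, _, ok in attempts if not ok)
    return total


if __name__ == "__main__":
    for persist in (False, True):
        print("persist=%s: %d failed attempts in 100 checks"
              % (persist, failed_attempts(100, persist)))
```

In a real deployment each failed direct attempt costs a connection timeout, so the per-check overhead is dominated by that timeout rather than by the attempt count alone.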

Fraser Morrison | 6 Aug 2004 14:09

Re: Razor-users digest, Vol 1 #843 - 2 msgs

Matt,

We are using version 2.6.3. I have pasted our local.cf file below:

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###########################################################################
#
# rewrite_subject 0
# report_safe 1
# trusted_networks 212.17.35.
required_hits 5
score RAZOR2_CHECK 5
ok_languages en fr
ok_locales en fr

Fraser

Fraser Morrison
LAN Administrator/Adaptive Specialist
Atlantic Provinces Special Education Authority
5940 South Street
Halifax  Nova Scotia
Canada
B3H 1S6

Phone: (902)-424-2172
Fax:      (902)-424-6421
Email: morrisonf <at> apsea.ca
Web:   www.apsea.ca

Mike Burger | 6 Aug 2004 16:18

Re: Re: Razor-users digest, Vol 1 #843 - 2 msgs

FWIW, I've done the same as Fraser, scoring Razor at 5, primarily because 
I trust it.

I used to automatically drop Razor scored mail into the bitbucket, but 
noticed, pre-current Razor version, I was getting more FPs than I used 
to...so now, I verify them, first...but I still score them that way.

On Fri, 6 Aug 2004, Fraser Morrison wrote:

> Matt,
> 
> We are using version 2.6.3. I have pasted our local.cf file below:
> 
> # This is the right place to customize your installation of SpamAssassin.
> #
> # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
> # tweaked.
> #
> ###########################################################################
> #
> # rewrite_subject 0
> # report_safe 1
> # trusted_networks 212.17.35.
> required_hits 5
> score RAZOR2_CHECK 5
> ok_languages en fr
> ok_locales en fr
> 
> 
> Fraser

-- 
Mike Burger
http://www.bubbanfriends.org

Visit the Dog Pound II BBS
telnet://dogpound2.citadel.org or http://dogpound2.citadel.org

To be notified of updates to the web site, visit 
http://www.bubbanfriends.org/mailman/listinfo/site-update, or send a 
message to:

site-update-request <at> bubbanfriends.org

with a message of: 

subscribe

Lionel Bouton | 6 Aug 2004 16:44

razor-agents bug ?

Hi,

I discovered today that we had a problem here with spamassassin 2.63 and 
2.64 using razor-agents 2.61 :

Aug  6 16:28:05 ns02 spamd[26947]: razor2 check skipped: No such file or 
directory Can't locate auto/Digest/SHA1/reset.al in @INC (@INC contains: 
lib ../lib /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/site_perl/5.8.0 
/usr/lib/perl5/5.8.0/i386-linux-thread-multi /usr/lib/perl5/5.8.0 
/usr/lib/perl5/site_perl 
/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi 
/usr/lib/perl5/vendor_perl/5.8.0 /usr/lib/perl5/vendor_perl) at 
/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/Razor2/Signature/Whiplash.pm 
line 66

This didn't occur on each message processing. Sometimes spamd could 
process the message without razor-agents complaining.

After looking into Digest::SHA1 and Whiplash.pm I noticed that 
Whiplash.pm called reset on a Digest::SHA1 object although it just 
called the hexdigest method which already resets the object upon completion.
It seems calling reset after digest or hexdigest is not only a waste of 
time, but also the source of the problem.

After commenting out the reset in Whiplash.pm (line 66) :

        my $sha1 = Digest::SHA1->new();
        $sha1->add($host);
        $sig = substr $sha1->hexdigest, 0, 12;

->      #$sha1 = Digest::SHA1->reset();
        $sha1->add($corrected_length);
        $sig .= substr $sha1->hexdigest, 0, 4;

        push @sigs, $sig;
        $sig_meta{$sig} = [$host, $corrected_length];

everything is working fine here.

As I didn't find anything related to this, I post the problem and what 
I hope is the correct solution here,

Best regards,

--

-- 
Lionel Bouton - inet6
---------------------------------------------------------------------
   o              Siege social: 51, rue de Verdun - 92158 Suresnes
  /      _ __ _   Acces Bureaux: 33 rue Benoit Malon - 92150 Suresnes
 / /\  /_  / /_   France
 \/  \/_  / /_/   Tel. +33 (0) 1 41 44 85 36
  Inetsys S.A.    Fax  +33 (0) 1 46 97 20 10

Matt Kettler | 6 Aug 2004 17:33

Re: razor-agents bug ?

At 10:44 AM 8/6/2004, Lionel Bouton wrote:
>After looking into Digest::SHA1 and Whiplash.pm I noticed that Whiplash.pm 
>called reset on a Digest::SHA1 object although it just called the 
>hexdigest method which already resets the object upon completion.
>It seems calling reset after digest or hexdigest is not only a waste of 
>time, but also the source of the problem.
>
>After commenting out the reset in Whiplash.pm (line 66) :

My system works flawlessly with that line intact. While it might be a waste 
of time, I doubt it's a source of the problem. I'd take it as some possibly 
redundant code, but one that is pointing out a problem in your perl libs.

Any chance your copy of Digest::SHA1 is mangled? 

Matt Kettler | 6 Aug 2004 17:39

Re: Hotmail & Yahoo Footers

At 08:09 AM 8/6/2004, Fraser Morrison wrote:
>We are using version 2.6.3. I have pasted our local.cf file below:
>
># This is the right place to customize your installation of SpamAssassin.
>#
># See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
># tweaked.
>#
>###########################################################################
>#
># rewrite_subject 0
># report_safe 1
># trusted_networks 212.17.35.
>required_hits 5
>score RAZOR2_CHECK 5

The line above is why you're getting a score of 5.0 for razor.

I think that scoring 5.0 for razor is GROSSLY inappropriate, despite 
Lionel's opinion.

I've had numerous false positive problems with razor over the years. This 
doesn't make it a bad tool, but it does make it not worth 5.0 points for 
any razor hit.

The current incarnation of razor 2.61 is having some occasional FP problems 
due to the relative youth of the whiplash signature database in being used 
with Razor. This should even out over time, but for right now it's causing 
some problems due to lack of enough data points to cause the reports and 
revokes to properly average out.

Fix your local.cf to not assign such an absurd (and yes, I do feel it's 
completely absurd) score to RAZOR2_CHECK. The default score should be fine. 
If you start having FN problems, you can go back to over-riding scores, but 
I'd suggest going back to the defaults until you have a feel for how it all 
works.
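
An added example, not written by anyone in this thread and not SpamAssassin code: a check that flags local.cf score overrides which reach required_hits on their own, and a recomputation of the report quoted earlier in the thread with the 2.63 default score in place of the override. The helper names are hypothetical; the local.cf and report lines are copied from the messages above; treating the second of the four default values (network tests on, Bayes off) as the one in use is an assumption.

```python
"""Flag local.cf score overrides that reach the spam threshold on their own.

Added illustration, not SpamAssassin code. Sample inputs are copied from the
thread; helper names are made up for this example.
"""
import re

LOCAL_CF = """\
# rewrite_subject 0
required_hits 5
score RAZOR2_CHECK 5
ok_languages en fr
"""

# Rule lines from the "Content analysis details" of the report in the thread.
REPORT = """\
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_20_30             BODY: Message is 20% to 30% HTML
 0.6 RAZOR2_CF_RANGE_11_50  BODY: Razor2 gives confidence between 11 and 50
 [cf:  20]
 5.0 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
"""


def parse_local_cf(text):
    """Return (required_hits, {rule: [scores]}) from local.cf-style text."""
    required, scores = 5.0, {}  # 5.0 is SpamAssassin's default threshold
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] == "required_hits":
            required = float(fields[1])
        elif len(fields) >= 3 and fields[0] == "score":
            # One value applies to every score set; four values are per set.
            scores[fields[1]] = [float(v) for v in fields[2:]]
    return required, scores


def single_rule_verdicts(text):
    """Rules whose override alone meets the threshold in some score set."""
    required, scores = parse_local_cf(text)
    return sorted(r for r, vals in scores.items() if max(vals) >= required)


def parse_report(text):
    """Return {rule: points} from the pts/rule-name lines of a report."""
    hits = {}
    for m in re.finditer(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s", text, re.M):
        hits[m.group(2)] = float(m.group(1))
    return hits


def rescore(text, rule, points):
    """Total of the report with one rule's points replaced."""
    hits = parse_report(text)
    hits[rule] = points
    return round(sum(hits.values()), 3)


if __name__ == "__main__":
    print("single-rule verdicts:", single_rule_verdicts(LOCAL_CF))
    # 0.899 is the 2.63 default quoted in the thread for the second score set
    # (network tests on, Bayes off); that this set is in use is an assumption.
    print("total with default score:", rescore(REPORT, "RAZOR2_CHECK", 0.899))
```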
