[SA-SPAM] Re: Julian, [SA-SPAM] and the lovely AWL

Dave Duffner - PSCGi webalizer at NWCWEB.COM
Thu Mar 31 20:16:35 IST 2005


Julian,

        In the case of the Virus stuff, yep we're using a heavily
modified version that is assigning some points, but not enough
to cause the tag in this specific case.  There are two other rogue
tags for .biz & .info that are coming up, but those are easily
handled (or just eliminated as they're really not as accurate as
they used to be when they were created originally with the expansion
of the TLDs of late).

        On the AWL, at least in Ensim Pro's outlay it's got them
in the individual user files.  Went for the root thing awhile
back, couldn't find it, checked again recently, same thing.  But
once I found the potential pathway to the individual users, there
it was with those Bayes files as well.

        On straight server setups without an HSP hosting software
like Ensim, cPanel, Plesk, etc. or potentially a straight install
without someone like Ensim mucking it up, it should have been a
large-scale gang file.

        In Ensim's case, since many things are chroot'ed to the
point of insanity (for the sake of security?) they implemented a
MailScanner/SA/ClamAV package into the latest 4.XX revisions
that gives the individual users some control over what happens
to the spam.  Since that's the case, it creates individual profiles,
Bayes, AWLs and the rest of the goodies.  Not saying it's the
best layout, but it's what we've got to work with.  Would have
rather installed it from scratch, but Ensim has a way of producing
destructive updates that find installs (no matter where they came
from) and obliterate them to replace them with their packaged
goodies.  I believe cPanel & Plesk are much more forgiving in
this sense, but have tradeoffs vs. Ensim.

        Misconfigured or ignorant rulesets we can deal with easily.
The rampant and non-configurable AWL averaging system is the one
that needs a swift kick!  But at least there's a way to disarm it
and move forward.  But again, that's an SA issue.

        Any thoughts on the random MS scanning of packets though?

        Thanks!

        Dave


> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
> Sent: Thursday, March 31, 2005 1:41 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: [SA-SPAM] Re: Julian, [SA-SPAM] and the lovely AWL
>
>
> Are you using the bogus anti-virus warnings ruleset for
> SpamAssassin? If so, mail from me will tend to be detected as
> spam as the patterns just look for "mailscanner" in the From:
> address. There are a whole load of rules to zero out, they are
> score VIRUS_WARNING15   0
> score VIRUS_WARNING28   0
> score VIRUS_WARNING33   0
> score VIRUS_WARNING62   0
> score VIRUS_WARNING66   0
> score VIRUS_WARNING226  0
> score VIRUS_WARNING250  0
> score VIRUS_WARNING300  0
> score VIRUS_WARNING326  0
> score VIRUS_WARNING339  0
> score VIRUS_WARNING340  0
>
> The AWL files used by MailScanner's SpamAssassin should be in
> ~root/.spamassassin if you are running MailScanner as root.
> If not, then insert the appropriate username. They should be
> with your bayes files.
>
> Dave Duffner - PSCGi wrote:
>
> >>-----Original Message-----
> >>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]
> >>On Behalf Of Julian Field
> >>Sent: Thursday, March 31, 2005 12:56 PM
> >>To: MAILSCANNER at JISCMAIL.AC.UK
> >>Subject: [SA-SPAM] Re: MCP checks for outgoing only
> >>
> >>
> >
> >        Ok, finally some sanity!
> >
> >        Note the original reply from Julian that was tagged once again
> >by my SpamAssassin.  For the FIRST time, it's not from the AWL!
> >
> >        This is more an SA issue and for reference sake here for those
> >about as insane as I am from screwing with the autowhitelist (AWL)
> >settings.
> >
> >        If you've ever run your MS/SA setup with AWL ON, then it's been
> >building up an AWL file in each of your users' filebases.  One would've
> >thought a more collective database might make more sense, but on large
> >volume systems I'm not sure if lookups individually would work faster
> >than from a collective AWL situation.  Small systems, the individual
> >approach makes more sense for speed.
> >
> >        So I went through changing all the locations where the AWL
> >should be disabled, saw in our headers it was disabled, but yet it
> >would randomly tag mail with an SA AWL score of insane positive
> >proportions.  Sadly Julian seemed to be a fixation for this install, if
> >there's a post from him - tagged.
> >
> >        With no responses here as to how to 'flush' the AWL, figuring
> >it's turned off but pulling info from somewhere, I set out yesterday to
> >dig through tons of SA/AWL pages on the Net.  Finally, I located
> >something somewhat irrelevant to our situation, but that led me to find
> >those individual AWL databases.  They are in each domain's user file
> >section, once inside their account zone it's /.spamassassin and
> >located down inside.  Simply called auto-whitelist.
> >
> >        I went into the account I use for this List and found that
> >file, renamed it to the point it'd never be located by SA and DONE!
> >
> >        Only reason Julian's post today was tagged was other config
> >items in the rulesets that trigger him slightly over the limit and earn
> >the [SA-SPAM] tag we assign.  Easily fixable.  So the bad news is once
> >you kill the AWL feature, if you had it running for any period of time
> >you must go in and either delete that AWL file for each user in each
> >domain on your box, or rename it so it can't be found.
> >
> >        Now, the only other problem that IS MailScanner related and has
> >been mentioned here in the last week is that Julian posted several
> >times today and only ONE of those was scanned by MS/SA?  I see MS tags
> >for SpamCheck, gives no results, but it's either passing the mail on as
> >OK and then not allowing SA to touch it or it's just mod'ing the header
> >with MS info and never processing it?  We've seen that on a slew of
> >mail, appears it's missing like 25% of the traffic.  Doesn't sound
> >right.
> >
> >        We did insert this List into the 'don't touch' conf files, but
> >that's also applied at what appears to be random.
> >
> >        Any thoughts?
> >
> >        Dave
> >
> >
> >I--I
> >Message scanned by MailScanner, and is believed to be clean.
> >CONFIDENTIALITY NOTICE:  This transmission intended for the specified
> >destination and person.  If this is not you, this
> >e-mail must be deleted immediately.     www.pscginternet.com
> >
> >------------------------ MailScanner list ------------------------
> >To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> >'leave mailscanner' in the body of the email. Before posting, read the
> >MAQ (http://www.mailscanner.biz/maq/) and the archives
> >(http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> >Support MailScanner development - buy the book off the website!
> >
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


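The cleanup described in this thread (renaming each user's `auto-whitelist` file once AWL has been switched off), as an added example that is not part of the original messages. The root directory argument and the `.disabled-YYYYMMDD` suffix are assumptions for illustration.

```shell
#!/bin/sh
# Added example: retire per-user SpamAssassin auto-whitelist (AWL) databases
# once AWL has been switched off. The root directory passed in and the
# ".disabled-YYYYMMDD" suffix are assumptions, not paths from the thread.

# Print every file named auto-whitelist that sits in a .spamassassin directory.
list_awl_files() {
    find "$1" -type f -path '*/.spamassassin/auto-whitelist'
}

# retire_awl ROOT [apply]
# Dry run by default: reports on stderr what would be renamed.
# With "apply", renames each database so SpamAssassin no longer finds it.
# Prints the number of files handled on stdout.
retire_awl() {
    root=$1
    mode=${2:-dry-run}
    stamp=$(date +%Y%m%d)
    list=$(mktemp) || return 1
    list_awl_files "$root" > "$list"
    count=0
    while IFS= read -r f; do
        target="$f.disabled-$stamp"
        if [ -e "$target" ]; then
            # Never clobber an earlier backup; leave this one for review.
            echo "skip (backup exists): $f" >&2
            continue
        fi
        if [ "$mode" = "apply" ]; then
            mv -- "$f" "$target" || { echo "failed: $f" >&2; continue; }
            echo "renamed: $f -> $target" >&2
        else
            echo "would rename: $f" >&2
        fi
        count=$((count + 1))
    done < "$list"
    rm -f "$list"
    echo "$count"
}
```

Call `retire_awl ROOT` first to review the dry-run list, then `retire_awl ROOT apply`; Bayes files in the same directories are left untouched.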