Local State Dir - /var/lib/spamassassin - SARE rules no hits

Martin Hepworth maxsec at gmail.com
Mon Nov 24 13:52:45 GMT 2008


2008/11/24 Daniel Flensburg <Daniel.Flensburg at iris.se>:
> I check with MailWatch, either in MessageDetail on the specific message or Reports > "SA Rule Hits" for a complete list of the rule hits:
> Rule - Description - Total - Ham - % - Spam - %
>
> The SARE-rules are in /var/lib/spamassassin/3.001004/saupdates_openprotect_com
> and, as a test I ran another sa-update script that put each ruleset in a subfolder of /var/lib/spamassassin/3.001004
>
> /var/lib/spamassassin/3.001004 looks like this:
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_adult_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   98 2008-11-17 11:09 70_sare_adult_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  109 2008-11-17 11:09 70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_evilnum0_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  101 2008-11-17 11:09 70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj0_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  102 2008-11-17 11:09 70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj1_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  102 2008-11-17 11:09 70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_genlsubj2_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  102 2008-11-17 11:09 70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_header_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   99 2008-11-17 11:09 70_sare_header_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_html_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   97 2008-11-17 11:09 70_sare_html_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_obfu_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   97 2008-11-17 11:09 70_sare_obfu_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_oem_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   96 2008-11-17 11:09 70_sare_oem_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_random_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   99 2008-11-17 11:09 70_sare_random_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_specific_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  101 2008-11-17 11:09 70_sare_specific_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_spoof_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   98 2008-11-17 11:09 70_sare_spoof_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_stocks_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   99 2008-11-17 11:09 70_sare_stocks_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_unsub_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   98 2008-11-17 11:09 70_sare_unsub_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri0_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   97 2008-11-17 11:09 70_sare_uri0_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri1_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   97 2008-11-17 11:09 70_sare_uri1_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_uri2_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix   97 2008-11-17 11:09 70_sare_uri2_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:09 70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  107 2008-11-17 11:09 70_sare_whitelist_rcvd_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 70_sare_whitelist_spf_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  106 2008-11-17 11:10 70_sare_whitelist_spf_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 72_sare_bml_post25x_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  104 2008-11-17 11:10 72_sare_bml_post25x_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  111 2008-11-17 11:10 72_sare_redirect_post3_0_0_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 99_fvgt_tripwire_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  101 2008-11-17 11:10 99_fvgt_tripwire_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-11-17 11:10 99_sare_fraud_post25x_cf_sare_sa-update_dostech_net
> -rw-r--r-- 1 postfix postfix  106 2008-11-17 11:10 99_sare_fraud_post25x_cf_sare_sa-update_dostech_net.cf
> drwxr-xr-x 2 postfix postfix 1024 2008-10-07 08:45 saupdates_openprotect_com
> -rw-r--r-- 1 postfix postfix 1695 2008-10-07 08:45 saupdates_openprotect_com.cf
> -rw-r--r-- 1 postfix postfix   50 2008-10-07 08:45 saupdates_openprotect_com.pre
> drwxr-xr-x 2 postfix postfix 1024 2008-11-20 12:58 sought_rules_yerp_org
> -rw-r--r-- 1 postfix postfix  119 2008-11-20 12:58 sought_rules_yerp_org.cf
> -rw-r--r-- 1 postfix postfix 1335 2008-10-15 14:52 sought.txt
> drwxr-xr-x 2 postfix postfix 2048 2008-10-06 15:20 updates_spamassassin_org
> -rw-r--r-- 1 postfix postfix 2200 2008-10-06 15:20 updates_spamassassin_org.cf
> -rw-r--r-- 1 postfix postfix   43 2008-10-06 15:20 updates_spamassassin_org.pre
>
> The owner of the files used to be root:root but I changed this recently for testing purposes.
>
> /Daniel
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Martin Hepworth
> Sent: 24 November 2008 14:01
> To: MailScanner discussion
> Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits
>
> 2008/11/24 Daniel Flensburg <Daniel.Flensburg at iris.se>:
>> Thanks for the reply Jason!
>>
>> But...
>>
>> spamassassin -D --lint -p /opt/MailScanner/etc/spam.assassin.prefs.conf
>>
>> gives me the impression the SARE-rules are working, but still no SARE-hits, why?:
>>
>>
>> [...]
>> [5284] dbg: config: read file /etc/spamassassin/init.pre
>> [5284] dbg: config: read file /etc/spamassassin/v310.pre
>> [5284] dbg: config: read file /etc/spamassassin/v312.pre
>> [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for sys rules pre files
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/saupdates_openprotect_com.pre
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/updates_spamassassin_org.pre
>> [5284] dbg: config: using "/var/lib/spamassassin/3.001004" for default rules dir
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj0_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj1_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_genlsubj2_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_header_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_html_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_obfu_cf_sare_sa-update_dostech_net.cf
>> [5284] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_oem_cf_sare_sa-update_dostech_net.cf
>> [...]
>>
>> ...and:
>>
>> [...]
>> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre
>> [5547] dbg: config: using "/var/lib/spamassassin/3.001004/updates_spamassassin_org/empty.pre" for included file
>> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
>> [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file
>> [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
>> [5547] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf
>> [5547] dbg: config: using "/var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf" for included file
>> [5547] dbg: config: read file /var/lib/spamassassin/3.001004/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf
>> [...]
>>
>> /Daniel
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason Ede
>> Sent: 24 November 2008 12:37
>> To: MailScanner discussion
>> Subject: RE: Local State Dir - /var/lib/spamassassin - SARE rules no hits
>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>> bounces at lists.mailscanner.info] On Behalf Of Daniel Flensburg
>>> Sent: 24 November 2008 10:56
>>> To: MailScanner discussion
>>> Subject: SV: Local State Dir - /var/lib/spamassassin - SARE rules no
>>> hits
>>>
>>> Hi Kai!
>>>
>>> Sorry about the reply button, I think you are right.
>>>
>>> I tried the setting below and restarted the server. I cannot see any
>>> SARE hits yet.
>>> I'm pretty sure it's not working. (tried to send text that another
>>> working server gets SARE hits on outgoing tests, no hits on "my" side)
>>>
>>> What is the best way to test if rules in /var/lib/spamassassin are
>>> working correctly?
>>>
>>> Why do the two commands below give different results?
>>>
>>> spamassassin -D --lint
>>
>> Try spamassassin -D --lint -p /<path to spam.assassin.prefs.conf file in MS directory>
>>
>> On my system it's spamassassin -D --lint -p /etc/MailScanner/spam.assassin.prefs.conf
>>
>> Jason
>>
>>>
>>> /opt/MailScanner/bin/MailScanner --debug --debug-sa
>>>
>>> Regards,
>>>
>>> /Daniel
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>> bounces at lists.mailscanner.info] On Behalf Of Kai Schaetzl
>>> Sent: 23 November 2008 15:31
>>> To: mailscanner at lists.mailscanner.info
>>> Subject: Re: Local State Dir - /var/lib/spamassassin - SARE rules no hits
>>>
>>> Daniel Flensburg wrote on Fri, 21 Nov 2008 16:10:48 +0100:
>>>
>>> > You have no idea what you did?
>>>
>>> I found this snippet:
>>> http://lists.mailscanner.info/pipermail/mailscanner/2008-
>>> April/083684.html
>>>
>>> so
>>>
>>> SpamAssassin Local State Dir = /var/lib/spamassassin
>>>
>>> should work for you. Double-check that and don't forget to restart
>>> MailScanner.
>>>
>>> Btw, I just noticed that your start message doesn't thread correctly.
>>> Please, if you send a question to a mailing list, do *not* hit reply,
>>> the
>>> "new message" button is for that!
>>>
>>> Kai
>>>
>>> --
>>> Kai Schätzl, Berlin, Germany
>>> Get your web at Conactive Internet Services: http://www.conactive.com
>>>
>>>
>>>
>>
> Daniel
>
> How are you checking for hits against the SARE set and whereabouts
> are they installed to?
>
>
> --
> Martin Hepworth
> Oxford, UK
> --
> MailScanner mailing list
>

Hmm, the SARE rules should be in
/var/lib/spamassassin/3.001004/saupdates_openprotect_com, not in the
directory above.

Now you've restarted mailscanner after you've updated so that's not
the issue. Maybe it's a problem.

I'd do as Phil suggested - upgrade everything to the latest versions.
3.1.4 is really really old anyway, and 3.2.5 will help a lot with
general spam catching. I did a 3.1.7 -> 3.2.5 upgrade a couple of
months ago with no issues and very little 'downtime' (I kept the MTAs
going, just stopped mailscanner and it took around 15 minutes to
complete).

I'd also make sure you're running a reasonably up-to-date mailscanner too.

-- 
Martin Hepworth
Oxford, UK
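
Added example, not part of the original thread or of the MailScanner or SpamAssassin projects: one way to check the `spamassassin -D --lint` debug output quoted above is to group the "read file" lines by sa-update channel and flag any channel whose top-level .cf stub was parsed but whose rule file in the channel subdirectory was never read. The function names and the sample lines are assumptions constructed for illustration; the state directory and channel names are taken from the thread.

```shell
#!/bin/sh
# Added example: summarise `spamassassin -D --lint` debug output per sa-update
# channel. STATE_DIR is the directory named in the thread; adjust as needed.
STATE_DIR="/var/lib/spamassassin/3.001004"

# stdin: debug output. stdout: "<channel> stub=<0|1> included=<n>", sorted.
sa_channel_report() {
    awk -v dir="$STATE_DIR/" '
        index($0, "dbg: config: read file " dir) {
            # path relative to the state directory
            rel = substr($0, index($0, dir) + length(dir))
            if (rel !~ /\.cf$/) next          # skip .pre files
            n = split(rel, part, "/")
            if (n == 1) {                     # channel stub: <channel>.cf
                ch = substr(rel, 1, length(rel) - 3)
                stub[ch] = 1; seen[ch] = 1
            } else {                          # rule file: <channel>/<file>.cf
                inc[part[1]]++; seen[part[1]] = 1
            }
        }
        END {
            for (ch in seen)
                printf "%s stub=%d included=%d\n", ch, stub[ch] + 0, inc[ch] + 0
        }' | sort
}

# Channels whose stub was parsed but for which no rule file was read.
sa_channels_without_rules() {
    sa_channel_report | awk '$2 == "stub=1" && $3 == "included=0" { print $1 }'
}

# Constructed sample modelled on the debug lines quoted in the thread.
sample_lint_output() {
    d="$STATE_DIR"
    cat <<EOF
[1] dbg: config: read file $d/updates_spamassassin_org.pre
[1] dbg: config: read file $d/70_sare_adult_cf_sare_sa-update_dostech_net.cf
[1] dbg: config: read file $d/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net.cf
[1] dbg: config: read file $d/70_sare_evilnum0_cf_sare_sa-update_dostech_net.cf
[1] dbg: config: using "$d/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf" for included file
[1] dbg: config: read file $d/70_sare_adult_cf_sare_sa-update_dostech_net/200705210700.cf
[1] dbg: config: read file $d/70_sare_bayes_poison_nxm_cf_sare_sa-update_dostech_net/200506020000.cf
EOF
}

sample_lint_output | sa_channel_report
```

On a live host the debug stream goes to stderr, so it has to be merged into the pipe: `spamassassin -D --lint -p /opt/MailScanner/etc/spam.assassin.prefs.conf 2>&1 | sa_channels_without_rules`.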

