spamassassin tag score

spamassassin tag score

Kebba Foon
Dear List,

Can someone explain these two files for me on the exim4u web interface:
Spamassassin tag score:
Spamassassin discard score:

I am not exactly sure how they affect my spam checks on my server. My
question is: how is this value calculated, and which has the potential
to stop more spam, higher or lower values?

Thanks
Kebba

On Sat, 2011-02-19 at 12:00 -0500, [hidden email] wrote:

>
> Today's Topics:
>
>    1. Re: malware acl condition: clamd: ClamAV returned
>       /var/spool/exim4/scan/XXXX.eml: Can't create temporary directory
>       ERROR (Odhiambo Washington)
>    2. Re: exim as a backup MX (Gordon Dickens)
>    3. Re: malware acl condition: clamd: ClamAV returned
>       /var/spool/exim4/scan/XXXX.eml: Can't create temporary directory
>       ERROR (Gordon Dickens)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 18 Feb 2011 20:24:35 +0300
> From: Odhiambo Washington <[hidden email]>
> Subject: Re: [Exim4U] malware acl condition: clamd: ClamAV returned
> /var/spool/exim4/scan/XXXX.eml: Can't create temporary directory ERROR
> To: Exim4U General Discussion <[hidden email]>
> Message-ID:
> <AANLkTimrdtT8o308sH6nbatEb6Y=[hidden email]>
> Content-Type: text/plain; charset="utf-8"
>
> On Fri, Feb 18, 2011 at 6:52 PM, Udo Hortian <[hidden email]> wrote:
>
> > Hello Gordon,
> >
> > On Fri, Feb 18, 2011 at 10:07:31AM -0500, Gordon Dickens wrote:
> > > That is quite strange especially since it only occurs sometimes. I can't
> > > say for sure but I suspect that this is most probably a ClamAV problem.
> > > Check to see if the clamd logs have any related entries that might yield
> > > a clue.
> > I checked the clamav.log and when the error occurs I find lines like:
> >
> > Tue Feb 15 22:20:42 2011 -> /var/spool/exim4/scan/XXXX/XXXX.eml: Can't
> > create temporary directory ERROR
> >
> > Just like in exim's paniclog.
> >
> > > I realize this is obvious but make sure that the Debian-exim
> > > user and clamav user both have read/write permission to the
> > > /var/spool/exim4/scan directory.
> > In fact the permissions to this directory are as follows:
> >
> > ls -l /var/spool/exim4/ | grep scan
> > drwxr-x--- 2 Debian-exim Debian-exim 4096 Feb 18 12:54 scan
> >
> > Before I checked this, but somehow was not noting the missing w for the
> > group.
> >
> > So the Debian-exim group has NO write-permission. On another system
> > running exim4u (which I use as the primary MX) the permissions are
> > identical and I do not have any errors of this kind there.
> >
> > Probably here lies the problem. But since I do not have any problems on
> > the other system, I would like to understand first, why I really need
> > write access here. How does virus scanning actually work? Which process
> > really needs access to this directory?
> >
> > Then I would like to understand why there are no problems on my other
> > system.
> >
> >
> Things to check:
>
>
> I run clamd as mailnull (the same user Exim runs as).
> After all, they both process the same mail.
>
> (20:20:25 <~>) 0 $ grep User /usr/local/etc/clamd.conf
> User mailnull
> (20:20:35 <~>) 0 $ exim -bP | grep exim_user
> exim_user = mailnull
> (20:20:49 <~>) 0 $
>
> (20:20:49 <~>) 0 $ ls -al /var/spool/exim/
> total 24
> drwxr-x---   7 mailnull  mailnull   512 Oct 26  2009 .
> drwxr-xr-x  15 root      wheel      512 Dec 27 15:17 ..
> drwxr-x---   2 mailnull  mailnull   512 Feb 18 18:18 db
> drwxr-x---  13 mailnull  mailnull  7680 Feb 18 20:13 input
> drwxr-x---   2 mailnull  mailnull   512 Oct 26  2009 log
> drwxr-x---  17 mailnull  mailnull  4096 Feb 18 20:13 msglog
> drwxr-x---   3 mailnull  mailnull   512 Feb 18 20:13 scan
> (20:21:16 <~>) 0 $
>
> In clamd.conf:
>
> TemporaryDirectory /var/tmp
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> Damn!!
>
> ------------------------------
>
> Message: 2
> Date: Fri, 18 Feb 2011 13:41:53 -0500
> From: Gordon Dickens <[hidden email]>
> Subject: Re: [Exim4U] exim as a backup MX
> To: Exim4U General Discussion <[hidden email]>
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 02/17/2011 05:20 AM, Udo Hortian wrote:
> > As far as I understood your message, one can do the spam filtering on
> > the backup-MX or/and on the primary MX. But if now spam filtering is
> > done on the backup-MX how does the primary MX know about this? Doing no
> > spam filtering at all for mails coming in through the backup-MX would
> > be a problem, I think.
>
> Hi Udo,
>
> It is most efficient to run spam checks during the smtp session with the
> sending server. This is a generally accepted "best practice" for mail
> servers. So, the only way to do that with relay domains is to perform
> the spam checks on the relay server during the smtp session.  Otherwise,
> if you do the spam checking on the primary server then, for reasons
> explained later in this post, you will accumulate all spam sent to each
> primary domain on the relay MX server's mail queue.  With this theory in
> mind, if spamassassin is enabled for a backup MX domain on an Exim4U
> server then all spam checks occur in the exim ACLs during the smtp
> session regardless of whether the incoming mail is for a local domain or
> a relay domain.
>
> The following spam checks are executed for both local domains and relay
> domains:
>
> Recipient addresses are verified via callouts to the primary host.
> URIBL/SURBL/DBL checks are performed via exim_surbl.
> Spamassassin checks are performed.
> Ratelimiting is performed for a variety of causes including dictionary
> attacks.
>
> So, mail to a relay domain has already been processed for spam prior to
> forwarding  the mail on to the primary MX server.  Therefore, there is
> no reason to run the spam checks again on the primary server since that
> would simply be a duplication of effort. However, you can alternatively
> run the spam checks again on the primary server if you want but you will
> normally gain nothing from it.  In all cases, you should disable
> ratelimiting for the backup MX server because spammer dictionary attacks
> on the relay server will otherwise cause the primary MX server to
> ratelimit the backup MX server due to recipient callout failures.
>
> So, for relay domains, you should tell the primary MX server to either
> exempt the spam checks or to only exempt ratelimiting. The way that you
> tell the primary MX server to exempt the spam checks is by including the
> backup MX in the /etc/exim/exim4u_backup_mx_host_names file.  
> Alternatively, you can include the backup MX server in the
> /etc/exim/exim4u_backup_mx_rl_host_names file which will only disable
> ratelimiting.
>
> As an aside, Exim4U runs clamd virus checks on ALL incoming mail for all
> local domains and all relay domains. That is, on a primary MX host,
> clamd  is run on all incoming mail regardless of whether it comes from a
> relay host or not. clamd is run even if the relay host is included in
> exim4u_backup_mx_host_names or exim4u_backup_mx_rl_host_names.
>
> > If I decide to do spam-checking (spamassassin) only on the primary-MX
> > and not on the relay, then I guess I should add the relay MX to the file
> > etc/exim/exim4u_backup_mx_rl_host_names on the primary-MX host instead
> > of /etc/exim/exim4u_backup_mx_host_names, right?
>
> If you only do spam checking on the primary MX then, yes, you should add
> the relay MX to the etc/exim/exim4u_backup_mx_rl_host_names file.
> However, that is not nearly as efficient as processing the spam on the
> relay MX server since all of your spam will then otherwise accumulate on
> the relay MX server's mail queue.  Processing the spam on the relay
> server is most efficient since you then will have rejected all of the
> spam during the relay server's smtp connection in the exim ACLs and
> therefore you should not have any spam accumulating in your relay
> server's mail queue.  This is much better especially for folks that
> prefer clean mail queues.
>
> > Is there also an easy way to rely on the DNS MX information? In simple
> > setups it is more administrative work to keep up to date the primary MX
> > both in DNS and in the exim4u database. Maybe one could introduce some
> > keyword in the field for the primary-MX to indicate that exim should
> > rely on DNS MX information? I would appreciate this.
>
> Usually, DNS MX records are not often changed.  In any event, the setup
> as I have described is ultimately more efficient and ensures that all
> spam processing is done during the smtp session with the sending
> servers.  If you rely on DNS MX records for determining the primary
> server and that server changes then, at the very least, you would need
> to disable the primary server's ratelimiting for the relay server.  The
> net benefit of Exim4U's recommended method of processing relay domains
> is that all spam can be processed by the exim ACLs during the smtp
> session so that you don't accumulate lots of spam in your mail queues.
>
> In any event, while I have not tested this, if you want to rely on the
> DNS MX records instead for determining the primary MX server then you can
> try commenting out all lines in the following three routers in
> etc/exim.conf:  relay_MX_direct_SA_off, relay_MX_direct_no_header_mod
> and relay_MX_direct_header_mod. Note that this would also disable spam
> tagging on the relay host.  Again, I have not tested this but it should
> be close to what you have requested.  Give it a try if you would like -
> just do plenty of testing first.  Nevertheless, please consider the
> methodology that I have suggested for ensuring that all spam processing
> is performed during the smtp session. I think that you will find it to
> be a superior method in the long run.
>
> Gordon
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Fri, 18 Feb 2011 22:22:19 -0500
> From: Gordon Dickens <[hidden email]>
> Subject: Re: [Exim4U] malware acl condition: clamd: ClamAV returned
> /var/spool/exim4/scan/XXXX.eml: Can't create temporary directory ERROR
> To: Exim4U General Discussion <[hidden email]>
> Message-ID: <[hidden email]>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 02/18/2011 12:24 PM, Odhiambo Washington wrote:
> >
> > I run clamd as mailnull (the same user Exim runs as).
> > After all, they both process the same mail.
>
> Odhiambo may be onto something here.  I also run clamd and exim as the
> same user in my installations (eg.: I run exim and clamd as user=exim in
> CentOS). So, consider giving that a try. For example with Debian, try
> having clamd run as the Debian-exim user same as exim.
>
> Gordon
>
>
>
>
> ------------------------------
>
> _______________________________________________
> users mailing list
> [hidden email]
> https://exim4u.org/mailman/listinfo/users
>
>
> End of users Digest, Vol 13, Issue 7
> ************************************




Re: spamassassin tag score

gldickens3
Administrator
On 02/26/2011 11:35 AM, Kebba Foon wrote:
> Dear List,
>
> Can someone explain these two files for me on the exim4u web interface:
> Spamassassin tag score:
> Spamassassin discard score:

The tag score and discard score settings allow users and domains to
further customize their installations with more aggressive spamscore
settings on a per user and per domain basis over and above the server
wide SpamRejectScore setting which rejects all spam scores >=
SpamRejectScore at SMTP time. Exim4u discards (to blackhole) all spam
scores >= discard score after the SMTP connection is closed. Likewise,
Exim4u tags all spam scores > tag values upon delivery. When tagging
occurs, the subject header is modified to include the SpamTagText value
such as "[SPAM]" or "[BULK]" which indicates to the user that the mail
is most likely spam.   If a user's spam box is enabled then the tagged
mail will automatically be put in the user's IMAP spam folder on the server.

The discard values and tag values for individual email accounts are
specified under "manage POP/IMAP accounts" within each domain in the web
interface. Likewise, the discard values and tag values for relay domains
are specified under the Domain Administration menu in the web interface
by the site administrator. The recommended
range of values for individual discard scores is 8 to 10. The
recommended range of values for tag scores is 4 to 6.

Also, refer to the comments in:

http://exim4u.org/svn/exim4u_src/trunk/etc/exim/exim4u_global_spam_virus

FYI,

Gordon
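
The three thresholds described in the reply above, modelled as an added example (not part of the original thread and not Exim4U's own code). `SpamPolicy`, `disposition` and `stopped` are hypothetical names, the reject value of 12 and the sample scores are constructed, and placing the tag text at the front of the subject is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SpamPolicy:
    tag_score: float          # per user/domain; the reply recommends 4 to 6
    discard_score: float      # per user/domain; the reply recommends 8 to 10
    reject_score: float       # server-wide SpamRejectScore (constructed value below)
    tag_text: str = "[SPAM]"  # SpamTagText
    spam_box: bool = False    # whether the user's IMAP spam folder is enabled


def disposition(score, subject, policy):
    """Return (action, subject, folder) for one scored message."""
    if score >= policy.reject_score:      # refused during the SMTP session
        return ("reject", subject, None)
    if score >= policy.discard_score:     # accepted, then blackholed
        return ("discard", subject, None)
    if score > policy.tag_score:          # strictly greater, as the reply states
        folder = "spam" if policy.spam_box else "inbox"
        # Assumption: the tag text is prepended to the subject.
        return ("deliver", f"{policy.tag_text} {subject}", folder)
    return ("deliver", subject, "inbox")


def stopped(scores, policy):
    """Count messages that do not arrive untagged in the inbox."""
    clean = ("deliver", "x", "inbox")
    return sum(1 for s in scores if disposition(s, "x", policy) != clean)


# Constructed SpamAssassin scores, including values sitting exactly on a threshold.
SAMPLE_SCORES = [1.2, 4.0, 5.0, 5.1, 7.5, 9.0, 11.9, 12.0, 20.3]

if __name__ == "__main__":
    policy = SpamPolicy(tag_score=5, discard_score=9, reject_score=12, spam_box=True)
    for s in SAMPLE_SCORES:
        print(s, disposition(s, "Quarterly invoice", policy))
    # Lowering the tag score catches more mail (and risks more false positives).
    stricter = SpamPolicy(tag_score=4, discard_score=9, reject_score=12)
    print(stopped(SAMPLE_SCORES, policy), stopped(SAMPLE_SCORES, stricter))
```

Lower tag and discard values act on more mail; a message scoring exactly the tag value is delivered untagged, while one scoring exactly the discard value is dropped.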



