<div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 27 Aug 2019 at 15:09, Matus UHLAR - fantomas <<a href="mailto:uhlar@fantomas.sk">uhlar@fantomas.sk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 27.08.19 14:50, Lambert Rots wrote:<br>
>Time difference between amavisd-new and spamassassin checks is +30 minutes.<br>
><br>
>I don't reject spam, spam is set to be discarded:<br>
<br>
>$final_spam_destiny = D_DISCARD; #!!! D_DISCARD / D_REJECT<br>
<br>
so, you don't know of spam that gets discarded, and it's quite possible that<br>
much of spam is dropped before you can scan it again using spamassassin,<br>
correct?<br>
<br></blockquote><div>Well, I know which spam mail gets through ;-)</div><div>Looking at the logs I don't see a lot of messages about discards on amavisd-new but postfix is doing a good job on the blacklist checks (+90/day mails blocked)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
that way, it's quite possible that spam that sneaks in, is "early recipient<br>
based", so it would be rejected half hour later.<br>
<br>
>~amavis/.spamassassin contains:<br>
>-rw------- 1 amavis amavis 40960 Aug 27 07:45 bayes_seen<br>
>-rw------- 1 amavis amavis 1310720 Aug 27 07:45 bayes_toks<br>
>-rw-r--r-- 1 amavis amavis 1869 Aug 16 13:23 user_prefs<br>
<br>
btw, how do you check spam by spamassassin?<br>
for comparing to amavis scores I use<br>
<br>
(cd /tmp; su -s /bin/sh -c 'spamassassin -x' amavis) < file | less<br>
<br></blockquote><div>I configured postfix to save all email messages (dont_remove = 1) so I can work with the 'original' email.</div><div>I copy a message from the saved directory to /tmp using: postcat -hb /var/spool/postfix/saved/<ID> > /tmp/<ID></div><div>Then I run spamassassin as user amavis: su amavis -c 'spamassassin -D -t < /tmp/<ID>'</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
>The user_prefs is just a sample file with only commented/blank lines<br>
<br>
...so the results aren't flawed due to amavis' user_prefs.<br>
<br>
>$ ls -lh /etc/amavisd/<br>
>total 88K<br>
>-rw-r--r-- 1 root root 37K Aug 22 12:22 amavisd.conf<br>
>-rw-r--r-- 1 root root 37K Jul 19 12:32 amavisd.conf.rpmsave<br>
>-rw-r--r-- 1 root root 19 Jul 5 2016 sender_scores_sitewide<br>
>-rw-r--r-- 1 root root 95 Jul 21 2018 whitelist_sender<br>
><br>
>sender_scores_sitewide contains one specific domain with score -5.0 to<br>
>prevent mail from that domain to be accidentally identified as spam.<br>
>whitelist_sender contains my logwatch sender to prevent my logwatch reports<br>
>to be seen as spam.<br>
<br>
I put those into SA's <a href="http://local.cf" rel="noreferrer" target="_blank">local.cf</a>, this way they get the same score when<br>
checked by SA or by amavis.<br>
<br></blockquote><div>Good idea, thanks</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
>> >On Sun, 18 Aug 2019 at 11:59, Matus UHLAR - fantomas <<br>
>> ><a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>> wrote:<br>
>> >> this is also a different issue. Many sites and webs get into blacklist<br>
>> >> after the spam starts spreading, so first (early) recipients don't see<br>
>> >> the mail in blacklist, while late recipients or later checks shows<br>
>> >> blacklists.<br>
<br>
>> On 26.08.19 11:22, Lambert Rots wrote:<br>
>> >Comparing debug logs between Amavisd-new (debug-sa) and spamassassin<br>
>> >directly shows that blacklist checks score 0 with NXDOMAIN replies when<br>
>> >the mail arrives the first time where spamassassin scores +3 with<br>
>> >several hits on blacklist checks.<br>
<br>
>On Mon, 26 Aug 2019 at 15:50, Matus UHLAR - fantomas <<br>
><a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a>> wrote:<br>
>> this shows early recipient issue. What's the time difference<br>
>> between amavis and spamassassin checks?<br>
>> Are there any differences in rules hit than blacklists?<br>
<br>
>> >I just cannot imagine that all spam I receive is early recipient based,<br>
>><br>
>> do you reject any spam?<br>
>><br>
>> >besides, postfix is already taking care of most blacklist checking.<br>
>><br>
>> postfix does only check blacklists on direct sending machine. SA does deep<br>
>> header checks, which is why SA blacklist checks have more hits than<br>
>> postfix.<br>
>><br>
>> >Most spam mail is coming from the same email domains, share the same<br>
>> >subject and a lot of other stuff on which amavisd-new should be able to<br>
>> >identify it as spam. Bayes scores some mail but not all.<br>
>><br>
>> train what you can. bayes training is one of the best antispam tools<br>
>> available.<br>
>><br>
>> >Spam senders try a lot to bypass anti spam but in my opinion amavisd-new<br>
>> >should be able to do better than marking less than 1 percent of spam mail<br>
>> >as spam.<br>
>><br>
>> what does ~amavis/.spamassassin contain?<br>
>> what does /etc/amavis/conf.d/ contain?<br>
<br>
-- <br>
Matus UHLAR - fantomas, <a href="mailto:uhlar@fantomas.sk" target="_blank">uhlar@fantomas.sk</a> ; <a href="http://www.fantomas.sk/" rel="noreferrer" target="_blank">http://www.fantomas.sk/</a><br>
Warning: I wish NOT to receive e-mail advertising to this address.<br>
Warning: I do NOT want to receive any advertising mail at this address.<br>
Saving Private Ryan...<br>
Private Ryan exists. Overwrite? (Y/N)<br>
</blockquote></div></div></div>
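<div>The difference described in the thread between postfix checking blacklists only for the directly sending machine and SpamAssassin's deep header checks, as an added example that is not part of the original messages. The sample message, the zone name dnsbl.example and all function names are constructed for illustration, the topmost Received header is assumed to be the one written by the receiving server, and no DNS lookups are performed.</div>

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the thread); documentation-range IPs.
SAMPLE = """\
Received: from mx.relay.example (mx.relay.example [203.0.113.25])
    by mail.local.example (Postfix) with ESMTP id ABC123
    for <user@local.example>; Tue, 27 Aug 2019 07:15:02 +0200 (CEST)
Received: from webhost.example (unknown [198.51.100.77])
    by mx.relay.example (Postfix) with ESMTP id DEF456;
    Tue, 27 Aug 2019 07:14:58 +0200 (CEST)
Received: from [192.168.1.20] (dsl.example [192.0.2.44])
    by webhost.example with ESMTPA id GHI789;
    Tue, 27 Aug 2019 07:14:55 +0200 (CEST)
From: sender@webhost.example
Subject: constructed example

body
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Simplification (assumption): skip only RFC 1918 and loopback hops.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def relay_ips(raw_message):
    """Public relay IPs from all Received headers, newest hop first."""
    found = []
    for header in message_from_string(raw_message).get_all("Received", []):
        for text in BRACKETED_IPV4.findall(header):
            ip = ipaddress.ip_address(text)
            if text not in found and not any(ip in net for net in NON_PUBLIC):
                found.append(text)
    return found

def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def client_only_queries(raw_message, zone):
    """MTA-level view: only the host that connected to our server."""
    return [dnsbl_name(ip, zone) for ip in relay_ips(raw_message)[:1]]

def deep_header_queries(raw_message, zone):
    """Deep header view: every public hop the message passed through."""
    return [dnsbl_name(ip, zone) for ip in relay_ips(raw_message)]
```

Each name returned is one DNS question; an NXDOMAIN answer at delivery time and a listing half an hour later is the early-recipient effect discussed in the thread.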