Jump to content

SpamAssassin v3.1.0 on one spam, and v.3.1.1 on another?


Recommended Posts

I think I've pretty much proved the point about dwindling use of this venue...back "in the day," when something like this would go wrong, you'd typically see multiple SC Email users bop in here, each starting their own thread. :-)

When, on the exceedingly few ccurrences, I get spam breaking through the filters I rarely bother to analyse why. I simply report manually and move on. So I wouldn't know if Filter 7 isn't filtering or not. In addition to SpamAssassin I use various RBLs so perhaps they effectively catch any that might be working through Filter 7. Or maybe, as Steven Underwood suggests, Filter 7 is set aside for you and Firefly :)

Andrew

Link to comment
Share on other sites

  • Replies 119
  • Created
  • Last Reply

Top Posters In This Topic

I think filter7 is your personal mail server ;) because I have not received any email from that server in at least several days.

Uh....no. :-)

Steven, from your previous posts, it would seem that your incoming mail profile is a lot different than mine. Perhaps you don't have as many different addresses that have been "exposed" to harvesting in the past.

DT

I was correct...this in from JT:

Sorry, this server is a real problem. It's running again.

Thanks for catching and reporting this.

I'm sticking by my theory, that the email customers aren't bothering to come here much. Although, if we have a total outage (all servers down or unreachable), I imagine that they'll be back.

DT

Edited by DavidT
Link to comment
Share on other sites

Uh....no. :-)

Steven, from your previous posts, it would seem that your incoming mail profile is a lot different than mine. Perhaps you don't have as many different addresses that have been "exposed" to harvesting in the past.

About 2 years ago now, I dumped my most spammed addresses and have been careful with my exiting ones (using spamcop as my main address).

Link to comment
Share on other sites

  • 2 weeks later...
blade5 is not running SA. Reported it to the deputies.

Deputies have nothing to do with the SpamCop.net e-mail system .... All they can do is forward your notification to the only person that can do anything about it ... JT ...

Link to comment
Share on other sites

The SA on blade5 is fine now. I don't have any messages in my mailbox that went through blade5 around the same time as the one you cited, but the headers of messages a few hours before that, and the ones from today all have the proper SA lines, so if there was a problem, it was very brief.

DT

Link to comment
Share on other sites

I just checked the headers on a spam that made it to my inbox that passed through the "filter8" server and there were no SpamAssassin lines.....here are some edited headers for anyone's amusement:

Return-Path: <service8[at]planet.nl>

Delivered-To: x[at]spamcop.net

Received: (qmail 5674 invoked from network); 2 May 2007 14:43:02 -0000

Received: from unknown (192.168.1.101)

by filter8.cesmail.net with QMQP; 2 May 2007 14:43:02 -0000

Received: from xxxxx

by mailgate.cesmail.net with SMTP; 2 May 2007 14:43:01 -0000

Received: by xxxxx (Postfix)

id 864BE2470796; Wed, 2 May 2007 07:43:01 -0700 (PDT)

Received: from psmtp04.wxs.nl (psmtp04.wxs.nl [195.121.247.13])

by xxxxxxx (spam Firewall) with ESMTP id DC7ADD01DFA9

for <x>; Wed, 2 May 2007 07:43:00 -0700 (PDT)

Received: from po07.wxs.nl ([10.94.53.251])

by psmtp04.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.15 (built Nov 14

2006)) with ESMTP id <0JHF00A8P4TMEO[at]psmtp04.wxs.nl> for

x; Wed, 02 May 2007 16:41:46 +0200 (MEST)

Received: from planet.nl ([127.0.0.1])

by po07.wxs.nl (iPlanet Messaging Server 5.2 HotFix 2.07 (built Jun 24 2005))

with ESMTP id <0JHF00JQH4TKCZ[at]po07.wxs.nl> for x; Wed,

02 May 2007 16:41:46 +0200 (MEST)

Received: from [10.94.71.40] (Forwarded-For: 172.22.73.93, [196.201.151.3])

by po07.wxs.nl (mshttpd); Wed, 02 May 2007 07:41:44 -0700

Date: Wed, 02 May 2007 07:41:44 -0700

From: service8[at]planet.nl

Subject: =?iso-8859-1?Q?CONGRATULATIONS=3A_YOU_WON-=A3500=2C000=2E00?=

(can't do a Tracking URL on this one, because it would reveal too much information about my servers, etc.)

Not sure why the source IP isn't on multple BLs...there are active items in the SC reporting history, and plenty of mentions in the email abuse "sightings" NG.

I'll send off a note to JT...it would probably help if others did likewise. The SA process stopped running sometime between 1 May 2007 17:29:01 -0000 and 2 May 2007 01:44:48 -0000 (why the heck won't JT set a proper GMT offset on his boxes? Isn't that a "best practice" for server administration?).

DT

Edited by DavidT
Link to comment
Share on other sites

I just checked the headers on a spam that made it to my inbox that passed through the "filter8" server and there were no SpamAssassin lines.....here are some edited headers for anyone's amusement:

I'll send off a note to JT...it would probably help if others did likewise. The SA process stopped running sometime between 1 May 2007 17:29:01 -0000 and 2 May 2007 01:44:48 -0000 (why the heck won't JT set a proper GMT offset on his boxes? Isn't that a "best practice" for server administration?).

I had one as well and sent the email off to JT. This was an email I had whitelisted anyway, so had no reason to look at it further.

Link to comment
Share on other sites

...and now I think he's fixed the problem....here are some lines from the most recent item in my Held folder:

Received: (qmail 17874 invoked from network); 2 May 2007 17:14:53 -0000

X-spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-26) on filter8

X-spam-Level: *************

X-spam-Status: hits=13.8 tests=INVALID_MSGID,NO_REAL_NAME,

SUBJECT_ENCODED_TWICE,URIBL_AB_SURBL,URIBL_BLACK,URIBL_OB_SURBL,

URIBL_SBL version=3.1.4

Received: from unknown (192.168.1.101)

by filter8.cesmail.net with QMQP; 2 May 2007 17:14:53 -0000

DT

Link to comment
Share on other sites

  • 2 weeks later...

tacking this onto the end of this loooonnnnng topic, because it's releated....

About a week ago, it seems that JT upgraded the SpamAssassin on "filter7" and "filter8" but not on any of the "blade" servers. Here's some evidence:

X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter7

X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter8

X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade1

X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade2.cesmail.net

X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade3.cesmail.net

X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade4

(I've got lots more, but they follow the pattern)

I also happened to receive virtually identical emails sent to me, some of which travelled through "filter" servers and some through "blade" -- look at the differing scoring:

X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade4

X-spam-Level: **

X-spam-Status: hits=2.1 tests=HTML_FONT_BIG,HTML_MESSAGE,J_CHICKENPOX_21,

J_CHICKENPOX_22,J_CHICKENPOX_51 version=3.1.8

X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter7

X-spam-Level:

X-spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.2.0

So the difference in versions in not insignificant. I guess I'll send off a message to JT....I'll let you know if he responds and what he says. He did respond about the servers all thinking that they are in England (the vast majority of servers around the world are configured with an "offset" from GMT, but his aren't....they all show "-0000" as if they were located in Greenwich):

It's a global service, with users all over the world. As long as the

times are correct in an absolute sense, I don't see why they need to be

stamped with the time zone the servers are actually in. That really is

the time in GMT and the majority of our users do not live in the eastern

time zone.

Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong.

DT

Link to comment
Share on other sites

... Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong.
Sorry, not "informed", not a server admin but I do know it makes life a heck of a lot simpler, operating across international time zones, to use a single reference zone and that zone, by tradition, is "zulu" (military parlance), GMT/UTC. Both my providers use it in their time stamps (attblobal.net and iinet.net.au) in (some) server to server transactions - but they (or my mail client?) always display local time in the "From -" (top) line.

The use of GMT time stamps pre-dates the internet by a very long margin by the way. An inheritance from the time of the telegraph I would imagine.

Edited by Farelf
Link to comment
Share on other sites

He did respond about the servers all thinking that they are in England (the vast majority of servers around the world are configured with an "offset" from GMT, but his aren't....they all show "-0000" as if they were located in Greenwich):

Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong.

I'd say it doesn't matter provided the time setting is consistent across all the servers involved and that it is clear which time zone is being referred to. On mine I use GMT and specifically declare it as the +0000 zone.

Andrew

Link to comment
Share on other sites

About a week ago, it seems that JT upgraded the SpamAssassin on "filter7" and "filter8" but not on any of the "blade" servers. Here's some evidence:

X-spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on filter7

X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade1

So the difference in versions in not insignificant.

actually, that statement right there carries more weight than you give it credit for .... bluntly put, installing spamAssassin is not imply a matter of downloading, copying over a single file to the server. it a pretty good sized collection of files, some of which need tailoring. The catch is, this isn't all that's needed. Some of the upgrades in this package also require updates/upgrades to other various software packages, libraries, etc. on that same server. The downside is that by updating/upgrading some of these other items .... other tools/applications are then broken.

There are items on the Forum server that I'd like to upgrade, but I can't ... stuck in the above situation. Actually a bit worse, as I'd be trying to do this remotely, knowing that if I screwed up, made a wrong decision, then it'd be my fault for needing to holler loudly for JT to make a trip to the datacenter to fix my screwup .... and let's be honest, this Forum isn't a money-maker for him <g>

I guess I'll send off a message to JT....I'll let you know if he responds and what he says. He did respond about the servers all thinking that they are in England (the vast majority of servers around the world are configured with an "offset" from GMT, but his aren't....they all show "-0000" as if they were located in Greenwich):

Hmmmmm.....any server admins care to chime in with an informed opinion? I think he's wrong.

Funnily enough, time/date stamping just caught my interest on the Reporting side of the house ... all that data was showing as -0500 which doesn't equate to the location of any (known by me) IronPort hardware ....

Technically, as long as it is tagged correctly, all other time/date handling should calculate out correctly ...

Link to comment
Share on other sites

Here's the response from JT about the different SA versions currently in use on the various servers:

I upgraded the filters initially and let them run for a while as a test of the new version. I actually found that we were running into an error which is pretty well documented by the SpamAssassin guys. I'm waiting for them to fix this error before I upgrade the blades. They're talking like this should be soon.

I suggested that might be worthy of posting to the System News page.

DT

Link to comment
Share on other sites

  • 1 month later...

Here's the latest status, according to headers of mail I've received recently:

SpamAssassin 3.1.8 (2007-02-13)

blade1

blade2

blade3

blade5

blade6

SpamAssassin 3.2.0 (2007-05-01)

blade4

filter7

filter8

So the only change is that blade4 received the same version upgrade that's been running on the "filters" for a while.

DT

Link to comment
Share on other sites

  • 1 month later...

Update: Sometime in the middle of August, it seems that *all* of the blades and filters (the SC email servers) have had a SpamAssassin upgrade as shown in email headers:

X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on *

Was this announced somewhere and I just missed it?

DT

Link to comment
Share on other sites

Not sure if related or not...probably not, but here's an announcement that's currently displaying on the webmail login page:

Aug 27, 2007

[16:50 EDT] During a system upgrade this afternoon, we made a change which let a lot of spam slip through the filters. We are aware of the issue and have fixed things so they should be back to normal. We apologize about the inconvenience.

DT

Link to comment
Share on other sites

Which leads me to wonder how this message with 14 hits made it into my inbox:

Return-Path: &lt;x[at]selekta.com&gt;
Delivered-To: cesmail-net-x[at]cesmail.net
Received: (qmail 5580 invoked from network); 29 Aug 2007 22:05:40 -0000
X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on filter8
X-spam-Level: **************
X-spam-Status: hits=14.0 tests=DC_GIF_UNO_LARGO,EXTRA_MPART_TYPE,
	FROM_LOCAL_NOVOWEL,HTML_MESSAGE,MIME_QP_LONG_LINE,MY_CID_AND_STYLE,
	PART_CID_STOCK,PART_CID_STOCK_LESS,SARE_GIF_ATTACH,T_TVD_FW_GRAPHIC_ID1,
	UNPARSEABLE_RELAY version=3.2.3
Received: from unknown (192.168.1.108)
  by filter8.cesmail.net with QMQP; 29 Aug 2007 22:05:40 -0000
Received: from selekta.com (72.22.11.66)
  by mx71.cesmail.net with SMTP; 29 Aug 2007 22:05:40 -0000
Received: from host-163.121.241.72.tedata.net ([163.121.241.72])
	by selekta.com
	with hMailServer; Wed, 29 Aug 2007 18:05:34 -0400
Received: from mail.global.frontbridge.com (port=10523 helo=xqijjnlqhbat)
	by host-163.121.241.72.tedata.net with smtp
	id 25287-Bew6M07TY-0Q44Qh8
	for x[at]selekta.com; Thu, 30 Aug 2007 01:03:22 +0200
Message-ID: &lt;000f01c7ea88$67aaff20$036de48c[at]xqijjnlqhbat&gt;
From: "Terry" &lt;trkdthnxg[at]thinktwiceinc.com&gt;
To: x[at]selekta.com
Subject: Will want to have paid for one, yet he be obliged: to clamber back in three
Date: Thu, 30 Aug 2007 01:03:22 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0011_01C7EAA1.8CF5C620"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-SpamCop-Checked: 
X-SpamCop-Disposition: Blocked SpamAssassin=14
X-SpamCop-Whitelisted: x[at]selekta.com

The whitelisted address shouldn't affect the blocking, because I get TONS of spam with the whitelisted address in the 'To' field that get put in the HELD folder.

Edited by btech
Link to comment
Share on other sites

Which leads me to wonder how this message with 14 hits made it into my inbox:

The whitelisted address shouldn't affect the blocking, because I get TONS of spam with the whitelisted address in the 'To' field that get put in the HELD folder.

The To: field is irrelevant for the whitelist. Primarily the From: and Return-Path: (the one causing the problem here: <x[at]selekta.com>) are checked.

THe whitelist is why this is in your Inbox.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share


×
×
  • Create New...