Sa-learn -- per user or server-wide?

Discussion in 'General Discussion' started by ncrossland, Dec 19, 2006.

  1. ncrossland

    ncrossland Member

    In an effort to try and improve Spamassassin's detection rates, I've been feeding sa-learn with spam it has missed. I'm doing this as root via SSH.

    I know that SA stores some data on a per-user basis (such as auto-whitelist) etc -- so will whatever SA learns from these messages only be applied to mail coming to root, or will the learning be used across all accounts?
     
  2. bigj

    bigj Well-Known Member

    It's global. Feeding it helps a bit. I frequently implement custom filters in /etc/antivirus.exim when I see unique patterns in subject lines and 'from' addresses that SpamAss won't catch.

    One thing I've noticed is Exim doesn't look at the 'from' address and validate it for valid characters. For example, a message comes in from Tanganyika'sgain@abp.nl.

    Exim won't reject the message, though it should, since there is a single quote in the address. I've received almost 10K of this in a month, so I used the filter set to block anything that has a single quote in the from address.

    I'm sure there is a setting in Exim to catch this, but I hate reading their documentation and I knew how to set up the filters. A bit OT I know, but I had to complain about it :)

    --
    bigj
     
  3. ncrossland

    ncrossland Member

    Thanks. I recently had loads with apostrophes in too. Can you give an example of the filter file you use?

    Another one recently was "Windows Vista is ready to download" - thousands of them!
     
  4. bigj

    bigj Well-Known Member

    The first thing you'll need to do is make sure that in /etc/exim.conf you have a line that looks similar to this:

    #!!# message_filter renamed system_filter
    system_filter = /etc/antivirus.exim


    I believe the first line was already in there and I only had to add the second line. One warning: if you upgrade Exim or make additional changes through the Exim configuration in cPanel, you'll lose the above information if it wasn't already in there. To make it permanent you'll need to place those changes in /etc/exim.conf.dist. The reason I'm not suggesting you write the changes immediately to the dist one is so you have a backup to roll back to in case you have a problem.

    Second thing to do is open up /etc/antivirus.exim and insert something similar to this:

    # Log every match so discarded messages can be audited later.
    logfile /var/log/filter.log 0644
    if
        $header_subject: contains "it's me" or
        $header_subject: contains "Greetings" or
        $header_subject: contains "advice" or
        $header_subject: contains "FINANCIAL REPORT" or
        $header_subject: contains "Alert !" or
        $header_from: contains "'" or
        $header_subject: contains "check this"
    then
        logwrite "$tod_log $message_id from $sender_address contained spam keywords"
        # "seen finish" marks the message as handled with no delivery, so it is silently discarded.
        seen finish
    endif



    A lot of this was taken from here: http://www.webhostgear.com/338.html. It's a decent reference and worth bookmarking.

    Here's a warning though. Be very careful what you filter on. Some of mine in the past were filtering on things like "fwd:" which we both know could catch legit email. I did a search from my MailScanner reporting and determined that nothing but spam was coming in with that for the past 7 days so I felt ok to use it for a day or two. I have since removed it.

    Good luck and let me know if you need anything else.

    --
    bigj
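
The warning above about filtering on strings that also occur in legitimate mail can be checked before a rule goes live. The following is an added example, not part of the thread: it replays the rules from the posted filter over a small set of labelled messages and reports which rules would have discarded wanted mail. Assumptions: the case-insensitive substring test only approximates Exim's `contains`, and the sample messages are constructed (the first sender is the address quoted earlier in the thread).

```python
from email import message_from_string
from email.header import decode_header, make_header

# Rules copied from the filter posted in the thread: (header name, substring).
RULES = [
    ("Subject", "it's me"), ("Subject", "Greetings"), ("Subject", "advice"),
    ("Subject", "FINANCIAL REPORT"), ("Subject", "Alert !"),
    ("From", "'"), ("Subject", "check this"),
]

# Constructed sample corpus: (label, raw message). Not real mail.
SAMPLES = [
    ("spam", "From: Tanganyika'sgain@abp.nl\nSubject: check this out\n\nbody\n"),
    ("spam", "From: offers@example.net\nSubject: FINANCIAL REPORT\n\nbody\n"),
    ("ham", "From: \"Pat O'Neil\" <pat@example.org>\nSubject: Lunch on Friday?\n\nbody\n"),
    ("ham", "From: alice@example.com\nSubject: Need your advice on\n the budget\n\nbody\n"),
    ("ham", "From: bob@example.com\nSubject: Meeting notes\n\nbody\n"),
]

def header_text(msg, name):
    """Decode RFC 2047 words and unfold the header; '' if it is absent."""
    value = str(make_header(decode_header(msg.get(name, ""))))
    return " ".join(value.split())

def matching_rules(raw_message):
    """Rules that fire on one message (assumption: case-insensitive substring)."""
    msg = message_from_string(raw_message)
    return [(h, s) for h, s in RULES if s.lower() in header_text(msg, h).lower()]

def hit_counts(labelled):
    """Per-rule hit counts split by label: {rule: {'ham': n, 'spam': n}}."""
    counts = {rule: {"ham": 0, "spam": 0} for rule in RULES}
    for label, raw in labelled:
        for rule in matching_rules(raw):
            counts[rule][label] += 1
    return counts

def unsafe_rules(labelled):
    """Rules that matched at least one wanted message, in filter order."""
    counts = hit_counts(labelled)
    return [rule for rule in RULES if counts[rule]["ham"] > 0]

if __name__ == "__main__":
    for rule, n in hit_counts(SAMPLES).items():
        print(rule, n)
    print("would discard wanted mail:", unsafe_rules(SAMPLES))
```

On the constructed corpus the `advice` and single-quote rules both hit wanted mail, the latter because `$header_from:` covers the display name as well as the address.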
     
  5. ncrossland

    ncrossland Member

    bigj thanks very much for that :)
     
  6. CoolMike

    CoolMike Well-Known Member

    How are you using Sa-learn to feed spamassassin with spam?

    Michael
     
  7. bigj

    bigj Well-Known Member

    I'm using Chirpy's MailScanner setup (www.configserver.com) so there is an option to run a report on all items marked as spam. I then run through them periodically and mark them as spam in large chunks.

    The stuff that makes it through to my mailbox I move to a folder called spam and then run sa-learn on those as one large bundle every week or so.

    --
    bigj
     