Plesk SpamAssassin or 4PSA Spam Guardian?

[justyxxxx]

oh - that really sucks. At least I know who to blame in this instance - ME. I wasn't even looking while I was backing up - I was trying to stare (ok - undress) someone getting into a car all the while backing up. HA. And hell, I guess I got their attention then. LOL.

And then I checked the mail and got in a Netflix movie and the thing was broken. DANG!

I wonder what will be next . . .

 

[justyxxxx]

Just an update - it appears that some older PSA Spam filter files were conflicting with the 4PSA Spam Filter - but 4PSA fixed it.

It's now running amazingly well - I'm very excited about 4PSA's spam filter. It's really very very good - much better than I'd originally hoped it would be.

 

[spaceout]

...

I've never used the PSA spam filter, so I wouldn't think that could be the problem on my box.

I have started using the IMAP junk_learn folder though, so I'm going to give that a little time to see if it helps the learning process. So far, I've been using it for almost a week and I don't see a noticable change yet.

 

[justyxxxx]

Look in the headers of your junk mail to see if any of them have lines beginning with RCVD_IN or any lines that say stuff like this email is in the blocklist, etc.

If it's not checking blocklists -then that's possibly the problem.

 

[spaceout]

I have seen a few that has "RCVD" but none yet that show specifically "RCVD_IN" or anything about a blocklist. I'll keep looking through them. Here is an example:

X-Spam-Status: Yes, score=6.1 required=6.0 tests=BAYES_50,INVALID_DATE, RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO,SARE_FROM_CAPS_MSN, SARE_SPEC_ROLEX autolearn=no version=3.0.2

And another:

X-Spam-Status: Yes, score=15.4 required=6.0 tests=BAYES_50,FORGED_MUA_OUTLOOK, MIME_BOUND_DD_DIGITS,MISSING_MIMEOLE,MSGID_SPAM_CAPS,RCVD_BY_IP, RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO autolearn=no version=3.0.2

 

[justyxxxx]

Nope - those aren't it. It'll look similar to this in some emails (note the word blocklist, spamcop, etc). If this isn't working, then you're missing out on, in my opinion, the real benefits of spam assassin. Mine is now working properly with the dns blocklists being checked and it's 98% or better detection, whereas before, it was very poor:

X-Spam-Level: **************
X-Spam-Status: Yes, score=14.1 required=2.0 tests=BAYES_95,
DNS_FROM_AHBL_RHSBL,HTML_80_90,HTML_IMAGE_RATIO_02,HTML_MESSAGE,
HTML_TEXT_AFTER_BODY,HTML_TEXT_AFTER_HTML,MIME_HTML_MOSTLY,
MPART_ALT_DIFF,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SBL,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL autolearn=disabled
version=3.0.4
X-Spam-Report:
* 0.1 HTML_80_90 BODY: Message is 80% to 90% HTML
* 0.1 HTML_TEXT_AFTER_BODY BODY: HTML contains text after BODY close tag
* 0.0 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
* 0.0 HTML_TEXT_AFTER_HTML BODY: HTML contains text after HTML close tag
* 1.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 3.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
* [score: 0.9886]
* 0.1 MPART_ALT_DIFF BODY: HTML and text parts are different
* 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
* [Blocked - see <http://www.spamcop.net/bl.shtml?72.11.146.19>]
* 0.1 RCVD_IN_SBL RBL: Received via a relay in Spamhaus SBL
* [72.11.146.19 listed in sbl-xbl.spamhaus.org]
* 0.3 DNS_FROM_AHBL_RHSBL RBL: From: sender listed in dnsbl.ahbl.org
* 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
* [URIs: imglt.com celestialcom.com]
* 2.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
* [URIs: imglt.com celestialcom.com]
* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
* [URIs: imglt.com celestialcom.com]
* 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
* [URIs: celestialcom.com]

 

[spaceout]

If that is not working on my server, can I add those blocklists in my "Enable MAPS Spam Protection" configuration in Plesk...or do I need to do it diffrently since I'm using the 4PSA product?

 

[justyxxxx]

You can - but I recommend tagging them instead because there's always a chance that good emails will be getting deleting by enabling it in MAPS. If you're not seeing some blocklists in the headers, contact 4PSA and they should be able to log into your server and correct the problem. You'll notice a tremendous difference once those are working . . . also, have them check and make sure that your main database's permissions are correct - just to be sure. My main two problems were that the main database permissions weren't correct and so it wasn't reading from it AND the DNS Blocklists queries weren't working. After that - presto - fabulous spam filtering.

 

[justyxxxx]

Also, have them disable auto-whitelists and autolearning. If you're manually training it, then you don't need these. It was just auto-learning a bunch of **** in mine and calling it ham.

 

[spaceout]

Thank you for the help...I feel like I'm heading in the right direction now!

 

[justyxxxx]

Here's a small FAQ that I did for 4PSA SpamGuardian (mine is Red Hat Enterprise 3):

I'd like to explain the things that you might want to check if yours isn't working well - gathered thru my conversations with support and/or some of my own observations:

1. See if autolearn and autowhitelist are disabled. It was auto'ing many bad emails. You can disable them yourself by adding the following two lines somewhere in the /etc/mail/spamassassin/local.cf file:

bayes_auto_learn 0
use_auto_whitelist 0

Then, restart spamd. If done correctly, the headers of emails should begin reporting that autolearn is disabled and you shouldn't be seeing any autowhitelist scores. You may also need to delete the autowhitelists by finding them using this command:

locate auto-whitelist

And then just delete the results that you find.


2. Stop spamd and run:

/usr/bin/spamd -u popuser -D -m 5 -x --virtual-config-dir=/var/qmail/mailnames/l --socketpath=/tmp/spamd_full.sock

And check to see if you see any errors. This is debug mode. Look for permission errors, etc. There was a database permission error in mine causing it to not be reading the bayes database.

3. Make sure that DNSBlocklists are enabled and scoring. You should see lines such as spamcop, RCVD_IN* and words such as blocklists in the headers of some emails. If you're not seeing them in any emails, then something is wrong. In my opinion, this is one of the biggest reasons why mine wasn't scoring SPAM very well. According to 4PSA, it was due to an older perl-Net-DNS file. Some say that enabling Blocklists slows down email a little, and perhaps it does - a very a little, but it hasn't been anything that has delayed my emails for over just a period of a few seconds in most instances. You can add MAPS to Plesk, but then you lose the ability to actually see the email that the blocklists are rejecting. I'd do it all in SpamAssassin - so make sure this feature is enabled and that you see the above words mentioned in some emails.

 

[spaceout]

Thanks for the advice. I have added sbl-xbl.spamhaus.org to the blocklists and it seems to have made a BIG difference so far.

I remember using the MAPS function in Plesk back in Plesk 5 and it never seemed to really work well so I never really paid much attention to the blacklists!

4PSA's SpamGuardian is also doing a little better now that I started using the junk_learn IMAP folder for training. I'll keep monitoring it closely for a couple more days to see what happens.

 

[justyxxxx]

If you're gonna go the MAPS route, then I'm not sure if you're aware of this or not, but you can add multiple entries with a semi-colon:

relays.ordb.org;bl.spamcop.net;sbl-xbl.spamhaus.org

Also - if you had the -Rt0 option in the psasmtp file, then you will probably need to re-add it since Plesk seems to remove this option when updating the MAPS, thus in some cases, slowing down sending of mail via the mail client.

 

[jamesyeeoc]

Originally posted by justyxxxx
If you're gonna go the MAPS route, then I'm not sure if you're aware of this or not, but you can add multiple entries with a semi-colon:

relays.ordb.org;bl.spamcop.net;sbl-xbl.spamhaus.org

Also - if you had the -Rt0 option in the psasmtp file, then you will probably need to re-add it since Plesk seems to remove this option when updating the MAPS, thus in some cases, slowing down sending of mail via the mail client.

I thought the use of semi-colons as separators was a bug and actually prevented rblsmptd to work properly, originally posted with the 7.5.2 release, supposedly fixed in 7.5.3 (my 7.5.3 test server does not use semi-colons). Reference this thread:

http://forums.sw-soft.com/showthread.php?threadid=26239&goto=nextnewest

Did they modify the rblsmtpd in 7.5.4?

 

[justyxxxx]

Originally posted by jamesyeeoc
I thought the use of semi-colons as separators was a bug and actually prevented rblsmptd to work properly, originally posted with the 7.5.2 release, supposedly fixed in 7.5.3 (my 7.5.3 test server does not use semi-colons). Reference this thread:

http://forums.sw-soft.com/showthread.php?threadid=26239&goto=nextnewest

Did they modify the rblsmtpd in 7.5.4?

Actually - I believe that I read that in the Control Panel Help file when I was in the MAPS area and it said that (from my memory - which can't always be trusted).

Also, it did seem to significantly cut down on spam when I had those three enabled and people were asking me - is that thing deleting the spam? So, yes - I believe that it does work with semi-colons - at least from my experience something was working when I enabled multiple MAPS sites.

 

[jamesyeeoc]

I agree that the use of MAPS servers can be effective, and I do use MAPS, but cannot get it to work with the semi-colon separator. As a test (to see any error messages) I run the command at a shell prompt:

# /usr/sbin/rblsmtpd -r sbl-xbl.spamhaus.org;smtp.dnsbl.sorbs.net /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

and get the error:

bash: smtp.dnsbl.sorbs.net: command not found

No matter what 2nd MAPS server I put. But if I change the semi-colon to <space>-r<space> like this:

# /usr/sbin/rblsmtpd -r sbl-xbl.spamhaus.org -r smtp.dnsbl.sorbs.net /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Then it runs fine and does not give any error. This is what leads me to believe that the use of semi-colons is in error.

DOH! (I really need a vacation, my brain must be really slow lately) Unless they have changed the control panel to allow the admin to enter it with ; but then convert it before writing it to the /etc/xinetd.d/smtp_psa file (which was a bug in 7.5.2), but since then I've just manually edited the files, have not tried it again by the cp screen.... can you confirm this?

 

[justyxxxx]

I did it from the MAPS Control Panel and apparently they change it to spaces because my arguments look like this (I added the -Rt0 option). I added those for testing - but I'm removing all but the relays.ordb.org since I prefer the tag route:

server_args = -Rt0 /usr/sbin/rblsmtpd -r relays.ordb.org -r bl.spamcop.net -r sbl-xbl.spamhaus.org /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}

 

[jamesyeeoc]

That's what I thought, I know it was resolved in 7.5.3, but when it first appeared in 7.5.2 they didn't convert the ; to space -r space which caused many people problems...

Maybe I'll go back to using the GUI that I'm paying for and not using for many things

 

[sieb@]

I've had to stop using MAPs altogether because some of my clients (businesses) were on DSL lines where the whole subnet was getting blacklisted daily by Spamhaus.

 

[jamesyeeoc]

That is one of several reasons I do not use MAPS on all servers, just the ones where it does not cause more problems than good.