sender name same as recipient name


sender name same as recipient name

by feral


Sorry if this is a well-known issue... first I have encountered it.

I am using SA 3.1.9 installed on a CentOS Linux system.

One of my clients just noticed a huge spike in spam getting
through, even though SA is turned on for his email account at
sensitivity level 4.

For the sake of anonymity, let's say my client's domain is blah.com.

His address is mark@blah.com.  99% of the spam emails
he received during this spike were from mark@something.com
(where "something" represents various domains.)

Question: is SA not filtering out these obvious spams because
the name "mark" is the same as the name on my client's
account?

thanks,
Feral

Re: sender name same as recipient name

by John Hardin

On Mon, 24 Sep 2007, feral wrote:

> Question: is SA not filtering out these obvious spams because the
> name "mark" is the same as the name on my client's account?

That depends on the rules in use. If a rule like From =~ /mark\@/ with
a high negative score was defined, sure!

Would it be possible for you to post all of the headers from one of
his false negatives, so we can see what rules are hitting?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
              -- Teflon Mahmoud in a 60 Minutes interview (9/20/2007)
-----------------------------------------------------------------------
 244 days until the Mars Phoenix lander arrives at Mars



Re: sender name same as recipient name

by Luis Hernán Otegui

Hi, feral

2007/9/24, feral <jc@...>:

>
>
> Sorry if this is a well-known issue... first I have encountered it.
>
> I am using SA 3.1.9 installed on a CentOS Linux system.
>
> One of my clients just noticed a huge spike in spam getting
> through, even though SA is turned on for his email account at
> sensitivity level 4.
>
> For the sake of anonymity, let's say my client's domain is blah.com.
>
> His address is mark@....  99% of the spam emails
> he received during this spike were from mark@...
> (where "something" represents various domains.)
>
> Question: is SA not filtering out these obvious spams because
> the name "mark" is the same as the name on my client's
> account?
>
> thanks,
> Feral
>
>
Do you have a sample of these spams? Have you whitelisted something
like "marc@"?
Show us a sample of the spammy messages, with all headers, and
more could be told.

Luis

--
-------------------------------------------------
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-------------------------------------------------

Re: sender name same as recipient name

by feral


The only whitelist addresses I have defined for him
are my own email addresses, plus any address @blah.com.

Here are the headers & bodies of 3 of the spams that got through
(and are continuing to come through at a high rate):

Return-Path: <mark_perryman@hotmail.co.uk>
Delivered-To: 3-mark@blah.com
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on
        localhost.localdomain
X-Spam-Level: *
X-Spam-Status: No, score=1.2 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2
        autolearn=no version=3.1.9
...
From: "mark" <mark@mhcable.com>
To: "mark" <mark@blah.com>
Subject: Anything goes down at these illegal.
Date: Mon, 24 Sep 2007 20:07:47 -0000
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="us-ascii";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

Here ONLY! Hot content! Galleries with HQ-photos and HD-DVD movies. Hurry up!
   http://himhz.com/fa
Join Now!

=======

Return-Path: <mark@dhcocpa.com>
Delivered-To: 3-mark@blah.com
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on
        localhost.localdomain
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2,
        HELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9
...
From: "mark" <mark@dsgworld.com>
To: "mark" <mark@blah.com>
Subject: Gorgeous young hottie getting banged in her asshole
Date: Mon, 24 Sep 2007 18:23:29 -0100
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="us-ascii";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
X-Antivirus: avast! (VPS 000776-0, 24/09/2007), Outbound message
X-Antivirus-Status: Clean

You have never seen this. Get inside and enjoy our models!
    http://jokhome.com/hp
Get Unlimited access now


=========

Return-Path: <mark@dhcocpa.com>
Delivered-To: 3-mark@blah.com
X-Spam-Checker-Version: SpamAssassin 3.1.9 (2007-02-13) on
        localhost.localdomain
X-Spam-Level:
X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
        autolearn=no version=3.1.9
...
From: "mark" <mark@izzard2385.freeserve.co.uk>
To: "mark" <mark@blah.com>
Subject: Hot teen sluts double fuck of highest quality site...
Date: Mon, 24 Sep 2007 23:25:19 +0400
MIME-Version: 1.0
Content-Type: text/plain;
        format=flowed;
        charset="us-ascii";
        reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962

24 Hours a Day, 7 Days a Week, 365 Days a Year -We offer all our Porn content for you.
Check it:  http://jokhome.com/sb1
and get it today..


Re: sender name same as recipient name

by Dave Pooser

> plus any address @blah.com

This is an extremely ill-advised practice; spammers have tried using
@example.com addresses to send to example.com users for years. Hopefully
you're using whitelist_from_rcvd or checking authentication or similar
techniques.

Also, are you using network tests? Assuming your timestamps are accurate all
of these should have hit on one or more URIBL rules.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna



Re: sender name same as recipient name

by feral


Dave Pooser wrote:
> > plus any address @blah.com
>
> This is an extremely ill-advised practice; spammers have tried using
> @example.com addresses to send to example.com users for years. Hopefully
> you're using whitelist_from_rcvd or checking authentication or similar
> techniques.
>
> Also, are you using network tests? Assuming your timestamps are accurate all
> of these should have hit on one or more URIBL rules.
> --
> Dave Pooser

I am a newbie when it comes to SA settings.  I am using a Plesk interface and it doesn't go into this level of detail.  But I am shell savvy and can edit config files.

BUT... how could that 2nd spam example possibly get through with that subject line!!

How do I go about checking/setting:  whitelist_from_rcvd, network tests ?

thanks

Re: sender name same as recipient name

by John Hardin

On Mon, 24 Sep 2007, feral wrote:

> Here are the headers & bodies of 3 of the spams that got through
> (and are continuing to come through at a high rate):

> tests=BAYES_00,HELO_DYNAMIC_IPADDR2
> autolearn=no version=3.1.9

> tests=BAYES_00,HELO_DYNAMIC_IPADDR2,
> HELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9

> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
> autolearn=no version=3.1.9

Observations:

(1) Hardly any rules are hitting.

(2) Everything is getting BAYES_00.

The very first thing to look at is your Bayes database. How are you
training it, and how has it gotten so badly mistrained? Are you using
a Bayes database that is global to all your clients, or per-user Bayes
databases? How are you training? Is the user actually responsible for
training, and the problem is basically their own fault?

Can you run "sa-learn --dump magic" and send us the output?

As Dave said, do you have network tests disabled?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
              -- Teflon Mahmoud in a 60 Minutes interview (9/20/2007)
-----------------------------------------------------------------------
 244 days until the Mars Phoenix lander arrives at Mars
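
The pattern pointed out in the post above (few rules hitting, BAYES_00 on every message, no network rule hits) can be pulled out of saved messages mechanically. This is an added example, not code from the thread: the headers are copied from the three samples posted earlier, and the rule-name prefixes treated as network tests (`NETWORK_PREFIXES`) are an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed input: header lines copied from the three samples posted in the
# thread, trimmed to the fields used here (folded lines kept as posted).
SAMPLES = [
    'X-Spam-Status: No, score=1.2 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2\n'
    '\tautolearn=no version=3.1.9\n'
    'From: "mark" <mark@mhcable.com>\n'
    'To: "mark" <mark@blah.com>\n\n',
    'X-Spam-Status: No, score=3.4 required=4.0 tests=BAYES_00,HELO_DYNAMIC_IPADDR2,\n'
    '\tHELO_DYNAMIC_SPLIT_IP autolearn=no version=3.1.9\n'
    'From: "mark" <mark@dsgworld.com>\n'
    'To: "mark" <mark@blah.com>\n\n',
    'X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16\n'
    '\tautolearn=no version=3.1.9\n'
    'From: "mark" <mark@izzard2385.freeserve.co.uk>\n'
    'To: "mark" <mark@blah.com>\n\n',
]

# Assumption: rule names starting with these prefixes come from network tests.
NETWORK_PREFIXES = ("URIBL_", "RCVD_IN_", "RAZOR2_", "PYZOR_", "DCC_")
NUM = r"(-?\d+(?:\.\d+)?)"


def parse_status(raw):
    """Parse an X-Spam-Status value, including one folded across lines."""
    # A fold right after a comma splits the tests list: rejoin without a space.
    value = re.sub(r",\s+", ",", raw)
    # Any other fold separates fields: collapse to a single space.
    value = " ".join(value.split())
    score = re.search(r"score=" + NUM, value)
    required = re.search(r"required=" + NUM, value)
    tests = re.search(r"tests=(\S*)", value)
    if not (score and required and tests):
        raise ValueError("not an X-Spam-Status value: %r" % raw)
    names = [t for t in tests.group(1).split(",") if t and t != "none"]
    return {
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "tests": names,
    }


def split_addr(header_value):
    """Return (local part, domain) of the address in a From/To header."""
    addr = parseaddr(header_value or "")[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain


def triage(raw_messages):
    """Summarise rule hits across messages that were delivered as non-spam."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        row = parse_status(msg["X-Spam-Status"] or "")
        from_local, from_domain = split_addr(msg["From"])
        to_local, to_domain = split_addr(msg["To"])
        row["network"] = [t for t in row["tests"] if t.startswith(NETWORK_PREFIXES)]
        # Same local part, different domain: the pattern from the first post.
        row["same_local_part"] = bool(from_local) and (
            from_local == to_local and from_domain != to_domain
        )
        rows.append(row)

    total = len(rows)
    summary = {
        "messages": total,
        "bayes_00": sum("BAYES_00" in r["tests"] for r in rows),
        "network_hits": sum(bool(r["network"]) for r in rows),
        "same_local_part": sum(r["same_local_part"] for r in rows),
        "rows": rows,
        "findings": [],
    }
    if total and summary["bayes_00"] == total:
        summary["findings"].append(
            "BAYES_00 on every message: check how Bayes is trained "
            "(sa-learn --dump magic as the user who owns the database)"
        )
    if total and summary["network_hits"] == 0:
        summary["findings"].append(
            "no network rule hit on any message: check that network tests run"
        )
    if total and summary["same_local_part"] == total:
        summary["findings"].append(
            "sender local part equals recipient local part on every message"
        )
    return summary


if __name__ == "__main__":
    result = triage(SAMPLES)
    for row in result["rows"]:
        print(row["score"], row["required"], ",".join(row["tests"]))
    for finding in result["findings"]:
        print("*", finding)
```
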




Re: sender name same as recipient name

by feral


RE: training.  I don't know.  My experience w/ SA is that
it just works and I haven't dealt with it at this level yet.
What is strange is that SA appeared to be working fine
for my client, then all of the sudden this spike in spam
occurred... and as I said, 99% of the spams have the
sender name same as recipient name (see original post).

Below is the result of sa-learn -D --dump magic.  I see
that "bayes: no dbs present" ... that looks bad.  Maybe
this SA was not installed properly.  Thanks for your help.

[24475] dbg: logger: adding facilities: all
[24475] dbg: logger: logging level is DBG
[24475] dbg: generic: SpamAssassin version 3.1.9
[24475] dbg: config: score set 0 chosen.
[24475] dbg: util: running in taint mode? yes
[24475] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[24475] dbg: util: PATH included '/sbin', keeping
[24475] dbg: util: PATH included '/bin', keeping
[24475] dbg: util: PATH included '/usr/local/sbin', keeping
[24475] dbg: util: PATH included '/usr/local/bin', keeping
[24475] dbg: util: PATH included '/sbin', keeping
[24475] dbg: util: PATH included '/bin', keeping
[24475] dbg: util: PATH included '/usr/sbin', keeping
[24475] dbg: util: PATH included '/usr/bin', keeping
[24475] dbg: util: PATH included '/usr/X11R6/bin', keeping
[24475] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[24475] dbg: util: final PATH set to: /sbin:/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
[24475] dbg: message: ---- MIME PARSER START ----
[24475] dbg: message: main message type: text/plain
[24475] dbg: message: parsing normal part
[24475] dbg: message: added part, type: text/plain
[24475] dbg: message: ---- MIME PARSER END ----
[24475] dbg: dns: is Net::DNS::Resolver available? yes
[24475] dbg: dns: Net::DNS version: 0.48
[24475] dbg: config: using "/etc/mail/spamassassin" for site rules pre files
[24475] dbg: config: read file /etc/mail/spamassassin/init.pre
[24475] dbg: config: read file /etc/mail/spamassassin/v310.pre
[24475] dbg: config: read file /etc/mail/spamassassin/v312.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009" for sys rules pre files
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009" for default rules dir
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org.cf
[24475] dbg: config: using "/etc/mail/spamassassin" for site rules dir
[24475] dbg: config: read file /etc/mail/spamassassin/local.cf
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::URIDNSBL from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x8bc694c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Hashcash from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Hashcash=HASH(0x8b86890)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::SPF from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::SPF=HASH(0x8c060b4)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Pyzor from @INC
[24475] dbg: pyzor: network tests on, attempting Pyzor
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Pyzor=HASH(0x8c1fed0)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
[24475] dbg: razor2: razor2 is not available
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x8c3db44)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
[24475] dbg: reporter: network tests on, attempting SpamCop
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x8cbbc20)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::AWL from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::AWL=HASH(0x8cde6ec)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::AutoLearnThreshold from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::AutoLearnThreshold=HASH(0x8ce8e2c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::WhiteListSubject from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::WhiteListSubject=HASH(0x8cec704)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::MIMEHeader from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::MIMEHeader=HASH(0x8cff50c)
[24475] dbg: plugin: loading Mail::SpamAssassin::Plugin::ReplaceTags from @INC
[24475] dbg: plugin: registered Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x8cf5c58)
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/empty.pre
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/empty.pre" for included file
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/10_misc.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/10_misc.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/10_misc.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_advance_fee.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_advance_fee.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_advance_fee.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_anti_ratware.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_anti_ratware.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_anti_ratware.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_body_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_body_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_body_tests.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_compensate.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_compensate.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_compensate.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_dnsbl_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_dnsbl_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_dnsbl_tests.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_drugs.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_drugs.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_drugs.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_fake_helo_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_fake_helo_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_fake_helo_tests.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_head_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_head_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_head_tests.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_html_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_html_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_html_tests.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_meta_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_meta_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_meta_tests.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_net_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_net_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_net_tests.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_phrases.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_phrases.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_phrases.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_porn.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_porn.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_porn.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_ratware.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_ratware.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_ratware.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_uri_tests.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/20_uri_tests.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/20_uri_tests.cf
[24475] dbg: config: adding redirector regex: /^http:\/\/chkpt\.zdnet\.com\/chkpt\/\w+\/(.*)$/i
[24475] dbg: config: adding redirector regex: /^http:\/\/www(?:\d+)?\.nate\.com\/r\/\w+\/(.*)$/i
[24475] dbg: config: adding redirector regex: /^http:\/\/.+\.gov\/(?:.*\/)?externalLink\.jhtml\?.*url=(.*?)(?:&.*)?$/i
[24475] dbg: config: adding redirector regex: /^http:\/\/redir\.internet\.com\/.+?\/.+?\/(.*)$/i
[24475] dbg: config: adding redirector regex: /^http:\/\/(?:.*?\.)?adtech\.de\/.*(?:;|\|)link=(.*?)(?:;|$)/i
[24475] dbg: config: adding redirector regex: m'^http.*?/redirect\.php\?.*(?<=[?&])goto=(.*?)(?:$|[&#])'i
[24475] dbg: config: adding redirector regex: m'^https?:/*(?:[^/]+\.)?emf\d\.com/r\.cfm.*?&r=(.*)'i
[24475] dbg: config: adding redirector regex: m'/(?:index.php)?\?.*(?<=[?&])URL=(.*?)(?:$|[&#])'i
[24475] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/url\?.*?(?<=[?&])q=(.*?)(?:$|[&#])'i
[24475] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])site:(.*?)(?:$|%20|[\s+&#])'i
[24475] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/search\?.*?(?<=[?&])q=[^&]*?(?<=%20|..[=+\s])(?:"|%22)(.*?)(?:$|%22|["\s+&#])'i
[24475] dbg: config: adding redirector regex: m'^http:/*(?:\w+\.)?google(?:\.\w{2,3}){1,2}/translate\?.*?(?<=[?&])u=(.*?)(?:$|[&#])'i
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/23_bayes.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/23_bayes.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/23_bayes.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_accessdb.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_accessdb.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_accessdb.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_antivirus.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_antivirus.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_antivirus.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_body_tests_es.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_body_tests_es.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_body_tests_es.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_body_tests_pl.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_body_tests_pl.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_body_tests_pl.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_dcc.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_dcc.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_dcc.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_dkim.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_dkim.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_dkim.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_domainkeys.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_domainkeys.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_domainkeys.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_hashcash.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_hashcash.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_hashcash.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_pyzor.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_pyzor.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_pyzor.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_razor2.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_razor2.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_razor2.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_replace.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_replace.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_replace.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_spf.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_spf.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_spf.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_textcat.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_textcat.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_textcat.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_uribl.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/25_uribl.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/25_uribl.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_de.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_de.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_de.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_fr.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_fr.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_fr.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_nl.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_nl.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_nl.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_pl.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_pl.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_pl.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_pt_br.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_pt_br.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/30_text_pt_br.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/50_scores.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/50_scores.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/50_scores.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_awl.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/60_awl.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_awl.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_dk.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_dk.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_dk.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_dkim.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_dkim.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_dkim.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_spf.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_spf.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_spf.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_subject.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_subject.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/60_whitelist_subject.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/70_iadb.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/70_iadb.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/70_iadb.cf
[24475] dbg: plugin: fixed relative path: /var/lib/spamassassin/3.001009/updates_spamassassin_org/80_additional.cf
[24475] dbg: config: using "/var/lib/spamassassin/3.001009/updates_spamassassin_org/80_additional.cf" for included file
[24475] dbg: config: read file /var/lib/spamassassin/3.001009/updates_spamassassin_org/80_additional.cf
[24475] dbg: plugin: Mail::SpamAssassin::Plugin::ReplaceTags=HASH(0x8cf5c58) implements 'finish_parsing_end'
[24475] dbg: replacetags: replacing tags
[24475] dbg: replacetags: done replacing tags
[24475] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
[24475] dbg: config: score set 1 chosen.
[24475] dbg: bayes: no dbs present, cannot tie DB R/O: /root/.spamassassin/bayes_toks
ERROR: Bayes dump returned an error, please re-run with -D for more information

RE: sender name same as recipient name

by Leon Kolchinsky

> RE: training.  I don't know.  My experience w/ SA is that
> it just works and I haven't dealt with it at this level yet.
> What is strange is that SA appeared to be working fine
> for my client, then all of the sudden this spike in spam
> occurred... and as I said, 99% of the spams have the
> sender name same as recipient name (see original post).
>


As Dave said, it seems that your problem is in whitelist configuration. Please use whitelist_from_rcvd instead of whatever you are using.


Leon Kolchinsky

Re: sender name same as recipient name

by John Hardin

On Mon, 24 Sep 2007, feral wrote:

> RE: training.  I don't know.  My experience w/ SA is that
> it just works and I haven't dealt with it at this level yet.
> What is strange is that SA appeared to be working fine
> for my client, then all of the sudden this spike in spam
> occurred... and as I said, 99% of the spams have the
> sender name same as recipient name (see original post).
>
> Below is the result of sa-learn -D --dump magic.  I see
> that "bayes: no dbs present" ... that looks bad.  Maybe
> this SA was not installed properly.  Thanks for your help.

> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> /root/.spamassassin/bayes_toks
> [24475] dbg: config: score set 1 chosen.
> [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> /root/.spamassassin/bayes_toks

This doesn't look like global bayes, and I don't use per-user so my
advice may be a little inaccurate...

Is there a .spamassassin subdirectory in that user's home directory?
Does it have bayes_* files?

If so, log in as that user (e.g. "su - mark") and run "sa-learn --dump
magic" and see what the ham/spam token balance looks like.

You should try to find out how bayes is being trained. I still think
your problem stems (at least partly) from badly mistrained bayes.

As others have suggested, make sure you are *not* using
"whitelist_from". That particular option is a last-resort fallback
option because it's so easy to bypass through forgery. However, as the
header samples you posted did not say a whitelist rule was hitting,
and the scores were not large and negative, that's probably not a
cause of this particular problem.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@...    FALaholic #11174     pgpk -a jhardin@...
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Pelley: Will you pledge not to test a nuclear weapon?
  Ahmadeinejad: CIA! Secret prison in Europe! Abu Ghraib!
                   -- Mahmoud Ahmadeinejad clumsily dodges a question
                                    (60 minutes interview, 9/20/2007)
-----------------------------------------------------------------------
 243 days until the Mars Phoenix lander arrives at Mars


RE: sender name same as recipient name

by John Hardin

On Tue, 25 Sep 2007, Leon Kolchinsky wrote:

> As Dave said, it seems that your problem is in whitelist
> configuration. Please use whitelist_from_rcvd instead of whatever
> you are using.

How so? The samples he posted did not say that whitelist rules were
hitting.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/


Re: sender name same as recipient name

by feral


John D. Hardin wrote:
> On Mon, 24 Sep 2007, feral wrote:
>
> > RE: training.  I don't know.  My experience w/ SA is that
> > it just works and I haven't dealt with it at this level yet.
> > What is strange is that SA appeared to be working fine
> > for my client, then all of the sudden this spike in spam
> > occurred... and as I said, 99% of the spams have the
> > sender name same as recipient name (see original post).
> >
> > Below is the result of sa-learn -D --dump magic.  I see
> > that "bayes: no dbs present" ... that looks bad.  Maybe
> > this SA was not installed properly.  Thanks for your help.
>
> > [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> > /root/.spamassassin/bayes_toks
> > [24475] dbg: config: score set 1 chosen.
> > [24475] dbg: bayes: no dbs present, cannot tie DB R/O:
> > /root/.spamassassin/bayes_toks
>
> This doesn't look like global bayes, and I don't use per-user so my
> advice may be a little inaccurate...
>
> Is there a .spamassassin subdirectory in that user's home directory?
> Does it have bayes_* files?
>
> If so, log in as that user (e.g. "su - mark") and run "sa-learn --dump
> magic" and see what the ham/spam token balance looks like.
>
> You should try to find out how bayes is being trained. I still think
> your problem stems (at least partly) from badly mistrained bayes.
>
> As others have suggested, make sure you are *not* using
> "whitelist_from". That particular option is a last-resort fallback
> option because it's so easy to bypass through forgery. However, as the
> header samples you posted did not say a whitelist rule was hitting,
> and the scores were not large and negative, that's probably not a
> cause of this particular problem.
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/

There is a .spamassassin subdirectory, but it doesn't have anything in it.
I suspect that SA was not installed properly on this server.  I am using
a VPS with Plesk and per-user preferences is selected, so I should be
able to configure SA on a per-user basis.  I'm going to bug my server
provider for help on this... it's their responsibility to properly install SA.

Whatever the case, global bayes or not, or even bayes or not, how could
an email with the obvious porn words in the subject (as in my examples)
NOT get flagged?

thanks
JC

Re: sender name same as recipient name

by John Hardin

On Tue, 25 Sep 2007, feral wrote:

> Whatever the case, global bayes or not, or even bayes or not, how
> could an email with the obvious porn words in the subject (as in
> my examples) NOT get flagged?

If bayes was mistrained to consider such words hammy, then BAYES_00
could drag the score back down below the threshold, cancelling out the
points added by HOT_NASTY and PORN_16.

One response would be to make the HOT_NASTY and PORN_16 rules "poison
pills" by raising their scores well above the threshold (i.e. to 20 or
30 or even 100) - but you would have to *really trust* those rules to
do that.

And I note that those rules didn't even hit on your first two
examples.

Both of the domains in those spams are listed in SURBL (but may not
have been at the time you received them). URIBL network tests probably
would have hit.

So it looks to me like two major problems are present:

1) mistrained bayes

2) no network tests occurring (DNS RBLs, URI BLs, razor, etc.)

And possibly:

3) not enough rules - add some from SARE?
http://www.rulesemporium.com

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/





Re: sender name same as recipient name

by feral


John D. Hardin wrote:
> On Tue, 25 Sep 2007, feral wrote:
>
> > Whatever the case, global bayes or not, or even bayes or not, how
> > could an email with the obvious porn words in the subject (as in
> > my examples) NOT get flagged?
>
> If bayes was mistrained to consider such words hammy, then BAYES_00
> could drag the score back down below the threshold, cancelling out the
> points added by HOT_NASTY and PORN_16.
>
> One response would be to make the HOT_NASTY and PORN_16 rules "poison
> pills" by raising their scores well above the threshold (i.e. to 20 or
> 30 or even 100) - but you would have to *really trust* those rules to
> do that.
>
> And I note that those rules didn't even hit on your first two
> examples.
>
> Both of the domains in those spams are listed in SURBL (but may not
> have been at the time you received them). URIBL network tests probably
> would have hit.
>
> So it looks to me like two major problems are present:
>
> 1) mistrained bayes
>
> 2) no network tests occurring (DNS RBLs, URI BLs, razor, etc.)
>
> And possibly:
>
> 3) not enough rules - add some from SARE?
> http://www.rulesemporium.com
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/

X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
        autolearn=no version=3.1.9

So BAYES_00 brought the score down to negative .6 ?  Methinks the BAYES is not
even functional (database absent).

How do I enable network tests?

thanks



Re: sender name same as recipient name

by McDonald, Dan

On Tue, 2007-09-25 at 11:38 -0700, feral wrote:

>
>
> John D. Hardin wrote:
> >
> > On Tue, 25 Sep 2007, feral wrote:
> >
> >> Whatever the case, global bayes or not, or even bayes or not, how
> >> could an email with the obvious porn words in the subject (as in
> >> my examples) NOT get flagged?
> >
> > If bayes was mistrained to consider such words hammy, then BAYES_00
> > could drag the score back down below the threshold, cancelling out the
> > points added by HOT_NASTY and PORN_16.
> >
>
> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
>         autolearn=no version=3.1.9
>
> So BAYES_00 brought the score down to negative .6 ?  Methinks the BAYES is
> not even functional (database absent).
>
> How do I enable network tests?

basically, ensure it can resolve DNS.  You can force it with

dns_available yes
use_bayes_rules

If you want to turn bayes off:

use_bayes 0

or maybe:

use_bayes_rules 0 (if you want it to attempt to continue to update the
bayes database)



>
> thanks
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com

Re: sender name same as recipient name

by John Hardin

On Tue, 25 Sep 2007, feral wrote:

> X-Spam-Status: No, score=-0.6 required=4.0 tests=BAYES_00,HOT_NASTY,PORN_16
>         autolearn=no version=3.1.9
>
> So BAYES_00 brought the score down to negative .6 ?

Probably.

> Methinks the BAYES is not even functional (database absent).

It wouldn't give you BAYES_00 (high confidence ham) if that were the
case. You'd either see BAYES_50 or no BAYES_* hits at all.
 
> How do I enable network tests?

They should be enabled by default, you explicitly DISable them.

Look for the command line that starts SA. If "-L" or "--local"  
appears, network tests have been disabled.

You may be able to check this using "ps -fax" to see what the
currently-running SA instance has for its command line.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/


Re: sender name same as recipient name

by John Hardin

On Tue, 25 Sep 2007, feral wrote:

> How do I enable network tests?

...and make sure your DNS on that box is configured and working, and
you will probably want to install a local caching DNS server as well.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/


Re: sender name same as recipient name

by feral


Hmmm... deepest thread here w/ John Hardin somehow got
broken... nabble hiccup?

So I am posting response here:

Daniel McDonald wrote:
> basically, ensure it can resolve DNS.  You can force it with
>
> dns_available yes
> use_bayes_rules
>
> If you want to turn bayes off:
>
> use_bayes 0
>
> or maybe:
>
> use_bayes_rules 0 (if you want it to attempt to continue to update the
> bayes database)

Where is this configuration file?

John Hardin wrote:
> > How do I enable network tests?
>
> They should be enabled by default, you explicitly DISable them.
>
> Look for the command line that starts SA. If "-L" or "--local"
> appears, network tests have been disabled.
>
> You may be able to check this using "ps -fax" to see what the
> currently-running SA instance has for its command line.

/usr/bin/spamd --username=popuser --daemonize --nouser-config --helper-home-dir=/var/qmail --max-children 1 --create-prefs --virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin --pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock

Evan Platt wrote:
> Edit your spamd start-up script, or start-up options file (depending on which OS you're running, these may be different). There should be a -L or --local switch in that file. Remove it to enable network tests.

What are the file names?

thanks

Re: sender name same as recipient name

by McDonald, Dan

On Tue, 2007-09-25 at 12:15 -0700, feral wrote:

>
> Hmmm... deepest thread here w/ John Hardin somehow got
> broken... nabble hiccup?
>
> So I am posting response here:
>
> Daniel McDonald wrote:
>
>
> > basically, ensure it can resolve DNS.  You can force it with
> >
> > dns_available yes
[...]
> Where is this configuration file?

On my box, /etc/mail/spamassassin/local.cf

but if /etc/resolv.conf doesn't have any dns servers, it won't work anyway...
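
The checks suggested in the replies above (which rules hit in X-Spam-Status, a -L/--local switch on the spamd command line, name servers in /etc/resolv.conf), combined into one triage function. This is an added example, not code from the thread or from SpamAssassin; the header and command line are the ones posted above, while the resolv.conf text, the rule-prefix list and the finding codes are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed, non-exhaustive prefixes of SpamAssassin rules that need the network.
NETWORK_RULE_PREFIXES = ("RCVD_IN_", "URIBL_", "RAZOR2_", "PYZOR_", "DCC_")

# Header and spamd command line as posted in the thread.
HEADER = ("X-Spam-Status: No, score=-0.6 required=4.0 "
          "tests=BAYES_00,HOT_NASTY,PORN_16\n        autolearn=no version=3.1.9")
SPAMD_CMDLINE = (
    "/usr/bin/spamd --username=popuser --daemonize --nouser-config "
    "--helper-home-dir=/var/qmail --max-children 1 --create-prefs "
    "--virtual-config-dir=/var/qmail/mailnames/%d/%l/.spamassassin "
    "--pidfile=/var/run/spamd/spamd_full.pid --socketpath=/tmp/spamd_full.sock")
# Constructed resolv.conf text: the only nameserver line is commented out.
RESOLV_CONF = "; constructed sample\nsearch example.invalid\n# nameserver 192.0.2.53\n"


def parse_spam_status(header):
    """Parse a (possibly folded) X-Spam-Status header into a dict."""
    text = re.sub(r"\s*\n\s+", " ", header.strip())  # unfold continuation lines
    text = re.sub(r",\s+", ",", text)                 # rejoin a folded tests= list
    m = re.match(r"(?:X-Spam-Status:\s*)?(Yes|No),\s*(.*)", text, re.I)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group(2)))
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {"is_spam": m.group(1).lower() == "yes", "score": float(fields["score"]),
            "required": float(fields["required"]), "tests": tests}


def spamd_disables_network(cmdline):
    """True if the spamd command line carries the -L or --local switch."""
    return any(arg in ("-L", "--local") for arg in shlex.split(cmdline)[1:])


def nameservers(resolv_conf_text):
    """Return the addresses on active 'nameserver' lines of resolv.conf text."""
    found = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":  # '#'/';' lines never match
            found.append(parts[1])
    return found


def triage(header, cmdline, resolv_conf_text):
    """Return finding codes for one message plus the host's spamd/DNS setup."""
    status = parse_spam_status(header)
    findings = []
    if spamd_disables_network(cmdline):
        findings.append("spamd_local_only")         # -L/--local on the command line
    if not nameservers(resolv_conf_text):
        findings.append("no_nameserver")            # DNS-based tests cannot resolve
    if not any(t.startswith(NETWORK_RULE_PREFIXES) for t in status["tests"]):
        findings.append("no_network_rule_hits")     # nothing network-based fired
    if "BAYES_00" in status["tests"] and not status["is_spam"]:
        findings.append("bayes_00_on_ham_verdict")  # review how Bayes was trained
    return findings


if __name__ == "__main__":
    print(triage(HEADER, SPAMD_CMDLINE, RESOLV_CONF))
```

On the thread's own inputs the command line carries no -L/--local, so the findings point at DNS resolution and Bayes training rather than at the spamd start-up options.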
