mattdm's questions

A lot of spam is getting through the filter on the mail server I run with the relatively simple trick of starting with few lines of (incredibly obvious) weight loss or other scam text at the top, followed by a larger body of text from programming documentation — or, most evil of all, text scraped from Stack Exchange. At best, Spamassassin regards this as BAYES_50, and it happens that the rest of the messages are constructed carefully enough that they don't hit other triggers. (For example, the headers are minimal and correct.) Often, the included excerpts align closely enough with my legitimate interests that the message overall is scored as BAYES_00, because the very spammy tokens are just overwhelmed by juicy nuggets of sysadmin problem-solving.

The top part is so obviously spammy (and in fact tends to be very similar to previously-received and trained as spam messages) that I'm kind of amazed that it's getting through — but clearly it is. It seems like a separate pass which scored the top 25 (or so) lines of the message and weighed that heavily would solve the problem. Is there a way to do this?

Several people have suggested writing custom regular expressions. I do not want to get into this, as this is a constant losing battle. It's what people did before Bayesian spam sorting came into widespread use, and it was generally terrible. No human can keep up. It's not much more effective than just hitting the delete key for each spam message, and a lot more work on my part.

Bayesian spam filtering works. It even works on this spam, if I split out the "above the fold" portion and just analyze that part, with the decoy / chaff removed. The question is: how can I get Spamassassin to do that?

In one of our compute clusters, we have systems with unique hardware resources to which access is controlled by device-file permissions. Each node has two or four of these, and multiple CPU cores. We'd like to be able to schedule different users' jobs on the same node and restrict access to the properly-assigned resources. (Some queues might even be CPU-only, with no access.)

For a while, we were running with a "hey, pay attention and play nice" policy, but that's hard for everyone to keep straight even with the best intentions. So instead we just schedule the entire node for a given user at a time. This is wasteful for single-threaded, single-process tasks.

With Torque, one can run a prologue script as root before the job starts. This could be made to set the device permissions appropriately. But we're running (née Sun) Grid Engine. That has per-queue prolog scripts, but they runs as the user to whom the job belongs (like Torque's prologue.user), which is no help here.

Is there something obvious I'm missing (I hope), or an alternate way to approach this? I realize that I have the source code and therefore can do anything, but I'm hoping there's a standard way I'm just missing.

Thanks!

NFSv3 is widespread, but the default security model is... quaint. CIFS can use Kerberos authentication, but without POSIX semantics it's a non-starter. AFS never did encrypt traffic on the wire and is krb4 — and basically a dead project. Fancy new experimental filesystems either never materialize or are focused on speed (and if you're lucky, data reliability) — for example, Lustre uses the same client-trust model as NFSv3. For home use, sshfs is nifty, but that sure doesn't scale.

And then of course there's NFSv4, with sec=krb5p. Great in theory, but after ten years, it seems to be troublingly unused in the real world. The Linux client has just now had the experimental tag removed. And if you look at EMC Celerra, Isilon, etc., it's all NFSv3. (Celerra supports NFSv4, but it's really buried in the documentation. Isilon apparently worked at adding the RPCGSS support to FreeBSD, so maybe it's coming, but it's not there now. ) I can't even tag this post as "nfsv4" because I'm new here and that'd be a new tag.

So, really. What are you all doing?