I'm running a reasonably small site-wide spamassassin, and I use a site-side bayes db. Spamassassin runs as the user spamd.
I noticed that I got spam last night with no BAYES_XX markup. I looked into it this morning, and discovered that the bayes db only has 47 spam messages in it (nspam from sa-learn --dump magic). It has about 69000 ham. It must have gone from >200 spams at around 11pm last night to <50 this morning, and the only explanation I can think of is that the spam has been expired, but on the other hand this seems odd. Spamassassin learnt 143 messages as spam yesterday (according to my logs). In the same period it learnt 291 as ham. These figures are reasonably representative of the traffic (on weekdays, anyway) Can anyone explain what happened to the bayes db? It's now steadily auto-learning itself back to normal, but we are going to get many more false negatives today I think. Any information/explanation appreciated. Chris PS I think it's extremely unlikely that there's been a concerted attack/mistake by users using sa-learn the wrong way and re-learning the spam as ham. For one thing, spamassassin is called by exim during the smtp phase, and if the e-mail is marked as spam it's never delivered to anyone. For another thing, there's nobody else around that knows what sa-learn is.
