Spam Admin wrote:
> I've been running SA as our main inbound SMTP gateway in front of our
> GroupWise system for about 18 months now. I process, filter, and quarantine
> for the whole enterprise and do not offer individual user control. I use
> postfix, amavisd, SA w/ Bayes, RDJ, Razor, some minimal SMTP-level RBLs, CA
> anti-virus and sa-learn via IMAP.
>
> Last week I upgraded our system from SA v2.63 to v3.1; I am pleased at how
> well the process went. However, I immediately began to see a lot of false
> positives. Primarily, it seems that v3.1 has increased the BAYES_00 from -4
> to -2.599, and there are a lot of additional checks. With v2.63 I had our
> kill_level set at 3.9; I found virtually zero false positives and low enough
> false negatives to where the user community rarely barked (in fact, it's been
> so successful that when a VP gets a *single* spam it's like the world has
> come to an end...this, in an environment where we get 14M total SMTP
> connections per year!) So, to temporarily resolve this, I bumped our
> kill_level to 5.9 and am monitoring it; my false positives have pretty much
> disappeared. Of course, I've seen a *slight* increase in false negatives
> versus 2.63, so I'll be tuning.
>
> What I'd like to know from the SA group is where did you eventually end up in
> terms of kill levels versus v2.63? Is a bump of two points about right? Did
> you end up removing or adding SMTP-level RBLs and/or RDJs during the
> transition? Any other changes I should consider? Our amount of spam has
> increased DRAMATICALLY over the last 2-3 weeks, plus the processing times
> within the box are going skyward (even on the secondary box still running
> v2.63), so any advice is sincerely appreciated.
>
> Great work guys,

Realistically, every SA version is only tuned with consideration for what happens at the 5.0 score line. The 5.0 score level should yield approximately a 100:1 FN:FP ratio.

The "linearity" of the FN:FP ratio at other scores varies considerably between versions. You can look at the summaries in STATISTICS.txt to get a feel for how a particular version scales.

Another factor to consider is age. 2.63 was pretty old. You probably needed the low score threshold in order to catch a decent amount of spam, since most modern spam would quickly evade 2.63's rules. SA 3.1.0 has fresh rules, and doesn't need aggressive thresholds to catch modern spam.
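
An added example, not part of the original thread: one way to measure how false positives and false negatives trade off at the thresholds mentioned above (3.9, 5.0, 5.9) on a site's own hand-classified mail. It assumes each message still carries SpamAssassin's `X-Spam-Status` header; the sample data is constructed and the function names `parse_score` and `sweep` are hypothetical.

```python
import re

# Constructed sample (not real mail): a hand-assigned label plus the
# X-Spam-Status header that SpamAssassin 3.x adds to a scanned message.
SAMPLE = [
    ("ham",  "X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00"),
    ("ham",  "X-Spam-Status: No, score=0.4 required=5.0 tests=BAYES_00"),
    ("ham",  "X-Spam-Status: No, score=4.2 required=5.0 tests=BAYES_50"),
    ("ham",  "X-Spam-Status: Yes, score=5.3 required=5.0 tests=BAYES_50"),
    ("spam", "X-Spam-Status: No, score=3.1 required=5.0 tests=BAYES_50"),
    ("spam", "X-Spam-Status: No, score=4.5 required=5.0 tests=BAYES_50"),
    ("spam", "X-Spam-Status: Yes, score=5.5 required=5.0 tests=BAYES_99"),
    ("spam", "X-Spam-Status: Yes, score=6.4 required=5.0 tests=BAYES_99"),
    ("spam", "X-Spam-Status: Yes, score=9.8 required=5.0 tests=BAYES_99"),
    ("spam", "X-Spam-Status: Yes, score=12.0 required=5.0 tests=BAYES_99"),
]

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")


def parse_score(header):
    """Extract the numeric score from an X-Spam-Status header line."""
    match = SCORE_RE.search(header)
    if match is None:
        # Unscanned or oversized messages may carry no score; fail loudly
        # rather than silently counting them as score 0.
        raise ValueError("no score= field in header: %r" % header)
    return float(match.group(1))


def sweep(samples, thresholds):
    """Return {threshold: (false_positives, false_negatives)}.

    A message is treated as spam when its score is >= the threshold,
    which is how SpamAssassin applies its required score.
    """
    scored = [(label, parse_score(header)) for label, header in samples]
    results = {}
    for t in thresholds:
        fp = sum(1 for label, s in scored if label == "ham" and s >= t)
        fn = sum(1 for label, s in scored if label == "spam" and s < t)
        results[t] = (fp, fn)
    return results


if __name__ == "__main__":
    for t, (fp, fn) in sweep(SAMPLE, [3.9, 5.0, 5.9]).items():
        print("threshold %.1f: FP=%d FN=%d" % (t, fp, fn))
```

Run against a few thousand hand-sorted messages per version, the same sweep shows how differently each SA release scales away from the 5.0 line.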