In the last 3 weeks or so, we have started receiving a ton of spam, especially a lot of pharmaceutical ads and some other random nonsense. However, SpamAssassin isn't completely broken. It is actually catching some spam but it's letting a lot go. When I look at the headers in the spam, I see SA is assigning ridiculously low scores to the ones that are getting through but normal scores to the ones it's stopping. Some of the spam that is getting through is actually receiving negative scores, which as I understand it shouldn't even be possible unless the spam is whitelisted somehow.


Here are the SA related headers for a couple of spams that are getting through:
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at veritime.com
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mail2
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=4.9 tests=BAYES_50,HTML_80_90,
 HTML_MESSAGE,PORN_URL_SEX,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
 UPPERCASE_25_50 autolearn=no version=3.0.2
X-Spam-Veritime: Valid

On the surface it does not appear broken. It appears this spammer is good at what they do.

X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at veritime.com
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mail2
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=4.9 tests=BAYES_00 autolearn=ham
 version=3.0.2
X-Spam-Veritime: Valid

On the surface it does not appear broken, but without a sample of the message, it is impossible to say. It appears this spammer is very good at what they do. This message definitely needs to be learned as spam since your Bayes thinks it is ham, but it will take more than Bayes to get it over 4.9 points. Maybe your network tests are timing out. This message fed through
spamassassin -tD < message
will check for that.

I find the DNS server used can have a big impact on network tests, and if you are using something like your ISP's server, or your gateway/firewall, and not a local server running a decent DNS server, that a local caching DNS server can make a difference. I install bind9 and configure it as a caching-only or forwarding server. This article (along with the bind9 manual) helps get it installed on Debian:
http://www.falkotimme.com/howtos/perfect_setup_debian_sarge/index.php
http://www.bind9.net/manual/bind/9.2.4/Bv9ARM.html


As opposed to this one which is a spam message that SA caught:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mail2
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.2 required=4.9 tests=BAYES_99,DIGEST_MULTIPLE,
        DRUGS_ERECTILE,DRUG_DOSAGE,DRUG_ED_CAPS,HELO_DYNAMIC_IPADDR,
        HTML_FONT_BIG,HTML_FONT_SIZE_LARGE,HTML_MESSAGE,HTML_SHOUTING5,
        INVALID_DATE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
        UPPERCASE_25_50 autolearn=spam version=3.0.2
X-Spam-Veritime: Valid
X-Spam-Veritime-Spam: True


At this point I'm considering just wiping out SpamAssassin and reinstalling it fresh and having it relearn all of the spam that we have been saving for a while, but it seems there must be a better solution.
Jeff

Maybe your Bayes could use help, but I kinda don't think wiping out and reinstalling SA will make any difference, because it does not appear broken to me. Does each user have their own Bayes files? If so, you might consider configuring a bayes_path that points to a single database that can be written to by all users. A single database has the advantage that it is a collective knowledge.

I find that on 3.0.x, tweaking Bayes scores can help. This is not needed on 3.1.
These are personally what I use on 3.0.x (and not any of these on 3.1):

score BAYES_00 -2.500
score BAYES_05 -2.000
score BAYES_20 -1.700
score BAYES_40 -0.600
score BAYES_60 1.000
score BAYES_80 1.900
score BAYES_95 2.500
score BAYES_99 3.000
score RAZOR2_CF_RANGE_51_100 0.500
score URIBL_WS_SURBL 2.000
score URIBL_PH_SURBL 2.500
score RCVD_IN_SORBS_HTTP 1.000
score RCVD_IN_SBL 1.000
score RCVD_IN_NJABL_PROXY 1.000
score RCVD_IN_SORBS_MISC 0.500
score RCVD_IN_BL_SPAMCOP_NET 2.000
score RCVD_IN_NJABL_SPAM 2.200
score HTML_WEB_BUGS 1.500

Consider studying the additional rule sets that may be of use for the particular type of spam you are getting.
http://www.rulesemporium.com/
All additional rules will require SpamAssassin to do more work, so be careful and only use the ones that appear to target the spam you are having trouble with.

Gary V
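
An added example, not part of the original thread and not SpamAssassin code: a small triage script that unfolds and parses the three X-Spam-Status headers quoted above and reports why a missed spam stayed under the threshold (Bayes scored it as ham, it was autolearned as ham, or no network test fired). The function names, the finding labels and the NETWORK_PREFIXES grouping are assumptions made for this illustration.

```python
import re

# Prefixes of rules that depend on DNS or a remote service. This grouping is
# an assumption based on the rule names quoted in the thread.
NETWORK_PREFIXES = ("RAZOR2_", "PYZOR_", "DCC_", "DIGEST_", "URIBL_", "RCVD_IN_")

def parse_status(headers):
    """Return the X-Spam-Status fields of a raw header block, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded lines
    m = re.search(r"^X-Spam-Status:\s*(Yes|No),\s*(.*)$", unfolded, re.I | re.M)
    if m is None:
        return None
    kv = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", m.group(2)))
    tests = [t.strip() for t in kv.get("tests", "").split(",") if t.strip()]
    return {"flagged": m.group(1).lower() == "yes",
            "score": float(kv["score"]), "required": float(kv["required"]),
            "tests": tests, "autolearn": kv.get("autolearn", "")}

def triage_missed_spam(headers):
    """Explain why a message known to be spam stayed under the threshold."""
    s = parse_status(headers)
    if s is None or s["flagged"]:
        return None  # no header found, or SpamAssassin already caught it
    findings = []
    bayes = [int(t[6:]) for t in s["tests"] if re.fullmatch(r"BAYES_\d+", t)]
    if bayes and bayes[0] < 50:
        findings.append("bayes-says-ham")      # relearn with sa-learn --spam
    if s["autolearn"] == "ham":
        findings.append("autolearned-as-ham")  # Bayes was trained the wrong way
    if not any(t.startswith(NETWORK_PREFIXES) for t in s["tests"]):
        findings.append("no-network-hits")     # check timeouts: spamassassin -tD
    return {"gap": round(s["required"] - s["score"], 1), "findings": findings}

# The three X-Spam-Status headers quoted in the thread, folding preserved.
MISSED_1 = ("X-Spam-Status: No, score=1.8 required=4.9 tests=BAYES_50,HTML_80_90,\n"
            " HTML_MESSAGE,PORN_URL_SEX,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,\n"
            " UPPERCASE_25_50 autolearn=no version=3.0.2\n")
MISSED_2 = ("X-Spam-Status: No, score=-2.6 required=4.9 tests=BAYES_00 autolearn=ham\n"
            " version=3.0.2\n")
CAUGHT = ("X-Spam-Status: Yes, score=13.2 required=4.9 tests=BAYES_99,DIGEST_MULTIPLE,\n"
          "        DRUGS_ERECTILE,DRUG_DOSAGE,DRUG_ED_CAPS,HELO_DYNAMIC_IPADDR,\n"
          "        HTML_FONT_BIG,HTML_FONT_SIZE_LARGE,HTML_MESSAGE,HTML_SHOUTING5,\n"
          "        INVALID_DATE,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,\n"
          "        UPPERCASE_25_50 autolearn=spam version=3.0.2\n")

if __name__ == "__main__":
    for name, block in (("missed 1", MISSED_1), ("missed 2", MISSED_2), ("caught", CAUGHT)):
        print(name, triage_missed_spam(block))
```
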
