I would appreciate any guidance that you feel would make my SA setup
stronger. These types of messages (attached) keep squeaking through...
is my setup weak or have I broken something? To the layman's eye, they
look pretty spammy.
I am running v3.0.2 and I just went through all the SARE updates about
2 weeks ago, but these messages still score under my 4.5 threshold for
spam. In my setup they score as follows:

From my experience, the two best ways to catch spam with SpamAssassin are:
1. A thoroughly trained Bayes database. Feed the messages to it, and watch
them get caught! I see at least the first message had a Bayes score of 0.
There's your culprit right there!
2. Collaborative databases like Razor and Pyzor. I'll bet either one
would've caught those messages.
Spammers learn too quickly from the SARE rules for them to be truly
effective; after a while, they become edge cases, not the norm. The Spamcop
top 200 list is nice, but I rarely see spam come from the same source
twice. I ran a test one weekend where I fed all the dictionary-attack spam
that a certain domain I host received (and it gets a LOT of dictionary
attack spam) into a homebrew RBL. It listed thousands of IPs, not a single
one of which made more than one SMTP connection (therefore the homebrew RBL
was a total bust). But there's not much they can do against the mighty
power of Bayes and Razor.
You might also investigate using RBLs at the SMTP level, as long as you
trust them to be accurate. I use the SBL and XBL lists from Spamhaus, and
have never once heard a legitimate complaint about them creating false
positives (and that's at three different providers over 4-5 years). I also
use the bogusmx and DSN lists from rfc-ignorant.org; with those you're running
a higher risk of causing false positives (but honestly, any false positives
you see should simply be addressed with the admin of the responsible network,
because they're just being stupid), but you're also going to catch quite a
bit of spam.
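As an added illustration of the SMTP-level RBL check described above (example code, not from the post or from SpamAssassin itself): the lookup reverses the connecting IP's octets under the list's DNS zone, and only an answer inside 127.0.0.0/8 counts as a listing, with an RFC 5782 sanity check so a dead or wildcarded list cannot silently block all mail. The zone names, the meaning of the 127.0.0.x answers and the stub answers are assumptions; the resolver is injectable so the sample run works offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Assumed zone names (illustrative only); confirm with the list operator.
SBL_ZONE = "sbl.spamhaus.org"
XBL_ZONE = "xbl.spamhaus.org"
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.3 -> 3.2.0.192.<zone>."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup: an A record means a hit, NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Resolver = live_resolver) -> bool:
    """Only answers inside 127.0.0.0/8 are listings; any other answer is a
    broken or wildcarded list and is deliberately NOT treated as a hit."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and ipaddress.ip_address(answer) in LISTED_NET


def zone_is_sane(zone: str, resolve: Resolver = live_resolver) -> bool:
    """RFC 5782 check: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return is_listed("127.0.0.2", zone, resolve) and not is_listed("127.0.0.1", zone, resolve)


# Constructed stub answers so the example runs offline (192.0.2.0/24 is TEST-NET).
STUB: Dict[str, str] = {
    dnsbl_name("127.0.0.2", SBL_ZONE): "127.0.0.2",
    dnsbl_name("127.0.0.2", XBL_ZONE): "127.0.0.4",
    dnsbl_name("192.0.2.3", SBL_ZONE): "127.0.0.2",  # constructed SBL hit
    dnsbl_name("192.0.2.9", XBL_ZONE): "10.0.0.1",   # bogus non-127 answer: ignored
}


def stub_resolver(name: str) -> Optional[str]:
    return STUB.get(name)


def check(ip: str, resolve: Resolver = stub_resolver) -> Dict[str, bool]:
    """Per-zone verdict for one connecting IP; zones failing the sanity check are skipped."""
    return {z: is_listed(ip, z, resolve) for z in (SBL_ZONE, XBL_ZONE) if zone_is_sane(z, resolve)}
```

Pass `live_resolver` to `check` to query the real zones; a zone that fails `zone_is_sane` is dropped from the verdict rather than trusted.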