giga328 <giga...@hotmail.com> writes:

> After posting email by webmail interface, message is routed to our outgoing
> SMTP server. It is scanned by spamd from SpamAssassin but it gets a low score.
> Low score is from tests ALL_TRUSTED and/or BAYES_xx and/or AWL.
> I'm not sure if we can remove webmail IP address from trusted networks
> because we can get too many false positives by doing that (as we had in the
> past).
> For low scores BAYES_xx I have idea to lower default scores in cf. Any other
> idea?
> For AWL problem I have one question. If I understood right, AWL is based on
> From address. Is it possible to fast change algorithm of AWL to be based on
> unique combination of From and To addresses? Or maybe on even complicated
> Header-From, Header-To, Envelope-From, Envelope-To tuple? In that way AWL
> will much better track habits of users.
The obvious solution is to ban your users from using Windows and change all the passwords :-) Or get stronger authentication for sending mail.

But seriously: I don't think these mails should be hitting ALL_TRUSTED. Your web server did not really originate them, but received them from some other host over a webmail submission protocol that is really just like SMTP submission in function. So I think the web server should be adding a Received: header to show that, and that would enable spamassassin to look up the previous hop list in RBLs.

If your users are sending slightly spammy mail normally, I think you'll have to work through that separately. Perhaps you may need to drop PBL/dialup type rules, or give them a pass when WEBMAIL_AUTHENTICATED_USER fires (you probably have to write that too). But using ALL_TRUSTED to give authenticated users effectively a free pass seems like asking for trouble, since given bots and compromises authenticated user != legitimate user.

I would not mess with BAYES scores unless you can articulate why they are off. Some spam scores low on bayes, but that doesn't mean it isn't useful. I don't think moving the BAYES_00 scores towards 0 will help separate ham from spam in your case, and what you really need to do is differentially increase the score of spam relative to ham, not just increase it.

AWL applies to the combination of sender and IP address. But, if the Received lines above are missing, then the IP address is probably the webmail server, and you're lumping all the user's mail in together. Or maybe AWL is previous hop and not last untrusted hop. Unfortunately legitimate users show up on different IP addresses, but what of course you really want to avoid is giving negative points to a spammer because they are using the same From: address. Thus a legit user on a new address won't get negative points for their previous mail.
Your basic problem is that from the point of view of the mail system, previously reasonable users are starting to send spam, although perhaps From odd addresses. I would be tempted to write a new test USER_LOW_VOLUME that watches how much mail a particular user has sent and gives a few negative points, and maybe USER_HIGH_VOLUME that goes positive when volume limits are exceeded.
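To make the Received: header point concrete, here is an added example (not code from the thread and not SpamAssassin's own trust-path or AWL implementation). It walks a message's Received: chain from the most recent hop inward, stops at the first relay outside a constructed trusted_networks range, and derives the AWL bucket from the sender address plus that relay's IP masked to /16, which is what AWL does by default for IPv4 (the key string layout here is this example's own). The two messages are constructed: one where the webmail host hands mail to the MX without recording the browser's IP, so every hop is trusted and all of the user's mail lands in one AWL bucket, and one where the webmail host adds a Received: line for the client session, so there is an external hop to look up and a per-client AWL bucket. Hostnames, IPs and the simplification to trusted_networks only (no internal_networks, no hostname checks) are all assumptions.

```python
"""Trust-path walk and AWL bucketing, simplified, for the ALL_TRUSTED discussion.

Added example for this thread, not SpamAssassin's own code: the walk uses
trusted_networks only (no internal_networks, no reverse-DNS checks), and all
hosts, addresses and headers below are constructed.
"""
import ipaddress
import re
from email import message_from_string

# Constructed: the site's own hosts (MX and webmail) live in this range.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Bracketed IPv4 literal inside a Received: header, e.g. "[203.0.113.45]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_message):
    """Relay IPs taken from the Received: headers, most recent hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def last_untrusted_hop(ips):
    """Walk inward from the most recent hop; the first relay outside
    trusted_networks is the one worth checking against RBLs.
    None means every hop was trusted, which is when ALL_TRUSTED fires."""
    for ip in ips:
        if not is_trusted(ip):
            return ip
    return None


def awl_key(sender, ips):
    """Sender address plus originating IP masked to /16 (AWL's IPv4 default);
    the exact string layout is this example's, not AWL's database format."""
    hop = last_untrusted_hop(ips)
    if hop is None:
        return f"{sender.lower()}|ip=none"
    net = ipaddress.ip_network(f"{hop}/16", strict=False)
    return f"{sender.lower()}|ip={net.network_address}"


def assess(raw_message):
    """Summarise what the trust path looks like for one raw message."""
    msg = message_from_string(raw_message)
    ips = received_ips(raw_message)
    hop = last_untrusted_hop(ips)
    return {
        "all_trusted": hop is None,
        "rbl_lookup_ip": hop,
        "awl_key": awl_key(msg["From"], ips),
    }


# Constructed: what the MX sees when the webmail host adds no Received: header.
MSG_NO_CLIENT_HOP = (
    "Received: from webmail.example.com [192.0.2.10]\n"
    "\tby mx.example.com with ESMTP; Mon, 01 Jan 2007 10:00:00 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Constructed: the same message when the webmail host records the browser's IP.
MSG_WITH_CLIENT_HOP = (
    "Received: from webmail.example.com [192.0.2.10]\n"
    "\tby mx.example.com with ESMTP; Mon, 01 Jan 2007 10:00:00 +0000\n"
    "Received: from [203.0.113.45] (webmail session for alice)\n"
    "\tby webmail.example.com with HTTP; Mon, 01 Jan 2007 09:59:58 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("no client hop", MSG_NO_CLIENT_HOP),
                      ("with client hop", MSG_WITH_CLIENT_HOP)):
        print(name, assess(raw))
```

The first message yields all_trusted=True and the bucket alice@example.com|ip=none, so every webmail user with that From: shares one AWL history regardless of where they log in from; the second yields 203.0.113.45 as the hop to look up and a bucket tied to that client's /16, which is the separation the reply above is asking the webmail host to provide.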