Thanks for the answers

> Subject: RE: Problems with high spam
> From: guent...@rudersport.de
> To: users@spamassassin.apache.org
> Date: Fri, 18 Sep 2009 23:45:22 +0200
>
> On Fri, 2009-09-18 at 16:13 -0500, Jose Luis Marin Perez wrote:
> > > > 512 MB Ram
> > >
> > > Ouch -- that server could go with some RAM, don't you think? No hard
> > > numbers, but given your 10k+ messages a day, I guess that's about the
> > > bare minimum.
> > >
> > > Oh, you mentioned yesterday running ClamAV, too. Yes, that is low. Hope
> > > you don't hit swap yet.
> >
> > For more than 10000 emails a day how much memory should be the server?
> > as one can calculate the amount of memory needed?
>
> That depends on mail spikes, processing times, how you call SA, other
> applications (like ClamAV), and whether or not you hit swap. You didn't
> answer that.

This server has just installed SpamAssassin and is called from another server using Simscan (with Qmail + Vpopmail + ClamAV). The average number of emails scanned per hour is approximately 500, but I imagine there must be some hours when more emails arrive. Do you think increasing to 2 GB of RAM is enough?

> > > > skip_rbl_checks 1
> > >
> > > You *disabled* DNS BL checks. Enabling them should drastically improve
> > > results. You'd likely want a local, caching nameserver.
> >
> > In qmail-smtpd rblsmtpd option is used, is equivalent to DNS BL checks
> > of SpamAssassin?
>
> No. SA is a scoring system, no one rule can single-handedly flag a mail
> as spam. Instead, RBL hits contribute to the spam score. Also, there are
> more RBLs in SA than you use with rblsmtpd, each weighted based on
> effectiveness.
>
> But this part really seems familiar. Like, yesterday.

I will install DNS-Cache to work with RBL.

> > > > required_hits 3
> > >
> > > Not a safe thing to do. That's severely lower than the default. Do
> > > expect FPs. If you find yourself in the need to lower the threshold that
> > > drastically, something else is wrong.
> >
> > Indeed this value was set to 5.0, but there were many SPAM emails so I
> > decided to lower it to 3.0, which do you recommend?
>
> The default. I do add third-party stuff, but I wouldn't lower the
> threshold like that. I know I'd get FPs.

I will change to required_hits 5.0.

> > > *Lots* more snipped. If you need that much whitelisting, it indicates
> > > there is a problem -- in this case, my guess can be seen above. Your
> > > required_score threshold is too low, and thus you need to whitelist more
> > > and more legit senders...
> >
> > This configuration should implement the previous postmaster, if there
> > is the need to eliminate rest assured that I will.
> >
> > > Even worse, you are using the un-constrained variant. Do NOT do that,
> > > unless as a last resort. If you need whitelisting at all, do use at
> > > least the *_rcvd variant, if not the auth'ed ones.
> >
> > You mean the option whitelist_from_rcvd?
> >
> > > In particular: DO NOT whitelist_from your own domain! If you do, a *lot*
> > > of spam will sail right through. Spammers love to pretend sending from
> > > your domain.
>
> You did not get back to the "your own domains" part. If there are any,
> remove 'em. Now.
>
> Generally, there should rarely be the need to whitelist anything. That
> huge list shows that it was used in an attempt to cure a problem, that
> stems from other mis-configuration. Rather than just throwing more
> whitelisting at SA, you should investigate the actual cause.
>
> And yes, I was talking about whitelist_from_rcvd, or actually *any*
> whitelist_from_* if they apply. But don't use the plain, un-constrained
> whitelist_from, unless as a last resort.
>
> Also see the docs.

I am going to analyze each whitelist_from entry.

> > > > header _LOCAL_I_HATE_VIAGRA Subject =~
> > > > /v.?[i1].?...@].?g.?[\@a]?.?r....@a]/i
> > > > describe _LOCAL_I_HATE_VIAGRA viagra
> > > > score _LOCAL_I_HATE_VIAGRA 100.0
> > >
> > > Funny. Can't even recall when the last spam like that got through. Do
> > > you really need such rules?
> >
> > I did it because many emails arriving with subject or body of the
> > message with the word VIAGRA
>
> That's a header rule. It does not match the body. Anyway, as I pointed
> out before, you'd better carefully check the rules hit, and investigate
> the real cause.
>
> These are generally high hitters. And the score suggests you are trying
> to counter a bad whitelist -- but I said that before. You should check
> *why* they might be slipping through, instead of assigning a ridiculous
> high score.

OK

> > > Maybe your Bayes is severely mis-trained? Or maybe you need that to
> > > counter the whitelist_from for pills spam pretending to be sent from
> > > your own domain. The score sure hints at that...
> >
> > As if well trained Bayes?
>
> Sorry, don't get that.

I meant: is there a way to know if Bayes is learning correctly?

> > Some additional recommendations to improve my antispam system?

Thanks for your time and patience

Jose Luis
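
Added example, not part of the original message or of SpamAssassin itself: a small Python check that flags the local.cf settings criticised in this thread (DNS blocklist checks disabled, a threshold below the default 5.0, plain whitelist_from entries including ones covering your own domain, and a single rule scored at or above the threshold). The sample config, the domains example.com and partner.example, and the finding codes are constructed for illustration.

```python
import fnmatch

DEFAULT_REQUIRED_SCORE = 5.0  # SpamAssassin's default spam threshold

def _num(value):
    """Parse a score value; return None when it is not a plain number."""
    try:
        return float(value)
    except ValueError:
        return None

def audit_local_cf(text, own_domains):
    """Return (line_number, code, detail) for each risky directive found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "skip_rbl_checks" and args[:1] == ["1"]:
            findings.append((lineno, "RBL_DISABLED", "DNS blocklist rules add no score"))
        elif key in ("required_hits", "required_score") and args:
            value = _num(args[0])
            if value is not None and value < DEFAULT_REQUIRED_SCORE:
                findings.append((lineno, "LOW_THRESHOLD", args[0]))
        elif key == "whitelist_from":  # the plain variant, no relay constraint
            for pattern in args:
                domain_glob = pattern.lower().rsplit("@", 1)[-1]
                own = any(fnmatch.fnmatchcase(d.lower(), domain_glob) for d in own_domains)
                code = "WHITELIST_OWN_DOMAIN" if own else "WHITELIST_UNCONSTRAINED"
                findings.append((lineno, code, pattern))
        elif key == "score" and len(args) >= 2:
            values = [v for v in map(_num, args[1:]) if v is not None]
            if values and max(values) >= DEFAULT_REQUIRED_SCORE:
                findings.append((lineno, "SINGLE_RULE_VERDICT", args[0]))
    return findings

# Constructed sample; the directive values mirror those quoted in the thread.
SAMPLE_CF = """\
# local.cf (constructed)
skip_rbl_checks 1
required_hits 3
whitelist_from *@example.com
whitelist_from *@partner.example
whitelist_from_rcvd *@partner.example mail.partner.example
score _LOCAL_I_HATE_VIAGRA 100.0
"""

if __name__ == "__main__":
    for finding in audit_local_cf(SAMPLE_CF, own_domains=["example.com"]):
        print(*finding)
```

The whitelist_from_rcvd line produces no finding because it ties the sender address to a relay hostname, which is the constrained variant recommended in the thread.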