Dear friends, I appreciate your support.
Yesterday at approximately 15:00 I made some changes:

- Add to SA skip_rbl_checks RBL 0
- Increase required_score from 3.5 to 5.0

Spam statistics from yesterday were:

Total messages:    Ham:     Spam:     % Spam:
----------------------------------------------------------------------
          11656    5225      6431      55.17%

Spam detection increased 1% compared to previous statistics.

Regarding whitelist_from, these are the statistics:

TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK    RULE NAME            COUNT   %OFMAIL   %OFSPAM   %OFHAM
----------------------------------------------------------------------
  22    USER_IN_WHITELIST      110      0.95      0.02     2.11

If I remove the entire configuration of SA whitelist_from, it improves 1%.

Additionally, the rules that are 100 points are created based on mass
mailings that are identified as SPAM (advertising) but that SA does not
detect.

Additionally, I noticed that there are emails that should be detected as
SPAM (for example those of 100 points - Advertising) but are not filtered.
What could be happening? What more could I add to or remove from the
configuration of the SA?

I understand that there may be errors in the configuration of the SA, and
basically it is because I do not have much experience; that is why I turn
to the list for support, and equally to learn more about SA.

Thanks

Jose Luis

> Date: Mon, 21 Sep 2009 19:36:24 -0400
> Subject: Re: Problems with high spam
> From: aawo...@gmail.com
> To: users@spamassassin.apache.org
>
> On Mon, Sep 21, 2009 at 11:34 AM, Martin Gregorie <mar...@gregorie.org> wrote:
> > On Mon, 2009-09-21 at 09:58 -0500, Jose Luis Marin Perez wrote:
> >
> >> I will implement improvements in the configuration suggested and
> >> observe the results, however, that more could be suggested to improve
> >> my spam service?
> >>
> > I think you need to find out more about where your system resources are
> > going.
> >
> > For starters, take a look at maillog (/var/log/maillog on my system) to
> > check whether any SA child processes are timing out. If they are, you
> > need to find out why processing those messages took so long and, if
> > possible, speed that up, e.g. if RBL checks or domain name lookups are
> > slow, consider running a local caching DNS.
> >
> > If that doesn't turn up anything obvious, use performance monitoring
> > tools (sar, iostat, mpstat, etc) to see what is consuming the system
> > resources: you have to know where and what the bottleneck(s) are before
> > you can do anything about them. You can find these tools here:
> >
> > http://freshmeat.net/projects/sysstat/
> >
> > if they aren't part of your distro's package repository.
> >
> >
> > Martin
> >
>
> Has there been any evidence that the OP's system is short on
> resources? If so I missed it.
> The complaint was that too much spam is making it past the filter,
> with a detection rate of only 54%.
> This is not a very good percentage for a typical mail flow (if it is
> actually accurate, i.e. not missing the mails rejected by RBLs or
> RFC/syntax checks).
>
> There were several issues with the configuration that kind people on
> the list have pointed out. Assuming these suggested changes have been
> implemented, what is the detection rate now?
>
> From the posted local.cf, it is evident that the SA configuration is
> not working very well. There are many manually entered whitelist
> rules, and also many manually added rules that score 100. This is a
> telltale sign of a very bad setup that is attempting to bandaid
> instead of fixing the core issue. And as pointed out before, both
> the whitelist and the subject match -> 100 are very bad ideas.
> Whitelisting the sender is so easily taken advantage of by spammers,
> and those +100pts matches are sure to generate FPs. Using rules this
> way demonstrates lack of understanding in the way that SA is supposed
> to work. SA rules rarely attempt to kill a message in one shot (100
> pts), instead they add or subtract a small amount from the score based
> on likelihood that a match means spam or ham. Fine tuning, not
> smashing with a hammer.
>
> So, I think it is pretty safe to assume that the problem lies within
> the SA configuration.
>
> Maybe there are old rulesets that need to be updated. Maybe not a
> good selection of rulesets in the first place. Perhaps this is an
> "out of the box" configuration that has never been properly set up.
>
> There are many good guides to setting up SA and supporting services
> available online. If the OP were to follow one of them to the letter,
> I think the detection rate would be much improved. Also some time
> spent learning more about SA in general would allow the OP to fine
> tune his config so that the current manual effort put into creating
> hammer smashing rules is unneeded.
>
> Good luck
> -Aaron
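
An added illustration of the two points raised in the quoted reply (sender whitelisting and 100-point subject rules), written as a local.cf fragment. It is not part of the original thread and is not the poster's local.cf; the domain partner.example, the rule name LOCAL_SUBJ_PROMO, the subject pattern and the 1.5 score are constructed placeholders.

```conf
# ---- Pattern criticised in the thread (shown commented out) ----
# whitelist_from trusts the sender address alone, which the sending
# side controls, so a forged From gets the whitelist bonus.
#   whitelist_from   *@partner.example
#
# One subject match decides the verdict by itself, so any legitimate
# mail with the same wording becomes a false positive.
#   header   LOCAL_SUBJ_PROMO  Subject =~ /special offer/i
#   score    LOCAL_SUBJ_PROMO  100

# ---- Corrected form ----
# Values taken from the poster's message.
required_score       5.0
skip_rbl_checks      0

# Whitelist only when the relay that handed the mail to the trusted
# network has reverse DNS inside the named domain. This depends on
# trusted_networks / internal_networks describing the local relays
# correctly.
whitelist_from_rcvd  *@partner.example  partner.example

# The same subject test, scored as one piece of evidence that adds to
# the total instead of settling the result on its own.
header    LOCAL_SUBJ_PROMO  Subject =~ /special offer/i
describe  LOCAL_SUBJ_PROMO  Subject wording seen in local bulk advertising
score     LOCAL_SUBJ_PROMO  1.5
```

Running `spamassassin --lint` after editing local.cf reports syntax errors in the file before the daemon is restarted.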