On 05/29/2010 05:03 AM, Yves Goergen wrote:
>> Stepping away from the ZMI issue and heading towards the larger
>> picture, what kind of spam are you trying to nail down with this
>> ruleset? What goals did you hope to meet with the ZMI rules? If
>> it's a specific type of spam, can you pastebin an example so we
>> can help you more directly?
>
> I have submitted a couple of those spam messages to the ruleset
> maintainer, but I'm not sure if it helps. I can repost it here if
> you like to see it. (ZIP 48 kB)
If they're evading bayes and other filters, they might be worth a look. I can take a look at them if you post them to pastebin.com or a similar site and then send me links (this is the best way to avoid spam filters on the list, etc).

>> Are you using Bayes? Are you training it?
>
> Yes. Yes. I'm only training it with spam messages though. I assume
> it autolearns all the rest. But the bayes filter is absolutely
> useless to me, it most often rates spam 0-1%, even for repeatedly
> learned spam messages. Maybe I should erase the bayes brain and
> restart from new?

Bayes won't work unless you have lots of both spam and ham. Autolearn is apparently not doing its job if most of your spams hit 0-1%. Try teaching it everything you have. If you're that out of whack, it might be worthwhile to start from scratch as you suggested.

>> Most people who want to improve their deployment's SA filters
>> aren't properly utilizing the various plugins. Specifically,
>> DNSBLs, URIBLs, and Bayes, but also things like Razor2, DCC (if
>> legal), and Pyzor.
>
> The very most helpful plugin to me is Botnet. It detects most spam
> and rates 5 points which is often a big step towards rejection.

I've heard good things about Botnet, though most of its dynamic checks appear to already be folded into SA's trunk (I've actually got some detection rules in there that are more sophisticated but are not yet done cooking). That said, the dynamic detection bits like Botnet should pale in comparison to any one of: DNSBLs, URIBLs, Bayes, Razor2, DCC, and Pyzor. Almost every case I encounter with this sort of "help me make SA filter better" ends up being a misconfiguration of some or all of those things.

> Most other SA rules don't detect anything although I'm running
> sa-update daily and it reports an update every some weeks. Only the
> DNSBL rules apply every once in a while - at least to what is
> passing the filter. I haven't investigated what's been blocked
> successfully.
> I think I've still installed the Image Info thing
> plugin but I don't think it catches anything these days. Image spam
> seems to be over.

DNSBLs do a good job; you're probably not noticing them because anything they nail gets hit pretty hard by several rules and thus probably hits your "block" threshold. Image spam comes and goes. Third party plugins like iXhash can help.

>> Upgrading to SA 3.3.1 would be a big step up if you're not there
>> already (if you can't, you might want to consider a back-port of
>> the better DNSBLs to SA 3.2.x like my khop-bl channel).
>
> I need to upgrade to SA 3.3, true. It's always been a hassle
> somewhere between CPAN, other dysfunctional Perl junk, source code
> and Debian packages... It's a very complicated job. I'm also
> considering setting up the entire machine anew on Ubuntu basis and
> only use platform packages but that's not something I can do in the
> near future.

Messing with CPAN will work, but might feel daunting, especially if you've never done it before. It also introduces an additional thing to keep track of.

For Debian, I recommend the volatile and backports repositories. Go to www.backports.org and add lenny-backports, then pin it to a low priority and un-pin spamassassin:

  Package: *
  Pin: release a=lenny-backports
  Pin-Priority: 150

  Package: spamassassin
  Pin: release a=lenny-backports
  Pin-Priority: 500

I've also got testing and unstable pinned even lower at 1 and -1, but that's up to you. 500 is the default pin, 101-500 will upgrade a manually-installed newer package if there is a candidate, 1-100 will install candidates if higher pin versions are missing, and lower pins are never installed. See the man page for apt_preferences for detail.
  # apt-cache policy spamassassin
  spamassassin:
    Installed: 3.2.5-2+lenny1.1~volatile1
    Candidate: 3.3.1-1~bpo50+1
    Package pin: 3.3.1-1~bpo50+1
    Version table:
       3.3.1-1 500
            1 http://debian.lcs.mit.edu/debian/ squeeze/main Packages
           -1 http://debian.lcs.mit.edu/debian/ unstable/main Packages
       3.3.1-1~bpo50+1 500
          150 http://www.backports.org lenny-backports/main Packages
       3.2.5-2+lenny2 500
          500 http://debian.lcs.mit.edu/debian/ lenny/main Packages
       3.2.5-2+lenny1.1~volatile1 500
          500 http://volatile.debian.org lenny/volatile/main Packages
  # aptitude install spamassassin
  ...
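The pinning procedure above (pin lenny-backports low, re-pin only spamassassin, then confirm with apt-cache policy that the candidate really comes from backports and not from testing/unstable before installing) as a worked script. This is an added example, not code from the list post or from Debian; the package name, the suite name, the function names and the target directory are assumptions, and the apt-cache policy text embedded in it is a constructed copy of the output quoted in the post so the checks run offline on any machine.

```shell
#!/bin/sh
# Added example (not from the list post): write the apt_preferences(5)
# stanzas the reply describes and verify, from `apt-cache policy` output,
# which repository supplies the candidate version before upgrading.
# Runs offline: the policy text below is constructed from the post, and
# the pin file goes to PIN_DIR (a temp dir by default, never /etc/apt).

PKG="${PKG:-spamassassin}"            # assumed package to pull from backports
SUITE="${SUITE:-lenny-backports}"     # assumed suite name (release a=...)

# Emit the two stanzas: everything from the suite pinned at 150 (below the
# default 500, so nothing else is pulled from it) and one package re-pinned
# to 500 so its backport becomes the candidate.
pin_file_contents() {
    printf 'Package: *\nPin: release a=%s\nPin-Priority: 150\n\n' "$2"
    printf 'Package: %s\nPin: release a=%s\nPin-Priority: 500\n' "$1" "$2"
}

# Write the stanzas to <dir>/<pkg>-backports and print the path.
# On a real Debian box, write them to /etc/apt/preferences instead.
write_pin_file() {
    out="$1/$2-backports"
    pin_file_contents "$2" "$3" > "$out"
    printf '%s\n' "$out"
}

# Constructed copy of the `apt-cache policy spamassassin` output in the post.
SAMPLE_POLICY='spamassassin:
  Installed: 3.2.5-2+lenny1.1~volatile1
  Candidate: 3.3.1-1~bpo50+1
  Package pin: 3.3.1-1~bpo50+1
  Version table:
     3.3.1-1 500
          1 http://debian.lcs.mit.edu/debian/ squeeze/main Packages
         -1 http://debian.lcs.mit.edu/debian/ unstable/main Packages
     3.3.1-1~bpo50+1 500
        150 http://www.backports.org lenny-backports/main Packages
     3.2.5-2+lenny2 500
        500 http://debian.lcs.mit.edu/debian/ lenny/main Packages
     3.2.5-2+lenny1.1~volatile1 500
        500 http://volatile.debian.org lenny/volatile/main Packages'

# Print the Candidate: version from policy text on stdin.
candidate_version() {
    awk '$1 == "Candidate:" { print $2; exit }'
}

# Print the suite/component (e.g. lenny-backports/main) that supplies the
# given version: the first source line after that version's table entry.
# Tolerates the "***" marker apt puts in front of the installed version.
version_source() {
    awk -v ver="$1" '
        in_table && ($1 == ver || ($1 == "***" && $2 == ver)) { found = 1; next }
        found && $2 ~ /^https?:\/\// { print $3; exit }
        $1 == "Version" && $2 == "table:" { in_table = 1 }
    '
}

# Succeed only if the candidate would be fetched from the expected suite;
# otherwise report where it actually comes from (e.g. unstable) and fail.
candidate_from_suite() {
    cand=$(printf '%s\n' "$1" | candidate_version)
    src=$(printf '%s\n' "$1" | version_source "$cand")
    case "$src" in
        "$2"/*) return 0 ;;
        *) printf 'candidate %s comes from %s, not %s\n' "$cand" "$src" "$2" >&2
           return 1 ;;
    esac
}

# Usage on the offline sample. On a real host, replace SAMPLE_POLICY with
#   "$(apt-cache policy "$PKG")"   after `aptitude update`.
PIN_DIR="${PIN_DIR:-$(mktemp -d)}"
echo "pin file written to $(write_pin_file "$PIN_DIR" "$PKG" "$SUITE")"
if candidate_from_suite "$SAMPLE_POLICY" "$SUITE"; then
    echo "candidate comes from $SUITE; safe to run: aptitude install $PKG"
fi
```

The source check matters because a stray testing or unstable line in sources.list with a pin of 500 or more would make apt pick the squeeze build of 3.3.1-1 (and its newer Perl dependencies) instead of the lenny backport; the script refuses to say "safe to install" unless the candidate's origin line names the suite you pinned.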