On 1/14/2013 2:49 PM, RW wrote:
> On Mon, 14 Jan 2013 13:24:55 -0500
> Ben Johnson wrote:
>
>> A clear pattern has emerged: the X-Spam-Status headers for very
>> obviously spammy messages never contain evidence that network tests
>> contributed to their SA scores.
>>
>> Ultimately, I need to know whether:
>>
>> a.) Network tests are not being run at all for these messages
>>
>> b.) Network tests are being run, but are failing in some way
>>
>> c.) Network tests are being run, and are succeeding, but return
>> responses that do not contribute to the messages' scores
>>
>> I've had a look at the log entries to which I link in my previous
>> message and I just need a little help interpreting the "dns" and
>> "async" messages.
>
> As I said before, it's not unusual for snowshoe spam to hit no net
> tests at all. Also obvious spam isn't any more likely to be in a
> blocklist than less obvious spam.
>
> However, try adding this to your SpamAssassin configuration, and
> restart the appropriate daemon:
>
> header RCVD_IN_HITALL eval:check_rbl('hitall-lastexternal', 'ipv4.fahq2.com.')
> tflags RCVD_IN_HITALL net
> score RCVD_IN_HITALL 0.001
>
> It should add a dns test that is hit for all mail delivered from an
> IPv4 address.
>

Thanks, RW. I understand that snowshoe spam may not hit any net tests. I guess my confusion is around what, exactly, classifies spam as "snowshoe".

Are most/all of the BL services hash-based? In other words, if a known spam message was added yesterday, will it be considered "snowshoe" spam if the spammer sends the same message today and changes only one character within the body?

If so, then I guess the only remedy here is to focus on why Bayes seems to perform so miserably.

It must be a configuration issue, because I've sa-learn-ed messages that are incredibly similar for two days now and not only do their Bayes scores not change significantly, but sometimes they decrease. And I have a hard time believing that one of my users is sa-train-ing these messages as ham and negating my efforts.

I have ensured that the spam token count increases when I train these messages. That said, I do notice that the token count does not *always* change; sometimes, sa-learn reports "Learned tokens from 0 message(s) (1 message(s) examined)". Does this mean that all tokens from these messages have already been learned, thereby making it pointless to continue feeding them to sa-learn?

If I receive one more uncaught message about how some mom is angering doctors by doing something crazy to her face, I'm going to hunt-down the ****er and rip her face OFF.

Finally, I added the test you supplied to my SA configuration, restarted Amavis, and all messages appear to be tagged with RCVD_IN_HITALL=0.001.

Thanks for all your help,

-Ben
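
The check discussed in this thread can be scripted. The following is an added example, not code from either poster: it reads the X-Spam-Status header and uses the always-hit RCVD_IN_HITALL rule to tell case (c) apart from cases (a)/(b). The sample messages are constructed, and the list of rule-name patterns treated as network tests is an assumption of this sketch.

```python
import re
from email import message_from_string

# Assumption: name patterns used to spot network tests. This is a heuristic,
# not a lookup of SpamAssassin's own "tflags net" data.
NET_PREFIXES = ("RCVD_IN_", "URIBL_")
NET_NAMES = {"RAZOR2_CHECK", "PYZOR_CHECK", "DCC_CHECK"}
CANARY = "RCVD_IN_HITALL"  # the always-hit rule suggested in the thread

def hit_tests(raw_message):
    """Return rule names from X-Spam-Status, or None if the header is absent."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None
    flat = re.sub(r",\s+", ",", status)  # undo folding/spacing inside the list
    # Accept both "tests=A,B" and the bracketed "tests=[A=0.1, B=2.0]" form.
    m = re.search(r"tests=(\[[^\]]*\]|\S*)", flat)
    if not m:
        return []
    names = [t.split("=")[0].strip() for t in m.group(1).strip("[]").split(",")]
    return [n for n in names if n and n.lower() != "none"]

def classify(raw_message):
    """Map one message onto the three cases listed in the quoted post."""
    tests = hit_tests(raw_message)
    if tests is None:
        return "not scanned"
    net = [t for t in tests
           if t != CANARY and (t.startswith(NET_PREFIXES) or t in NET_NAMES)]
    if net:
        return "net tests contributed: " + ",".join(net)
    if CANARY in tests:
        return "net tests ran, no list matched"   # case (c)
    return "no sign that net tests ran"           # case (a) or (b)

# Constructed sample messages (not taken from the thread's logs).
SAMPLES = {
    "bracketed": "X-Spam-Status: No, score=2.1 tagged_above=-999 required=5\n"
                 "\ttests=[BAYES_50=0.8, HTML_MESSAGE=0.001,\n"
                 "\tRCVD_IN_HITALL=0.001] autolearn=no\n\nbody\n",
    "plain": "X-Spam-Status: Yes, score=7.4 required=5.0 tests=BAYES_99,\n"
             "\tRCVD_IN_HITALL,URIBL_BLACK autolearn=no\n\nbody\n",
    "no_net": "X-Spam-Status: No, score=0.8 required=5.0 "
              "tests=BAYES_50,HTML_MESSAGE autolearn=no\n\nbody\n",
    "unscanned": "Subject: hello\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw)}")
```
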