Daniel, thanks for the quick reply. I'll reply inline, below.

On 4/16/2013 5:01 PM, Daniel McDonald wrote:
>
> On 4/16/13 2:59 PM, "Ben Johnson" <b...@indietorrent.org> wrote:
>
>> Are there any normal circumstances under which Bayes tests are not run?
> Yes, if USE_BAYES = 0 is included in the local.cf file.

I checked in /etc/spamassassin/local.cf, and find the following:

use_bayes 1

So, that seems not to be the issue.

>>
>> If not, are there circumstances under which Bayes tests are run but
>> their results are not included in the message headers? (I have tag_level
>> set to -999, so SA headers are always added.)
>
> That sounds like an amavisd command, you may want to check in
> ~amavisd/.spamassassin/user_prefs as well....

I checked in the equivalent path on my system
(/var/lib/amavis/.spamassassin/user_prefs) and the entire file is
commented-out. So, that seems not to be the issue, either.

Is there anything else that would cause Bayes tests not to be performed? I
ask because other types of tests are disabled automatically under certain
circumstances (e.g., network tests), and I'm wondering if there is some
obscure combination of factors that causes Bayes tests not to be performed.

>>
>> Likewise, for the vast majority of spam messages that slip-through, I
>> see no evidence of Pyzor or Razor2 activity. I have heretofore assumed
>> that this observation indicates that the network tests were performed,
>> but did not contribute to the SA score. Is this assumption valid?
> Yes.

Okay, very good. It occurred to me that perhaps the Pyzor and/or Razor2
tests are timing-out (both timeouts are set to 15 seconds) some percentage
of the time, which may explain why these tests do not contribute to a given
message's score. That's why I asked about forcing the results into the SA
header.

>>
>> Also, is there some means by which to *force* Pyzor and Razor2 scores to
>> be added to the SA header, even if they did not contribute to the score?
>
> I imagine you would want something like this:
>
> full     RAZOR2_CF_RANGE_0_50 eval:check_razor2_range('','0','50')
> tflags   RAZOR2_CF_RANGE_0_50 net
> reuse    RAZOR2_CF_RANGE_0_50
> describe RAZOR2_CF_RANGE_0_50 Razor2 gives confidence level under 50%
> score    RAZOR2_CF_RANGE_0_50 0.01
>
> full     RAZOR2_CF_RANGE_E4_0_50 eval:check_razor2_range('4','0','50')
> tflags   RAZOR2_CF_RANGE_E4_0_50 net
> reuse    RAZOR2_CF_RANGE_E4_0_50
> describe RAZOR2_CF_RANGE_E4_0_50 Razor2 gives engine 4 confidence level below 50%
> score    RAZOR2_CF_RANGE_E4_0_50 0.01
>
> full     RAZOR2_CF_RANGE_E8_0_50 eval:check_razor2_range('8','0','50')
> tflags   RAZOR2_CF_RANGE_E8_0_50 net
> reuse    RAZOR2_CF_RANGE_E8_0_50
> describe RAZOR2_CF_RANGE_E8_0_50 Razor2 gives engine 8 confidence level below 50%
> score    RAZOR2_CF_RANGE_E8_0_50 0.01

This seems to work brilliantly. I can't thank you enough; I never would
have figured this out.

Ideally, using the above directives will tell us whether we're experiencing
timeouts, or these spam messages are simply not in the Pyzor or Razor2
databases.

Off the top of your head, do you happen to know what will happen if one or
both of the Pyzor/Razor2 tests time out? Will some indication that the tests
were at least *started* still be added to the SA header?

>>
>> To refresh folks' memories, we have verified that Bayes is setup
>> correctly (database was wiped and now training is done manually and is
>> supervised), and that network tests are being performed when messages
>> are scanned.
>>
>> Thanks for sticking with me through all of this, guys!
>>
>> -Ben
>

Thanks again, Daniel!

-Ben
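
Added example, not part of the original message: a small Python check that reads the X-Spam-Status header of saved messages and reports whether any BAYES_*, RAZOR2_* or PYZOR_* rule appears, which is the manual header inspection discussed in the thread. The sample messages are constructed, and the two header layouts handled (SpamAssassin's comma list and amavisd's bracketed name=score list) are assumptions about the local setup.

```python
import re
from email import message_from_string

# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "msg-a": "X-Spam-Status: No, score=1.2 required=5.0 tests=BAYES_50,\n"
             "\tHTML_MESSAGE,RAZOR2_CF_RANGE_0_50 autolearn=no version=3.3.2\n\nbody\n",
    "msg-b": "X-Spam-Status: No, score=0.001 tagged_above=-999 required=6.31\n"
             "\ttests=[HTML_MESSAGE=0.001] autolearn=no\n\nbody\n",
    "msg-c": "Subject: message that was never scanned\n\nbody\n",
}

# Rule-name prefixes that show a given subsystem produced a hit.
PREFIXES = {"bayes": "BAYES_", "razor2": "RAZOR2_", "pyzor": "PYZOR_"}


def rules_hit(raw_message):
    """Return the set of rule names listed in X-Spam-Status, or None if absent."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    if value is None:
        return None
    # Folded headers may break the tests= list after a comma; rejoin it first.
    value = re.sub(r",\s+", ",", str(value))
    match = re.search(r"tests=\[?([^\s\]]*)", value)
    if not match:
        return set()
    # amavisd appends "=score" to each name; keep only the rule name.
    names = {item.split("=", 1)[0] for item in match.group(1).split(",")}
    return names - {"", "none"}


def diagnose(raw_message):
    """Map each subsystem to True/False; None means no SA header at all."""
    rules = rules_hit(raw_message)
    if rules is None:
        return None
    return {key: any(r.startswith(prefix) for r in rules)
            for key, prefix in PREFIXES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, diagnose(raw))
```

A message whose result has "bayes" set to False was scanned without any BAYES_* rule being recorded, which is the case the thread is trying to explain.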