On 10/12/2013 09:26 AM, Stan Hoeppner wrote:
> These two rules are adding 4.0 pts [...]
> Content analysis details:   (4.8 points, 4.2 required)
>  pts rule name              description
> ---- ---------------------------------------------------------------------
>  2.8 FSL_HELO_BARE_IP_2     FSL_HELO_BARE_IP_2
>  1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
>  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
>                             [score: 0.5314]

The others have addressed the "two rules" you mentioned, so I'll leave that alone in this email. There's more here than that:

If you're using Bayes, you have to train it. Right now, it's hurting you: Those 0.8 points should be some negative value, perhaps -1.9 or -0.5 (the default scores for BAYES_00 and BAYES_05), which would then have made that message score 2.1 or 3.5, both of which are below your 4.2 threshold (which is already too low!).

On that threshold: there are better ways to nail more spam than lowering the threshold. SpamAssassin is highly tuned for 5.0 and while it's safe to bump that threshold up (more conservative, e.g. I block at 8.0 and flag at 5.0), it is not as safe to pull it down.

Better way #1: plugins. Razor2, Pyzor, DCC. Decently drop-in (though DCC isn't as easy as it once was).

Better way #2: Bayes. Set it up to facilitate better training. Create "learn-spam" and "learn-nonspam" folders for each user and run cron jobs that run sa-learn (or better, spamassassin -r so you can learn and report them) and then empty the folders. Once you can trust Bayes, you can increase the magnitude of its scores. Do this slowly and carefully.

Better way #3: AWL. This is now disabled by default, in part due to misunderstandings (it is horribly named; it's as much a black list as it is a white list, and it's not as "persistent" as its storage model purports). This nudges a sender's mail towards its previous average score. Set it up site-wide, /not/ per-user, and start it with a low factor (say 0.1) until you can trust it, slowly increasing it up to 0.5 (you can go higher, but I wouldn't go too much higher; I use 0.333). Keep in mind that AWL doesn't clean up after itself the way Bayes does, so the DB will grow over time. There are limited guides online for how to prune it.

> Received: from bendel.debian.org (bendel.debian.org [82.195.75.100])
>       by greer.hardwarefreak.com (Postfix) with ESMTP id C95BD6C0CE
>       for <s...@hardwarefreak.com>; Sat, 12 Oct 2013 10:23:37 -0500 (CDT)
> [...]
> X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on bendel.debian.org
> X-Spam-Level:
> X-Spam-Status: No, score=-9.6 required=4.0 tests=FOURLA,FREEMAIL_FROM,
>       LDOSUBSCRIBER,LDO_WHITELIST,RCVD_NUMERIC_HELO,T_RP_MATCHES_RCVD,
>       T_TO_NO_BRKTS_FREEMAIL autolearn=unavailable version=3.3.2
> [...]
> X-Amavis-Spam-Status: No, score=-5.735 tagged_above=-10000 required=5.3
>       tests=[BAYES_00=-2, FOURLA=0.1, FREEMAIL_FROM=0.001, LDO_WHITELIST=-5,
>       RCVD_IN_DNSWL_NONE=-0.0001, RCVD_NUMERIC_HELO=1.164,
>       T_RP_MATCHES_RCVD=-0.01, T_TO_NO_BRKTS_FREEMAIL=0.01] autolearn=ham

Another option is to trust Debian's SA instance. You can add 82.195.75.100 to trusted_networks in your local.cf. Be careful, this would mean inheriting some of Debian's false negatives.
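
The "Better way #2" training loop from the message above, sketched as a cron-run script. This is an added example, not part of the original e-mail: the Maildir layout (`.learn-spam` and `.learn-nonspam` under each user's `Maildir`), the base directory argument and the `SA_LEARN` override variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original e-mail): feed per-user training
# folders to sa-learn, then empty them.
# Assumed layout: <base>/<user>/Maildir/.learn-spam/{cur,new}
#                 <base>/<user>/Maildir/.learn-nonspam/{cur,new}
# Assumption: the job runs as one account, so every user's mail trains
# that account's (site-wide) Bayes DB.
# SA_LEARN is a hypothetical override so the command can be swapped out.
SA_LEARN="${SA_LEARN:-sa-learn}"

# learn_folder <--spam|--ham> <maildir-folder>
# Learns the messages in cur/ and new/ and deletes them only when
# sa-learn succeeds, so a failed run (locked DB, bad permissions)
# does not throw away the users' training mail.
learn_folder() {
    kind="$1"; folder="$2"
    for sub in cur new; do
        dir="$folder/$sub"
        [ -d "$dir" ] || continue
        # Nothing to learn from an empty directory.
        [ -n "$(find "$dir" -type f | head -n 1)" ] || continue
        if "$SA_LEARN" "$kind" "$dir" >/dev/null; then
            find "$dir" -type f -exec rm -f {} +
        else
            echo "sa-learn failed on $dir; messages kept" >&2
            return 1
        fi
    done
}

# train_all <base-dir>: walk every user's training folders.
# Returns non-zero if any folder failed, so cron can mail the error.
train_all() {
    base="$1"; rc=0
    for maildir in "$base"/*/Maildir; do
        [ -d "$maildir" ] || continue
        learn_folder --spam "$maildir/.learn-spam"    || rc=1
        learn_folder --ham  "$maildir/.learn-nonspam" || rc=1
    done
    return $rc
}

# Runs only when given a base directory, e.g. from a nightly cron entry
# that calls this script with /home as its argument.
if [ $# -ge 1 ]; then train_all "$1"; fi
```

Deleting only after a successful learn means a broken Bayes DB shows up as folders that never empty, rather than as silently lost training mail.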