On Sep 29, 2014, at 4:58 PM, Mark London <m...@psfc.mit.edu> wrote:

> On 9/29/2014 12:58 PM, Mark London wrote:
>> On 9/29/2014 4:21 AM, users-digest-h...@spamassassin.apache.org wrote:
>>>
>>> From: Lorenzo Thurman <lore...@thethurmans.com>
>>> Date: 9/26/2014 10:59 PM
>>> I’ve been using SpamAssassin for a number of years with excellent results.
>>> But, now over the last month or so, it has been scoring spam very low. It
>>> still catches most spam, but whereas only about a dozen or so might get
>>> through to my inbox in a week, I’m suddenly getting a dozen or so a day. I
>>> run sa-update via cron every day and I have a special mail folder where I
>>> place missed spam and run sa-learn against it weekly. I know it's an arms
>>> race out there fighting spam, but here are some sample subject lines with SA's
>>> scores that I think should be caught. I know SpamAssassin looks at a lot
>>> more than subject lines, but does anyone know what I can do to increase
>>> SpamAssassin’s ability to detect spam? My threshold is set to 4.6.
>>>
>>> "Complete Our Survey, qualify for free-samples" 4.1
>>> "Re: Your Score-Changes on: 09/26/2014*" 2.9
>>> "Weird 30 second trick cURES Diabetes.." 4.1
>>> "Quality Window Replacement Deals" 4.4
>>> "Find a PhD degree online in the specialty field" 2.8
>>> "Your background check is Available online" 2.4
>>> "Perfect vision with one weird trick" 0.0
>>
>> What are the From: addresses in those spam emails? We have been recently
>> inundated from spam using domains such as .eu and .co. The IP names that
>> the spammers are using are constantly changing, so that the URIBLs are not
>> able to keep up with them. you've had to add customized rules that increase
>> the spam scores, for emails from these and other domains, that are now
>> popular with spammers.
>
> I meant to say "I've had to add...", not "you've had to add..."
>
> - Mark
>
I looked at those emails again and tried to resolve the sender’s addresses (dig -x z.z.z.z). They don’t resolve to valid hostnames, which means they should even reach SA. Postfix should reject them outright. I’ve changed a couple of postfix’s reject_rbl_client settings, put a tail on its log and now I see many emails being rejected outright. So I’ll take this to the postfix lists. These are the changes I made:

old
sbl.spamhaus.org
sbl-xbl.spamhaus.org

new
reject_rbl_client zen.spamhaus.ord
reject_rbl_client dns.sorbd.net

Thanks all.
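
Added example, not part of the original thread: one way to quantify what tailing the Postfix log shows after a reject_rbl_client change, by counting DNSBL rejects per zone and how many came from clients Postfix could not name. The log lines are constructed samples in the usual Postfix reject format, the IPs are documentation addresses, and `dnsbl.example.test` and the function name are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the shape Postfix logs for a reject_rbl_client
# hit. IPs are RFC 5737 documentation ranges; dnsbl.example.test is a placeholder.
SAMPLE_LOG = """\
Sep 29 17:02:11 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 5.7.1 Service unavailable; Client host [192.0.2.15] blocked using zen.spamhaus.org; from=<a@example.eu> to=<user@example.org> proto=ESMTP helo=<mail.example.eu>
Sep 29 17:02:40 mx postfix/smtpd[2101]: connect from mail.example.net[198.51.100.7]
Sep 29 17:03:05 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<b@example.co> to=<user@example.org> proto=ESMTP helo=<example.co>
Sep 29 17:04:19 mx postfix/smtpd[2110]: NOQUEUE: reject: RCPT from host.example.com[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using dnsbl.example.test; from=<c@example.com> to=<user@example.org> proto=ESMTP helo=<host.example.com>
"""

# Captures client name, client IP, SMTP reply code and the DNSBL zone that matched.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: \w+ from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?blocked using (?P<zone>[^;\s]+);"
)


def summarize_rbl_rejects(log_text):
    """Count DNSBL rejects per zone and how many were from unnamed clients."""
    per_zone, unknown_per_zone, clients = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:
            continue  # connects, deliveries and non-DNSBL rejects are skipped
        per_zone[m["zone"]] += 1
        clients.add(m["ip"])
        # Postfix logs the client name as "unknown" when the address has no
        # PTR record or the name does not resolve back to the same address.
        if m["host"] == "unknown":
            unknown_per_zone[m["zone"]] += 1
    return {
        "per_zone": dict(per_zone),
        "unknown_per_zone": dict(unknown_per_zone),
        "unique_clients": len(clients),
    }


if __name__ == "__main__":
    for key, value in summarize_rbl_rejects(SAMPLE_LOG).items():
        print(key, value)
```

A zone that never appears in `per_zone` after a day of real traffic is worth checking against the configured reject_rbl_client names.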