We have a user for whom roughly 50% of spam goes undetected. I'm
wondering whether his user_prefs, or something else in his setup, is
preventing some messages from being scanned.

SpamAssassin version 3.4.1, running on Perl version 5.20.3, sendmail
Version 8.15.2


The contents of the user_prefs file:


# How many points before a mail is considered spam.

# required_score 5


# Whitelist and blacklist addresses are now file-glob-style patterns, so

# "fri...@somewhere.com", "*@isp.com", or "*.domain.net" will all work.

# whitelist_from some...@somewhere.com

# NOTE(review): blacklist_from is matched against sender-supplied address
# headers, so these entries only catch senders that keep reusing the same
# address or domain; they cannot account for spam missed from other senders.
# user_prefs is a per-user file: confirm the scanner that handles this user's
# mail actually reads it (spamd started with --nouser-config ignores it).
blacklist_from localde...@amazon.com

blacklist_from *@lormaneducation.net

blacklist_from *ncnet2.org

blacklist_from          *salesengineintl.com

blacklist_from *@shedsplansstart.com

blacklist_from *@multibriefs.com

blacklist_from pimsleur_approach@*

blacklist_from HSIAlert@*


# Add your own customised scores for some tests below.  The default scores are
# read from the installed spamassassin rules files, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.apache.org/tests.html .

#

# score SYMBOLIC_TEST_NAME n.nn


# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines.  They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.

#

# score HTML_COMMENT_8BITS 0

# score UPPERCASE_25_50 0

# score UPPERCASE_50_75 0

# score UPPERCASE_75_100 0

# score OBSCURED_EMAIL          0


# Speakers of any language that uses non-English, accented characters may wish
# to uncomment the following lines.   They turn off rules that fire on
# misformatted messages generated by common mail apps in contravention of the
# email RFCs.


# score SUBJ_ILLEGAL_CHARS      0


his .procmailrc file:


## only turn these on for debugging

##

##VERBOSE=on

##MAILDIR=$HOME/mail

##LOGFILE=$MAILDIR/from


##

# NOTE(review): with LOGFILE (and VERBOSE=on) enabled, procmail records which
# recipe delivered each message; that log is the direct way to see whether a
# missed spam ever reached the spamc recipe further down.
#
# NOTE(review): whitelist bypass. This recipe runs before any filtering.
# formail extracts the From:, From and Sender: fields and egrep matches them
# case-insensitively (-i) against the patterns in $HOME/.whitelist, with error
# messages suppressed (-s). On a match the message is delivered to $ORGMAIL
# and none of the later recipes (spamc, bogofilter, spamassassin) runs.
# These fields are set by the sender, the patterns are unanchored regular
# expressions, and an empty line in a grep -f pattern file matches every
# input line -- so the contents of .whitelist should be checked first.
:0:

* ? formail -x"From:" -x"From" -x"Sender:" | egrep -is -f $HOME/.whitelist

$ORGMAIL


## Silently drop all Asian language mail

# NOTE(review): the three recipes below deliver to /dev/null, so a match is
# discarded with no copy kept; the trailing ':' (local lockfile) has nothing
# to protect for that destination. They run before spamc and key only on the
# charset a message declares. procmail conditions are case-insensitive unless
# the D flag is given, so the upper/lower-case pairs in each alternation are
# redundant. koi8-r is a Cyrillic charset.
# NOTE(review): each condition appears split over two lines here; presumably
# this is mail line-wrapping in the post rather than the real file -- confirm,
# since a condition must sit on one line unless continued with a backslash.

:0:

*
^Subject:.*=\?(iso-2022-jp|ISO-2022-JP|iso-2022-kr|ISO-2022-KR|euc-kr|EUC-KR|gb2312|GB2312|ks_c_5601-1987|KS_C_5601-1987|koi8-r|KOI8-R)

/dev/null


:0:

* ^Content-Type:.*charset="?
?(iso-2022-jp|ISO-2022-JP|iso-2022-kr|ISO-2022-KR|euc-kr|EUC-KR|gb2312|GB2312|ks_c_5601-1987|KS_C_5601-1987|koi8-r|KOI8-R)

/dev/null


:0:

*
^X-Coding-System:.*charset="?(iso-2022-jp|ISO-2022-JP|iso-2022-kr|ISO-2022-KR|euc-kr|EUC-KR|gb2312|GB2312|ks_c_5601-1987|KS_C_5601-1987|koi8-r|KOI8-R)

/dev/null


## Chinese spam filter

# NOTE(review): matches a Subject containing a base64 UTF-8 encoded-word whose
# encoded text starts with 5 or 6, i.e. whose first decoded byte is 0xE4-0xEB
# (UTF-8 lead bytes for U+4000-U+BFFF). Matching mail is filed in
# mail/Unreadable before any spam scanner sees it.
:0:

* ^Subject:.*=\?utf-8\?B\?[56]

mail/Unreadable


# NOTE(review): windows-1250 is the Central European Windows code page; any
# message declaring it is discarded to /dev/null with no copy kept.
:0:

* ^Content-Type:.*charset="?windows-1250

/dev/null


# NOTE(review): the Subject recipes below discard or file mail before any
# scanner runs, so nothing delivered here carries X-Spam-* headers from this
# host. The '[SPAM]' recipe can only match a tag already present on arrival:
# the 'rewrite_header Subject [SPAM]' setting in local.cf is applied later,
# by the spamc recipe.
:0:

* ^Subject: Auto-discard notification

/dev/null


:0:

* ^Subject: (DELIVERY FAILURE:|failure notice$)

SpamSpoofing


:0:

* ^Subject: .*[Aa]cai.*

Caughtspam


:0:

* ^Subject: ACH payment report

Caughtspam


:0:

* ^Subject: \[SPAM\].*

Caughtspam


# NOTE(review): first scan, via spamc/spamd. Flags: f = filter, w = wait for
# the exit code; the trailing ':' asks for a local lockfile, which procmail
# cannot name for a plain pipe -- presumably it logs a warning and carries on.
# By default spamc hands the message back unchanged when it cannot reach
# spamd or when the message exceeds its size limit (-s), so an unscanned
# message looks like a clean one to the recipes below. A missed spam that has
# no X-Spam-Checker-Version / X-Spam-Status header was never scanned.
:0fw:

| /usr/bin/spamc

# Anything spamd tagged as spam is delivered to Caughtspam here.
:0:

* ^X-Spam-Status: Yes

Caughtspam


# NOTE(review): '?' makes the condition depend on bogofilter's exit status;
# H and B feed it both header and body. The verdict depends on bogofilter's
# trained wordlist -- confirm this user has one and that it is kept trained.
:0HB:

* ? /usr/bin/bogofilter -p

Caughtspam


:0:

* ^From: Vitale

Caughtspam


##

#

# The condition line ensures that only messages smaller than 250 kB

# (250 * 1024 = 256000 bytes) are processed by SpamAssassin. Most spam

# isn't bigger than a few k and working with big messages can bring

# SpamAssassin to its knees.

#

# The lock file ensures that only 1 spamassassin invocation happens

# at 1 time, to keep the load down.

#

# NOTE(review): second scan. Every message reaching this point has already
# been through the spamc recipe earlier in this file, and anything spamd
# tagged was delivered to Caughtspam there. This pass runs the standalone
# spamassassin script; if it reaches a different verdict than spamd did, the
# two are presumably using different configuration, user or network-test
# settings -- compare them with 'spamassassin -D' on a saved sample.
:0fw: spamassassin.lock

* < 256000

| spamassassin


# Mails with a score of 15 or higher are almost certainly spam (with 0.05%

# false positives according to rules/STATISTICS.txt). Let's put them in a

# different mbox. (This one is optional.)

:0:

* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

almost-certainly-spam


# All mail tagged as spam (eg. with a score higher than the set threshold)

# is moved to Caughtspam

:0:

* ^X-Spam-Status: Yes

Caughtspam


# Work around procmail bug: any output on stderr will cause the "F" in "From"
# to be dropped.  This will re-add it.

# NOTE(review): '^^' anchors at the very start of the message, so this fires
# only when the leading "From " separator line has lost its first letter.
# LOG writes the notice to the procmail log; the nested recipe pipes the
# header (h) through sed as a filter (f), waiting for it to finish (w), and
# sed puts the 'F' back at the start of line 1.
:0

* ^^rom[ ]

{

  LOG="*** Dropped F off From_ header! Fixing up. "


  :0 fhw

  | sed -e '1s/^/F/'

}


# :0:

# $DEFAULT



default /root/.spamassassin/user_prefs file:


# SpamAssassin user preferences file.  See 'perldoc Mail::SpamAssassin::Conf'
# for details of what can be tweaked.

###########################################################################


# How many points before a mail is considered spam.

# required_score 5


# Whitelist and blacklist addresses are now file-glob-style patterns, so

# "fri...@somewhere.com", "*@isp.com", or "*.domain.net" will all work.

# whitelist_from some...@somewhere.com


# Add your own customised scores for some tests below.  The default scores are
# read from the installed spamassassin rules files, but you can override them
# here.  To see the list of tests and their default scores, go to
# http://spamassassin.apache.org/tests.html .

#

# score SYMBOLIC_TEST_NAME n.nn


# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost
# definitely want to uncomment the following lines.  They will switch off some
# rules that detect 8-bit characters, which commonly trigger on mails using CJK
# character sets, or that assume a western-style charset is in use.

#

# score HTML_COMMENT_8BITS 0

# score UPPERCASE_25_50 0

# score UPPERCASE_50_75 0

# score UPPERCASE_75_100 0

# score OBSCURED_EMAIL          0


# Speakers of any language that uses non-English, accented characters may wish
# to uncomment the following lines.   They turn off rules that fire on
# misformatted messages generated by common mail apps in contravention of the
# email RFCs.


# score SUBJ_ILLEGAL_CHARS      0


[root@dsm ~]# cat /etc/mail/spamassassin/local.cf

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf

# (see spamassassin(1) for details)


# These should be safe assumptions and allow for simple visual sifting

# without risking lost emails.


# NOTE(review): required_hits is the older name for required_score.
# report_safe 1 wraps detected spam as an attachment of a report message, and
# rewrite_header prepends [SPAM] to the Subject of detected spam.
required_hits 5

report_safe 1

rewrite_header Subject [SPAM]

# NOTE(review): use_pyzor, use_razor2 and dcc_path only have an effect when
# the matching plugin is loaded and its client program is installed, and when
# network tests are enabled for the scanner actually in use (spamd started
# with -L runs local tests only). 'spamassassin -D --lint' shows what loads.
use_pyzor 1

use_razor2 1

dcc_path /usr/local/bin/dccproc

# NOTE(review): the two 'header ... eval:check_rbl(...)' rules appear split
# over two lines here; presumably mail line-wrapping in the post rather than
# the real file -- confirm with 'spamassassin --lint'. 'tflags ... net' marks
# them as network tests, so they are skipped when network tests are off.
header RCVD_IN_MSPIKE_BL eval:check_rbl('mspike-lastexternal',
'bl.mailspike.net.')

tflags RCVD_IN_MSPIKE_BL net

score RCVD_IN_MSPIKE_BL 3.5

header RCVD_IN_MSPIKE_WL eval:check_rbl('mspike-lastexternal',
'wl.mailspike.net.')

tflags RCVD_IN_MSPIKE_WL net

score RCVD_IN_MSPIKE_WL -2.1


# NOTE(review): To:raw matches the undecoded To header; this rule adds 1.5
# points when an address there is wrapped in double angle brackets.
header SMF_BRACKETS_TO To:raw =~ /<<[^<>]+>>/

describe SMF_BRACKETS_TO Double-brackets around To header address

score SMF_BRACKETS_TO 1.5


# NOTE(review): a score of 0 disables a rule, so the lines below only switch
# tests off; none of them adds detection.
score DNS_FROM_AHBL_RHSBL 0

score __RFC_IGNORANT_ENVFROM    0

score DNS_FROM_RFC_DSN          0

score DNS_FROM_RFC_BOGUSMX      0

score __DNS_FROM_RFC_POST       0

score __DNS_FROM_RFC_ABUSE      0

score __DNS_FROM_RFC_WHOIS      0

score FSL_RU_URL 0


# whitelist_from 150.x.x.x


sample header of a missed spam/false negative:

http://txt.do/5em14


I had to use an external site as my messages were not getting through to
the list.
