1

I have a bit of an issue with a user's inbox in that a lot of spam is getting through for him alone.

We use Amavis/Postfix and SA in our mail setup. Config setup like this:

Config:
$sa_tag_level_deflt  = 2.0;  
$sa_tag2_level_deflt = 6.2;  
$sa_kill_level_deflt = 8.0;  
$sa_dsn_cutoff_level = 10;   
$sa_crediblefrom_dsn_cutoff_level = 18;
#$sa_quarantine_cutoff_level = 25; 
$penpals_bonus_score = 8;    
$penpals_threshold_high = 
$bounce_killer_score = 100;   

Here's an example of some spam that is being picked up correctly:

X-Spam-Status: Yes, score=9.172 tagged_above=-2 required=6.2
    tests=[BAYES_50=0.8, DOS_RCVD_IP_TWICE_B=0.001,
    FORGED_OUTLOOK_TAGS=0.052, FROM_12LTRDOM=2, FROM_OFFERS=2.699,
    HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=0.428, MPART_ALT_DIFF=0.79,
    RDNS_NONE=0.793, SPF_HELO_SOFTFAIL=0.732, SPF_SOFTFAIL=0.665,
    TO_NO_BRKTS_MSFT=0.199, TO_NO_BRKTS_NORDNS=0.001, T_REMOTE_IMAGE=0.01,

Lots of high scores, as you can see, pushing it well over the kill level (8). Here's a very typical example of some spam that is not being caught:

X-Spam-Status: No, score=1.484 tagged_above=-2 required=6.2
    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MPART_ALT_DIFF_COUNT=1.112,
    RCVD_IN_BRBL_LASTEXT=1.449, RDNS_NONE=0.793, SPF_PASS=-0.001,
    T_URIBL_SEM_FRESH=0.01, T_URIBL_SEM_FRESH_10=0.01,
    T_URIBL_SEM_FRESH_15=0.01] autolearn=no

The common theme in most of these is a low BAYES_00 score. Some seem really obvious as well:

Return-Path: <dahlia@www123429.com>
X-Spam-Flag: NO
X-Spam-Score: 2.488
X-Spam-Level: **
X-Spam-Status: No, score=2.488 tagged_above=-2 required=6.2
   tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001,
   MIME_HTML_ONLY=0.723, MORE_SEX=1.413, RCVD_IN_BRBL_LASTEXT=1.449,
   RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,
   T_REMOTE_IMAGE=0.01] autolearn=no
From: "L o n g & H a r d" <dahlia@www123429.com>
MIME-Version: 1.0
Subject:     How Men Like You Are Boosting Testosterone
Message-ID: <GdeSiGuPRRZRwqRPfuK8Coieid3d24SeCz12i4o48mi4duRfPPqfqfPRwfuVVZZw@www123429.com>

I'm not sure why this is happening for one user but not another. It seems like the only option here is to train SA with a database of spam/ham. Has anyone any experience of this? If so, what solution do you suggest?

GerryI90

1 Answer

1

Every user gets a different dose of spam.

Since you are using SpamAssassin, you might want to consider adding some additional rule repositories, which are updated frequently, to catch more spam (e.g. as described here: http://khopis.com/wiki/Anti-spam). Your spam trigger level is also a little bit high; most people normally use 5.0 there instead.

Of course, training SpamAssassin on a recent ham and spam corpus might not hurt as well; in fact, that's something you should do at the beginning.

You could also add another Bayesian spam filter, like Bogofilter, DSPAM or CRM114, and make it work together with SpamAssassin.

But don't let your users train the filter; most users train the filter the wrong way.

Getting 95% of the spam filtered is easy; getting it to 99.5% and above is really hard. Never ever forget that.

Since you've got Postfix installed, using postfwd and greylisting might be another idea to reduce the forefront spam further or using postscreen instead.

Of course, if you're feeling adventurous, you could also take a look at the DKIM, SPF and DMARC headers of mails, if they are there. But this normally only gets rid of forged mails, and if a mail passes those tests it doesn't necessarily need to be ham.

Marc Stürmer
  • Thanks Marc, some excellent suggestions to get me started. I'm going to decrease the filter incrementally, which should help reduce some of it, then train SA with a corpus I've been collecting. – GerryI90 Aug 07 '14 at 11:34
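
Added example, not part of the original thread: a small Python parser for the X-Spam-Status headers quoted in the question, which separates the Bayes contribution from the other rules and re-evaluates each missed message against the configured 6.2 and the suggested 5.0. The function names are this example's own, and using the BAYES_50 value of 0.8 from the caught message as a "neutral Bayes" baseline is an assumption made for the comparison.

```python
import re

TAG2_LEVEL = 6.2       # $sa_tag2_level_deflt in the question's config
SUGGESTED_LEVEL = 5.0  # threshold suggested in the answer
BAYES_50 = 0.8         # BAYES_50 value from the correctly caught example

# The two missed-spam headers, copied from the question.
MISSED = [
    "X-Spam-Status: No, score=1.484 tagged_above=-2 required=6.2\n"
    "    tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MPART_ALT_DIFF_COUNT=1.112,\n"
    "    RCVD_IN_BRBL_LASTEXT=1.449, RDNS_NONE=0.793, SPF_PASS=-0.001,\n"
    "    T_URIBL_SEM_FRESH=0.01, T_URIBL_SEM_FRESH_10=0.01,\n"
    "    T_URIBL_SEM_FRESH_15=0.01] autolearn=no",
    "X-Spam-Status: No, score=2.488 tagged_above=-2 required=6.2\n"
    "   tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001,\n"
    "   MIME_HTML_ONLY=0.723, MORE_SEX=1.413, RCVD_IN_BRBL_LASTEXT=1.449,\n"
    "   RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001,\n"
    "   T_REMOTE_IMAGE=0.01] autolearn=no",
]

STATUS_RE = re.compile(r"score=(-?[\d.]+).*?tests=\[([^\]]*)\]")

def parse_status(header):
    """Return (total_score, {test: score}) for one X-Spam-Status header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = STATUS_RE.search(unfolded)
    if not m:
        raise ValueError("header has no score/tests section")
    tests = {}
    for item in m.group(2).split(","):
        name, sep, value = item.strip().partition("=")
        if sep:
            tests[name] = float(value)
    return float(m.group(1)), tests

def bayes_impact(header):
    """Show what the Bayes test alone does to the verdict."""
    total, tests = parse_status(header)
    bayes = sum(v for k, v in tests.items() if k.startswith("BAYES_"))
    neutral = round(total - bayes + BAYES_50, 3)  # as if Bayes were undecided
    return {
        "score": total,
        "bayes": bayes,
        "without_bayes": round(total - bayes, 3),
        "neutral_bayes": neutral,
        "tagged_at": {lvl: neutral >= lvl for lvl in (TAG2_LEVEL, SUGGESTED_LEVEL)},
    }

if __name__ == "__main__":
    for h in MISSED:
        print(bayes_impact(h))
```

With an undecided Bayes verdict the two messages would score 4.184 and 5.188, so only the second reaches 5.0 and neither reaches 6.2. That is consistent with the answer's advice to combine retraining with additional rules rather than rely on a threshold change alone.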