Solved

Fine-tune SpamAssassin

Posted on 2004-07-30
Last Modified: 2011-09-20
Hi
I would like to know some tips on fine-tuning SpamAssassin / MailScanner to block more spam.

I've used pretty much "out of the box" settings up to now, and it only marks all the messages as spam. I activated SBL+XBL checks, yet I still receive e-mail from such sources, although I have the setting to mark such messages as "High Scoring" and have "delete" as the action for high scoring spam...

Also, I noticed in the config that you can quarantine spam and virus infected messages, however, how do users access these for revision?

Question by:psimation
 
LVL 17

Accepted Solution

by:
owensleftfoot earned 252 total points
ID: 11681724
The best way to teach SpamAssassin is to use sa-learn. Any time spam slips through, get your users to forward it to a local user (on the Linux box) such as the user spam. (You will obviously have to create this account.) Then use sa-learn to scan the mbox of that user (spam).
http://spamassassin.apache.org/doc/sa-learn.html will show you how.

For the second point, you can set up both MailScanner & SpamAssassin to send an email to a user who has had a mail blocked because of spam or virus flags, with details about how to retrieve the original message.
RTFM Paul :) (I think I remember your name is Paul? If not, I apologise. You haven't been around in a while.)
0
 
LVL 20

Expert Comment

by:Gns
ID: 11692913
I don't use bayes, and frankly am not sure of its virtues. It makes it less easy to answer questions like "why is this spam"... :-).
But just to show that I'm not consequent in my thinking... I _will_ swear by the effectiveness of Razor (http://razor.sf.net), Pyzor (pyzor.sf.net) and DCC (http://www.rhyolite.com/anti-spam/dcc/) ... And some "intelligent" whitelisting;).
I also use the excellent MailWatch (http://mailwatch.sourceforge.net/) to visualize the scanning process... Makes it real easy to find problems with the current config ... and fix them.

My guess about the RBLs would be that you don't get enough hits (or even test against enough RBLs to be able) to reach the "High scoring spam" level. ISTR you need 3 (or was it 5) "hits" to mark a message as highscoring. Thus you'd just invoke the usual spam action, which likely is "deliver".

-- Glenn
0
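The guess above depends on a few MailScanner.conf settings, so here is an added shell check for them (not code from any poster in this thread). It assumes the option names as they appear in a stock MailScanner.conf, counts only the names on the `Spam List` line, and uses a constructed sample file.

```shell
#!/bin/sh
# Added example: checks the MailScanner.conf settings named in this thread.

# conf_get FILE KEY: value of the last "KEY = value" line, comments stripped.
conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_high_score FILE: returns 1 if high-scoring spam cannot work as intended.
check_high_score() {
    conf=$1; rc=0
    lists=$(conf_get "$conf" "Spam List")
    need=$(conf_get "$conf" "Spam Lists To Reach High Score")
    req=$(conf_get "$conf" "Required SpamAssassin Score")
    high=$(conf_get "$conf" "High SpamAssassin Score")
    action=$(conf_get "$conf" "High Scoring Spam Actions")
    set -- $lists                      # one word per configured list
    if [ "$#" -lt "${need:-0}" ]; then
        echo "WARN: $# list(s) configured but $need hits needed: lists alone never reach high score"
        rc=1
    fi
    if awk -v r="$req" -v h="$high" 'BEGIN { exit !(h + 0 <= r + 0) }'; then
        echo "WARN: High SpamAssassin Score ($high) is not above Required SpamAssassin Score ($req)"
        rc=1
    fi
    case $action in
        *delete*) echo "NOTE: high-scoring spam is deleted; no copy is kept for review" ;;
    esac
    return $rc
}

# Constructed sample, not the poster's real file.
sample_conf() {
    cat <<'EOF'
Spam List = SBL+XBL   # a single list
Spam Lists To Reach High Score = 3
Required SpamAssassin Score = 6
High SpamAssassin Score = 10
High Scoring Spam Actions = delete
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && { check_high_score "$tmp" || true; }
rm -f "$tmp"
```

On the sample it warns that one configured list can never supply three hits, and notes that the delete action leaves nothing to review.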
 
LVL 17

Author Comment

by:psimation
ID: 12419872
Hi Guys
I'm still battling with this darn MailScanner.

I changed the required SBL/XBL list hits to 2, then made it so my high scoring spam score is 6, and made it so that if the message hits at least 2 SBL/XBL lists, it would be marked as high scoring, i.e., 6. Then I have the action for messages of more than 6 set to delete.

However, I still get messages that clearly state in the headers that they have hit at least 2 SBL/XBL lists, AND it gave the message a spam score in total of 7, even though the action for >6 = delete...

Am I using sane values for high scoring spam?

0
 
LVL 20

Expert Comment

by:Gns
ID: 12422845
Eh, do these messages really get _delivered_? Or are you using MailWatch (or similar) to look at 'em? If the latter, the HS spamaction (noted a bit down in the details page) should be delete... making the database log entry all that remains:-).

-- Glenn
0
 
LVL 20

Assisted Solution

by:Gns
Gns earned 248 total points
ID: 12422973
.... And "sane" values for HS spam are very dependent on how well it (spamassassin mostly) behaves, and what the "Real Mails" look like... If I were to go as low as 6 for HS... I'd be blocking some real mails (which is a no-no for my organization (.gov-ish, with a need to be "available to the public")). Sigh. This makes me only able to store HS spam, so that a person actually looks through the quarantined stuff before deletion. Guess who gets to do the looking:-).
This works for me since we only get about 1500-2000 mails a day (with HS spam at about 1-2%).

My advice would be to play it cool for a while (letting more through than you like) and try to establish working black/whitelists...

I've also reconsidered my position on bayes... I'm using (and loving) it... Only tricky part with it is that one needs to be able to get the pure unchanged message to train it properly (when misdetections occur), but that can be handled by some form of IMAP folder where the users can dump messages (one for ham, one for spam).

-- Glenn
0
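The training routine described in the accepted answer (an mbox for a `spam` user) and in the last comment (one folder for ham, one for spam), as an added shell example that is not from any poster in this thread. The paths are hypothetical, and it assumes the mailboxes hold the messages unmodified.

```shell
#!/bin/sh
# Added example: feed user-reported mail to SpamAssassin's Bayes database.
SA_LEARN=${SA_LEARN:-sa-learn}     # overridable, e.g. SA_LEARN=echo for a dry run

# learn_from KIND SRC: KIND is "spam" or "ham"; SRC is an mbox file or a
# directory holding one message per file (for example a Maildir "cur" folder).
learn_from() {
    kind=$1; src=$2
    case $kind in
        spam|ham) ;;
        *) echo "kind must be spam or ham" >&2; return 2 ;;
    esac
    if [ -d "$src" ]; then
        $SA_LEARN --no-sync "--$kind" "$src"
    elif [ -s "$src" ]; then
        $SA_LEARN --no-sync "--$kind" --mbox "$src"
    else
        echo "skip: $src is missing or empty" >&2
    fi
}

# train_all: learn both classes, then sync the journal into the database once.
# SPAM_SRC and HAM_SRC default to hypothetical paths.
train_all() {
    learn_from spam "${SPAM_SRC:-/var/mail/spam}" &&
    learn_from ham "${HAM_SRC:-/var/mail/ham}" &&
    $SA_LEARN --sync
}

# Only train when asked to, so the file can be sourced safely.
if [ -n "${RUN_TRAINING:-}" ]; then
    train_all
fi
```

Run it as the account whose Bayes database the scanner reads, since sa-learn updates the database of the user that invokes it unless configured otherwise.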