Posted to users@spamassassin.apache.org by FH <fh...@usa.net> on 2005/02/10 20:48:37 UTC

Care and feeding instructions for SpamAssassin?

Hopefully this isn't a FAQ, I looked over the list on the website and
while there is some useful info there I didn't see answers to all my
questions (or maybe I just didn't realize they were answered as this is
all new to me ;))


THE PROBLEM:  Recently the hit %age has dropped significantly (to about
50%, that's just a guess though).  For example I've received several
"valentine card" spams over the last couple of days and SA is still not
marking it as spam :(


THE SETUP:
I recently upgraded our mail server to POSTFIX and added in SpamAssassin
(3.0.2).  In case it's important the spam level is set at 4, users are NOT
allowed to set their own preferences, spamd is called through procmail
(and the default spamc script) with the "-d" and "-u [see below]" options and
the OS is Solaris9.

Everything w/ the install went great and it was picking up spam like a
champ (maybe 1 out of 10 wouldn't be flagged properly).  In order to
facilitate people reporting improperly marked spam/ham I set up a couple
of internal aliases they can forward email to and on those files (and the
spam/ham I get which I save in separate mailboxes) I occasionally run:

	sa-learn --[spam|ham] --showdots --mbox <file>

The one thing that has changed since the initial setup is the fact someone
on the postfix list mentioned spamd shouldn't run as `nobody` (that's how
it was originally configured).  I created another user for it to run under
(and it seems to be fine w/ that using the "-u" option mentioned earlier) I
also chowned the "spool" files (journal, seen, etc) to that user.  The config
files and the test files (the #_* files in the "share" dir) are still owned by
root.


THE QUESTIONS:
- Is the recent degrade in performance just a matter of the spammers
changing their tactics and SA having to learn the new spam?  As I said
I've only been doing this about a month so I'm not sure if this is part of
a normal cyclical thing.

- Should the sa-learn process report anything through syslog?  I mean it's
reporting successful results at the prompt but I didn't know if there was
some place else to check to see if there might be warnings/errors "behind the
scenes"?

- Is the sa-learn process the only/best way of doing the training?

- Is the forwarding of email to that address potentially causing a problem
w/ the learning process?  I mean for the email I set aside I know it is
unmodified, but when users forward a spam to the email alias all the
forwarding information is attached, is that potentially causing a problem?
I did find something about forwarding mail and vanity domains in the FAQ
but I'm not sure that is directly applicable to what I'm doing.

- I've found several good guides on initial installation and configuration
but is there a decent "care and feeding" manual around for ongoing maint of
SA?  For example is there a command/process I can run though before and after
using the sa-learn to get a feel for what changes were made? 

- Just out of curiosity why is it not a good idea to run spamd as
`nobody`?

I think that's it.  I appreciate any/all help
Thanks



Re: Care and feeding instructions for SpamAssassin?

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello FH,

Thursday, February 10, 2005, 11:48:37 AM, you wrote:

F> Hopefully this isn't a FAQ, I looked over the list on the website and
F> while there is some useful info there I didn't see answers to all my
F> questions (or maybe I just didn't realize they were answered as this is
F> all new to me ;))

The major problems/questions as I read your email are FAQs, though
possibly not listed yet as FAQ on the wiki.

F> THE QUESTIONS:
F> - Is the recent degrade in performance just a matter of the spammers
F> changing their tactics and SA having to learn the new spam?  As I said
F> I've only been doing this about a month so I'm not sure if this is part of
F> a normal cyclical thing.

Yes, spam changes, and SpamAssassin systems need to adapt.  Bayes does
well at this when correctly trained (see below). Adding custom rules
also helps.

I haven't seen any valentine's spam here -- I suspect the custom rules
are blocking them, and Bayes catches on quickly.  Check out
http://wiki.apache.org/spamassassin/CustomRulesets 

F> - Is the forwarding of email to that address potentially causing a problem
F> w/ the learning process?  I mean for the email I set aside I know it is
F> unmodified, but when users forward a spam to the email alias all the
F> forwarding information is attached, is that potentially causing a problem?
F> I did find something about forwarding mail and vanity domains in the FAQ
F> but I'm not sure that is directly applicable to what I'm doing.

You've hit the nail on the head. If I understand what you're doing,
you're teaching SpamAssassin that emails forwarded from your users to
your "this is spam" mailbox are spam. Unfortunately, the spam going to
your users is not from your users, and it's not to the "this is spam"
mailbox. The emails you're teaching SA about are not the spam your
users are receiving.

If your users are forwarding their spam as attachments, you need to
extract those attachments and learn the original spam, without
modification. If your users are forwarding their spam inline, then you
need to do something like found in
http://wiki.apache.org/spamassassin/SiteWideBayesFeedback

Bob Menschel
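
The attachment case described in the reply above, as an added example that is not part of the original thread: it pulls each message/rfc822 attachment out of a user's report so the original spam, with its own headers, is what gets learned, and writes the results to an mbox for the `sa-learn --spam --mbox <file>` call from the first post. The function names, addresses and sample messages are constructed for illustration; an inline forward yields nothing here because the original headers are no longer present.

```python
import email
import mailbox
from email.message import EmailMessage

def extract_forwarded_originals(raw: bytes) -> list:
    """Return every message/rfc822 attachment of a user report as bytes."""
    originals = []
    def visit(part):
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            # The parser stores the embedded message as a one-element list.
            if isinstance(payload, list) and payload:
                originals.append(payload[0].as_bytes())
            return  # anything nested deeper belongs to the spam itself
        if part.is_multipart():
            for child in part.get_payload():
                visit(child)
    visit(email.message_from_bytes(raw))
    return originals

def write_mbox(originals, path):
    """Append the extracted messages to an mbox file for sa-learn --mbox."""
    box = mailbox.mbox(path)
    try:
        for msg in originals:
            box.add(msg)
    finally:
        box.close()  # flushes the mailbox to disk
    return len(originals)

def build_sample_report(inline: bool) -> bytes:
    """Constructed sample: one report forwarded inline or as an attachment."""
    spam = EmailMessage()
    spam["From"] = "cards@bulk.example"
    spam["To"] = "user@site.example"
    spam["Subject"] = "You have a valentine card waiting"
    spam.set_content("Click to view your card\n")
    report = EmailMessage()
    report["From"] = "user@site.example"
    report["To"] = "spam-report@site.example"
    report["Subject"] = "Fwd: valentine card"
    if inline:
        report.set_content("--- Forwarded message ---\n" + spam.get_content())
    else:
        report.set_content("This one got through.\n")
        report.add_attachment(spam)
    return report.as_bytes()
```

Reports for which `extract_forwarded_originals` returns an empty list are the inline forwards, which need the separate handling the reply points to.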




Re: Care and feeding instructions for SpamAssassin?

Posted by Ryan Castellucci <ry...@gmail.com>.
On Thu, 10 Feb 2005 14:48:37 -0500, FH <fh...@usa.net> wrote:
> - Just out of curiosity why is it not a good idea to run spamd as
> `nobody`?

Some distros run many daemons as 'nobody' or have files that are
readable by nobody. It's more that running spamassassin as its own
user is BETTER than running it as nobody, which in turn is better than
running it as root. The idea is to limit the damage caused if someone
manages to get spamassassin to execute code.