Posted to users@spamassassin.apache.org by Juan Mas <ju...@gmail.com> on 2006/10/24 22:34:24 UTC
Change scoring?
I'm looking to change scoring in my SA setup. As it stands now, we know
mostly what e-mails and from whom we will be receiving to our system that SA
is monitoring. I'd like to make our scoring a bit more strict. Right now
I've got spam being flagged at required score 1, and I still have a good 20%
coming through the system. Can anyone point me to where I can go about
changing the rules scoring?
--
-Juan
Re: Change scoring?
Posted by jdow <jd...@earthlink.net>.
From: "Chris St. Pierre" <st...@NebrWesleyan.edu>
> On Tue, 24 Oct 2006, Juan Mas wrote:
>
>> I'm looking to change scoring in my SA setup. As it stands now, we know
>> mostly what e-mails and from whom we will be receiving to our system that SA
>> is monitoring. I'd like to make our scoring a bit more strict. Right now
>> I've got spam being flagged at required score 1, and I still have a good 20%
>> coming through the system. Can anyone point me to where I can go about
>> changing the rules scoring?
>
> I don't think we'd get any mail if we set our score to 1. :)
>
> Are you using network tests and the SARE rulesets?
>
> Also, are you using a reasonably well-trained Bayes? If you know what
> kind of mail you'll be getting, it should be easy to construct a
> corpus -- and then crank up the scores for the higher Bayes percentages.
>
> Still, I can't help but wonder if there's some sort of
> misconfiguration. What spam sneaks through our system tends to be
> scored in the 3-4.9 range -- i.e., just below our threshold of 5. I
> see _very_ few reported false negatives with a score below 2 or 3.
He should also look for ALL_TRUSTED in his logs or message markups. If
it's there he has a toasted setup and needs to fix his trust (as in only
trusted not to forge headers) arrangements. He should visit the WIKI to
learn more about this common problem.
{^_^}
Re: Change scoring?
Posted by Juan Mas <ju...@gmail.com>.
Thanks for all the info, Chris. I didn't have dns_available, nor did I have
Razor, Pyzor, DCC. I made those changes, and added a bunch of checkers from
rulesdujour. Since I made the changes, I'm now getting scores of 15+
consistently, though I don't know if that's just a coincidence, we'll see in
a week or so.
On 10/25/06, Chris St. Pierre <st...@nebrwesleyan.edu> wrote:
>
> On Tue, 24 Oct 2006, Juan Mas wrote:
>
> > Are all these files not included in the installation? I pretty much out of
> > the box'd it. Our mail to this server is so limited that I figured that
> > this would be okay, along with a short whitelist we have. When I first
> > installed SA, it was missing about 5% of spam. Now that number has increased
> > to 20-25%
> >
>
> Please keep your replies on-list.
>
> To enable network tests, you need to make sure that you're not running
> spamd with the -L flag. Also, add:
>
> dns_available yes
>
> to your local.cf, and make sure that skip_rbl_checks is *not* present
> in your local.cf.
>
> You may also wish to install and enable Pyzor, Razor, and/or DCC;
> instructions for each of those can be found in the SA wiki.
>
> You can find the SARE rulesets here:
>
> http://www.rulesemporium.com/rules.htm
>
> Instructions for auto-updating them are at either of these places:
>
> http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
> http://www.exit0.us/index.php?pagename=RulesDuJour
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
>
>
>
--
-Juan
Re: Change scoring?
Posted by "Chris St. Pierre" <st...@NebrWesleyan.edu>.
On Tue, 24 Oct 2006, Juan Mas wrote:
> Are all these files not included in the installation? I pretty much out of
> the box'd it. Our mail to this server is so limited that I figured that
> this would be okay, along with a short whitelist we have. When I first
> installed SA, it was missing about 5% of spam. Now that number has increased
> to 20-25%
>
Please keep your replies on-list.
To enable network tests, you need to make sure that you're not running
spamd with the -L flag. Also, add:
dns_available yes
to your local.cf, and make sure that skip_rbl_checks is *not* present
in your local.cf.
You may also wish to install and enable Pyzor, Razor, and/or DCC;
instructions for each of those can be found in the SA wiki.
You can find the SARE rulesets here:
http://www.rulesemporium.com/rules.htm
Instructions for auto-updating them are at either of these places:
http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt
http://www.exit0.us/index.php?pagename=RulesDuJour
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
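
Added example, not part of the original thread: a small Python check of the three network-test settings named in the message above (spamd's -L flag, dns_available, skip_rbl_checks). The sample local.cf text and spamd options are constructed, and treating the last occurrence of a repeated setting as the effective one is an assumption.

```python
# Added example: constructed inputs, not taken from the poster's system.
LOCAL_CF = """\
# constructed sample local.cf
required_score 1.0
skip_rbl_checks 1
report_safe 0   # trailing comment
"""
SPAMD_ARGS = "-d -c -m5 -L"  # constructed spamd command-line options


def parse_cf(text):
    """Map each setting name to the list of values given for it, in file order."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, *rest = line.split(None, 1)
            settings.setdefault(key, []).append(rest[0] if rest else "")
    return settings


def audit(local_cf, spamd_args):
    """Return one finding per network-test setting that disagrees with the advice."""
    cf = parse_cf(local_cf)
    findings = []
    # Only stand-alone -L / --local tokens are recognised, not bundled short flags.
    if {"-L", "--local"} & set(spamd_args.split()):
        findings.append("spamd runs with -L: network tests are disabled")
    # Assumption: when a setting is repeated, the last line is the effective one.
    if cf.get("dns_available", [""])[-1].lower() != "yes":
        findings.append("dns_available is not set to yes")
    if "skip_rbl_checks" in cf:
        findings.append("skip_rbl_checks is present: remove it")
    return findings


if __name__ == "__main__":
    for finding in audit(LOCAL_CF, SPAMD_ARGS):
        print("FIX:", finding)
```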
Re: Change scoring?
Posted by "Chris St. Pierre" <st...@NebrWesleyan.edu>.
On Tue, 24 Oct 2006, Juan Mas wrote:
> I'm looking to change scoring in my SA setup. As it stands now, we know
> mostly what e-mails and from whom we will be receiving to our system that SA
> is monitoring. I'd like to make our scoring a bit more strict. Right now
> I've got spam being flagged at required score 1, and I still have a good 20%
> coming through the system. Can anyone point me to where I can go about
> changing the rules scoring?
I don't think we'd get any mail if we set our score to 1. :)
Are you using network tests and the SARE rulesets?
Also, are you using a reasonably well-trained Bayes? If you know what
kind of mail you'll be getting, it should be easy to construct a
corpus -- and then crank up the scores for the higher Bayes percentages.
Still, I can't help but wonder if there's some sort of
misconfiguration. What spam sneaks through our system tends to be
scored in the 3-4.9 range -- i.e., just below our threshold of 5. I
see _very_ few reported false negatives with a score below 2 or 3.
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
Re: Change scoring?
Posted by Matt Kettler <mk...@verizon.net>.
Juan Mas wrote:
> I'm looking to change scoring in my SA setup. As it stands now, we
> know mostly what e-mails and from whom we will be receiving to our
> system that SA is monitoring. I'd like to make our scoring a bit more
> strict. Right now I've got spam being flagged at required score 1, and
> I still have a good 20% coming through the system. Can anyone point
> me to where I can go about changing the rules scoring?
Well, first, before you go tinkering around too much, I'd look at why
you have 20% coming through at a required score of 1. That's just not
right. You should have very little spam coming through un-tagged at that
level, and if you're not, it implies something is deeply wrong.
Take a look at those untagged spams. What rules are hitting?
Is ALL_TRUSTED hitting?
http://wiki.apache.org/spamassassin/TrustPath
Is USER_IN_WHITELIST hitting? Did you add "whitelist_from *@mydomain.com"
to your config?
Delete it, or replace with a whitelist_from_rcvd (takes two
parameters, not one.)
NEVER use whitelist_from again if you can avoid it. Spammers can get
their mail through by simple header forgery if you use whitelist_from.
Is BAYES_00 hitting?
Increase your spam training with sa-learn.
Other suggestions can be found in the "Spam getting through?" section of:
http://wiki.apache.org/spamassassin/UsingSpamAssassin
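
Added example, not part of the original thread: the "what rules are hitting?" check from the reply above, as a Python script that reads the X-Spam-Status header of spam that got through untagged and counts ALL_TRUSTED, USER_IN_WHITELIST and BAYES_00 hits. The sample messages are constructed, and the header layout (score=, tests=, folded continuation lines) is the SpamAssassin 3.x markup as assumed here.

```python
import re
from collections import Counter
from email import message_from_string

# Rules named in the reply above, with the fix it suggests for each.
SUSPECT = {
    "ALL_TRUSTED": "trust path is wrong, see the TrustPath wiki page",
    "USER_IN_WHITELIST": "drop whitelist_from or switch to whitelist_from_rcvd",
    "BAYES_00": "train Bayes on more spam with sa-learn",
}

# Constructed sample messages (spam that was delivered untagged).
MISSED = [
    "Subject: constructed 1\n"
    "X-Spam-Status: No, score=-1.2 required=1.0 tests=ALL_TRUSTED,BAYES_00,\n"
    "\tHTML_MESSAGE autolearn=ham version=3.1.7\n\nbody\n",
    "Subject: constructed 2\n"
    "X-Spam-Status: No, score=-97.4 required=1.0 tests=BAYES_00,\n"
    "\tUSER_IN_WHITELIST autolearn=no version=3.1.7\n\nbody\n",
    "Subject: constructed 3\n"
    "X-Spam-Status: No, score=0.0 required=1.0 tests=none autolearn=no\n\nbody\n",
]


def rules_hit(raw_message):
    """Return (score, [rule names]) from a message's X-Spam-Status header."""
    status = message_from_string(raw_message).get("X-Spam-Status", "")
    status = " ".join(status.split())  # unfold the header's continuation lines
    score = re.search(r"\b(?:score|hits)=(-?[\d.]+)", status)  # hits= in older markup
    tests = re.search(r"\btests=(.*?)(?= \w+=|$)", status)
    names = tests.group(1).replace(" ", "").split(",") if tests else []
    return (float(score.group(1)) if score else None,
            [n for n in names if n and n != "none"])


def triage(messages):
    """Count, across missed spam, how often each suspect rule fired."""
    counts = Counter()
    for raw in messages:
        counts.update(rules_hit(raw)[1])
    return [(rule, counts[rule], fix) for rule, fix in SUSPECT.items() if counts[rule]]


if __name__ == "__main__":
    for rule, n, fix in triage(MISSED):
        print(f"{rule} hit on {n} of {len(MISSED)} missed spams: {fix}")
```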