Posted to users@spamassassin.apache.org by "Stewart, John" <jo...@artesyncp.com> on 2006/03/06 18:05:16 UTC

Commercial SA packages?

We've been running SpamAssassin with amavisd-new for years... still on an
old version, and been meaning to update for far too long.

The fact is, I just don't have the time to give SA proper care and feeding. 

I know there are some commercial anti-spam packages based on SA. I'd like to
know if anyone has opinions on their effectiveness and admin ease. We can
afford to shell out some cash if it's easy to implement and we can more or
less forget about it.

Our environment is a postfix gateway with Exchange internally (right now
that traffic flows through the SA box to be tagged).

Any opinions?

thanks!

johnS

Re: Commercial SA packages?

Posted by Patrick Sneyers <cg...@bulckens.com>.
I suggest you get in touch with these hardworking fellows.
http://www.messagepartners.com

Patrick Sneyers
Belgium


On 6 Mar 06, at 18:05, Stewart, John wrote:

>
> We've been running SpamAssassin with amavisd-new for years... still on an
> old version, and been meaning to update for far too long.
>
> The fact is, I just don't have the time to give SA proper care and feeding.
>
> I know there are some commercial anti-spam packages based on SA. I'd like to
> know if anyone has opinions on their effectiveness and admin ease. We can
> afford to shell out some cash if it's easy to implement and we can more or
> less forget about it.
>
> Our environment is a postfix gateway with Exchange internally (right now
> that traffic flows through the SA box to be tagged).
>
> Any opinions?
>
> thanks!
>
> johnS


Re: Commercial SA packages?

Posted by Keith Dunnett <ke...@dunnett.org>.
Stewart, John wrote:

>We've been running SpamAssassin with amavisd-new for years... still on an
>old version, and been meaning to update for far too long.
>  
>
Spam changes with time. An outdated version of SpamAssassin is no more 
than a waste of CPU cycles.
If you take the time to upgrade, you will find that the latest version 
is more adept at detecting spam and
consequently needs less care and feeding.

>The fact is, I just don't have the time to give SA proper care and feeding. 
>  
>
1. Use rules_du_jour to keep rulesets up to date (choose selectively,
SARE is quite aggressive)
2. Use autowhitelisting, so SA learns by itself.
3. Ensure that you are using pyzor, razor, DCC and SURBLs. None of these
require maintenance and all will increase your spam detection rate massively.
4. Use a bayes database. Set up local accounts on the unix box to which
users can forward errors for retraining. Set your threshold high enough that
it takes more than Bayes to decide that a message is spam, if users are
unwilling to retrain. Not wise via amavisd; a global bayes database gets so
diluted as to be virtually useless. If you can run per-user spamassassin,
this is useful.
5. Use a mysql backend for per-user spamassassin settings; rig up something
that lets users whitelist any innocent addresses for themselves. (optional,
better to obviate the need)
6. Set a high threshold so you are deleting misses rather than retraining
false positives, if this is what you would prefer. With all of the above
installed, a required_score of 10 would catch the majority of spam but very
little innocent mail. Leaving it at 5 will generate false positives.
7. If filtering into a Spam folder is done on the Exchange box, do so based
on the X-Spam-Level header rather than X-Spam-Flag. That way you set the
default threshold fairly high, like 10 or 15, and those users who want more
aggressive spam filtering can set it lower with a personal filter rule.
To make that easy for them, set the X-Spam-Flag to come on at 6 points, but
filter by default on an X-Spam-Level of 10 - 15 points. Users who wish can
filter X-Spam-Flag: YES as well.

>I know there are some commercial anti-spam packages based on SA. I'd like to
>know if anyone has opinions on their effectiveness and admin ease. We can
>afford to shell out some cash if it's easy to implement and we can more or
>less forget about it.
>  
>
As the previous poster said, these won't much help you. Setting up the 
newest version of spamassassin
and doing so properly, with all the trimmings, will.

>Our environment is a postfix gateway with Exchange internally (right now
>that traffic flows through the SA box to be tagged).
>  
>
Well, you could start mounting directories on the *nix box for 
retraining...or you could set up aliases...
or, you can avoid all that by upping the threshold so you only hit spam 
that you're pretty sure about,
and at the same time using everything possible to increase the scores of 
detectable spam. Just for
interest's sake, I ran some counts on my spambox, which contains about a 
3-month sample of spam:
5 points or above:   1266 messages
6 points or above:   1250 messages (my current threshold, false positives are tolerably rare)
8 points or above:   1200 messages
10 points or above: 1172 messages
15 points or above: 1066 messages
20 points or above: 928 messages
25 points or above: 725 messages

I have *never* had a false positive that scored more than ten points, 
though your mileage may vary.
A threshold of 15 would all but guarantee not to block innocent mail, 
and reduces effectiveness against
known spam by < 20%. That requires no maintenance other than that which 
is done by cron, and leaves
you with a modicum of spam to delete (but probably less than you get 
now). You're still advised to
update spamassassin at least annually, though.

Regards,

Keith
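
Added example (not part of Keith's post and not SpamAssassin code): a sketch of the folder rule from item 7, filtering on the asterisk count in X-Spam-Level with a per-user override and an opt-in X-Spam-Flag check. The function names, the sample messages and the assumption that the gateway's own header is the topmost one are illustrative.

```python
import re
from email import message_from_string

DEFAULT_LEVEL = 10  # site-wide default; the post suggests 10 to 15 points


def spam_level(msg):
    """Count the asterisks in X-Spam-Level (one asterisk per whole point)."""
    # Assumption: the gateway adds its header at the top, so msg.get(), which
    # returns the first occurrence, reads the gateway's value and not one the
    # sender supplied further down.
    value = (msg.get("X-Spam-Level") or "").strip()
    match = re.fullmatch(r"\*+", value)
    # Absent, empty or malformed header counts as 0 points.
    return len(match.group(0)) if match else 0


def route(raw, user_level=None, use_flag=False):
    """Return 'Spam' or 'Inbox' for one raw message.

    user_level: a user's own, more aggressive threshold (personal rule).
    use_flag:   the user also files anything marked X-Spam-Flag: YES.
    """
    msg = message_from_string(raw)
    threshold = DEFAULT_LEVEL if user_level is None else user_level
    if spam_level(msg) >= threshold:
        return "Spam"
    flag = (msg.get("X-Spam-Flag") or "").strip().upper()
    if use_flag and flag == "YES":
        return "Spam"
    return "Inbox"


def make(stars, flag):
    """Build a constructed sample message with the given score headers."""
    return (f"X-Spam-Flag: {flag}\n"
            f"X-Spam-Level: {'*' * stars}\n"
            "Subject: constructed sample\n\nbody\n")


# Constructed samples: the flag comes on at 6 points, as in item 7.
BORDERLINE = make(7, "YES")   # flagged, but below the default folder level
OBVIOUS = make(12, "YES")     # above the default folder level
CLEAN = make(2, "NO")

if __name__ == "__main__":
    for name, raw in [("borderline", BORDERLINE), ("obvious", OBVIOUS),
                      ("clean", CLEAN)]:
        print(name, route(raw), route(raw, user_level=6),
              route(raw, use_flag=True))
```
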