Low detection rate

["Carnegie, Martin" <Ma...@atcoitek.com>]

Hi All,
 
We have been using SA for the past year and a half with detection rates
around 95% or better (based on client feedback).  Over the past couple
days (since Thursday April 21st) we have been getting lots of spam
making it through with detection rates at about 50%. Has anyone else
seen this?
 
We are currently on 3.0.1 with the following rules
40_antidrug.cf
70_sare_adult.cf
70_sare_html0.cf
99_chickenpox.cf
99_mangled.cf
99_sare_fraud_post25x.cf
 
We are not using Bayes, Razor or Pyzor as we have had really good
success without them.
 
Any recommendations (other than the "turn on Bayes")?
 
Thanks

Re: Low detection rate

[DNI Support Department <su...@dynamicnet.net>]

Greetings Martin:

Use surbl.

Thank you.


At 04:18 PM 4/25/2005, you wrote:
>Hi All,
>
>We have been using SA for the past year and a half with detection rates 
>around 95% or better (based on client feedback).  Over the past couple 
>days (since Thursday April 21st) we have been getting lots of spam making 
>it through with detection rates at about 50%. Has anyone else seen this?
>
>We are currently on 3.0.1 with the following rules
>40_antidrug.cf
>70_sare_adult.cf
>70_sare_html0.cf
>99_chickenpox.cf
>99_mangled.cf
>99_sare_fraud_post25x.cf
>
>We are not using Bayes, Razor or Pyzor as we have had really good success 
>without them.
>
>Any recommendations (other than the "turn on Bayes")?
>
>Thanks

Re: Low detection rate

[Matt Kettler <mk...@evi-inc.com>]

Paul Fielding wrote:

>Matt Kettler <mkettler <at> evi-inc.com> writes:
>
>  
>
>>Also, make sure your Net::DNS is sufficiently up-to-date so that the
>>URIBL tests (SURBL, etc) can run. Look to make sure you've got some spam
>>hitting URIBL_SC_SURBL, URIBL_WS_SURBL, etc.
>>    
>>
>
>
>Any suggestions on testing that the ability of URIBL tests to run?  Looking at 
>my own spam hits, it appears none are getting hit by URIBL tests anymore and 
>I'd like to figure out what made them stop, or if they have indeed stopped....
>
>regards,
>
>Paul
>
>
>  
>
Use the test point, this should hit one of the SURBL lists, but I forget
if it shows up as WS or SC:

http://surbl-org-permanent-test-point.com/

Re: Low detection rate

[Paul Fielding <pa...@fielding.ca>]

Matt Kettler <mkettler <at> evi-inc.com> writes:

> Also, make sure your Net::DNS is sufficiently up-to-date so that the
> URIBL tests (SURBL, etc) can run. Look to make sure you've got some spam
> hitting URIBL_SC_SURBL, URIBL_WS_SURBL, etc.


Any suggestions on testing that the ability of URIBL tests to run?  Looking at 
my own spam hits, it appears none are getting hit by URIBL tests anymore and 
I'd like to figure out what made them stop, or if they have indeed stopped....

regards,

Paul

RE: Low detection rate

[Bret Miller <br...@wcg.org>]

 
> To up hit rate I'd recommend adding the SARE random ruleset, and the
> tripwire ruleset.


Incidentally, you'll find custom rulesets defined here: 
http://wiki.apache.org/spamassassin/CustomRulesets

Some of our ruleset writers should edit this page so it's more
current....

Bret

Re: Low detection rate

[Matt Kettler <mk...@evi-inc.com>]

Carnegie, Martin wrote:

> Hi All,
>  
> We have been using SA for the past year and a half with detection
> rates around 95% or better (based on client feedback).  Over the past
> couple days (since Thursday April 21st) we have been getting lots of
> spam making it through with detection rates at about 50%. Has anyone
> else seen this?
>  
> We are currently on 3.0.1 with the following rules
> 40_antidrug.cf
> 70_sare_adult.cf
> 70_sare_html0.cf
> 99_chickenpox.cf
> 99_mangled.cf
> 99_sare_fraud_post25x.cf
>  
> We are not using Bayes, Razor or Pyzor as we have had really good
> success without them.
>  
> Any recommendations (other than the "turn on Bayes")?

My first suggestion would be to remove 40_antidrug.cf. While this won't
improve your hit-rate, it will remove duplication in your configuration.
SA 3.0 and higher ship with antidrug already included in 20_drugs.cf, so
40_antidrug.cf is just a duplication.

To up hit rate I'd recommend adding the SARE random ruleset, and the
tripwire ruleset.

Also, make sure your Net::DNS is sufficiently up-to-date so that the
URIBL tests (SURBL, etc) can run. Look to make sure you've got some spam
hitting URIBL_SC_SURBL, URIBL_WS_SURBL, etc.

Lastly, make sure that no spam messages are hitting the ALL_TRUSTED
rule. If they are, try checking for a broken trust path:

http://wiki.apache.org/spamassassin/TrustPath