Posted to users@spamassassin.apache.org by Mike Sassaman <ms...@strategictele.com> on 2006/01/12 18:48:31 UTC

spam scores low (Sendmail + smtp-vilter + SA )

Hello,

I'm new to this list and to SpamAssassin, and I have some questions that
will hopefully be easy for you all, but have been giving me problems.

Background: I've been running a Sendmail relay on OpenBSD for the last
couple years for a smallish company.  The only thing this machine does is
forward to an Exchange server - there are no mailboxes on it (besides root).
I'm not a Sendmail expert but it's been doing the job.

So recently I've installed SMTP-Vilter and SpamAssassin 3.0.4 from OpenBSD's
ports.  Now, according to the SA wiki and most of the things I've read, my
grandmother should be able to install SA and stop most spam out of the box.
However, this has not been my experience.  It appears to be 'working', in
the sense that headers are added to messages, for example:

X-SMTP-Vilter-Version: 1.1.9
X-SMTP-Vilter-Spam-Backend: spamd
X-Spam-Score: 7.3
X-Spam-Level: *******
X-Spam-Threshold: 5.0
X-Spam-Probability: 1.5
X-Spam-Status: spam

The message with the above headers had its subject successfully rewritten as
one would expect.

However, the vast majority of spam we receive gets a very low score, often
negative, and is not marked.  Simply lowering the threshold will not help me
because the spam scores often lower than legit mail.

So obviously I'm doing something horribly and stupidly wrong, but what?  

More specifically - for troubleshooting, how can I add headers to each
message showing what SA rules were hit?  How can I view the contents of the
auto-whitelist?  Is it bayes that is broken?  Can anyone suggest some
actions I can take to troubleshoot?

The default local.cf was very minimal, during troubleshooting I added some
things trying to get improvements.  This is my current
/etc/mail/spamassassin/local.cf:  

required_score 5
rewrite_header Subject *****SPAM*****
use_razor2 1
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
razor_timeout 600
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
use_bayes 1 
use_bayes_rules 1 
bayes_path /home/_vilter/.spamassassin/bayes 
bayes_auto_learn 1
bayes_auto_learn_threshold_spam 6
skip_rbl_checks 0
rbl_timeout 600
use_auto_whitelist 0
score ALL_TRUSTED 0 0 0 0

I'm fairly certain this file is being read because if I change the
required_score you see the change in the mail headers.

If I've missed some obvious piece of documentation that answers these
questions, feel free to point me to it.  I've searched the wiki and the man
pages and I'm still cloudy on what could be happening here.  Any ideas
welcome.

Thanks in advance,
Mike


Re: spam scores low (Sendmail + smtp-vilter + SA )

Posted by Matt Kettler <mk...@evi-inc.com>.
Mike Sassaman wrote:
> Hello,
> 
> I'm new to this list and to SpamAssassin, and I have some questions that
> will hopefully be easy for you all, but have been giving me problems.
> 
> Background: I've been running a Sendmail relay on OpenBSD for the last
> couple years for a smallish company.  The only thing this machine does is
> forward to an Exchange server - there are no mailboxes on it (besides root).
> I'm not a Sendmail expert but it's been doing the job.
> 
> So recently I've installed SMTP-Vilter and SpamAssassin 3.0.4 from OpenBSD's
> ports.  Now, according to the SA wiki and most of the things I've read, my
> grandmother should be able to install SA and stop most spam out of the box.
> However, this has not been my experience.  It appears to be 'working', in
> the sense that headers are added to messages, for example:
> 
> X-SMTP-Vilter-Version: 1.1.9
> X-SMTP-Vilter-Spam-Backend: spamd
> X-Spam-Score: 7.3
> X-Spam-Level: *******
> X-Spam-Threshold: 5.0
> X-Spam-Probability: 1.5
> X-Spam-Status: spam
> 
> The message with the above headers had its subject successfully rewritten as
> one would expect.
> 
> However, the vast majority of spam we receive gets a very low score, often
> negative, and is not marked.  Simply lowering the threshold will not help me
> because the spam scores often lower than legit mail.
> 
> So obviously I'm doing something horribly and stupidly wrong, but what?  
> 
> More specifically - for troubleshooting, how can I add headers to each
> message showing what SA rules were hit?  How can I view the contents of the
> auto-whitelist?  Is it bayes that is broken?  Can anyone suggest some
> actions I can take to troubleshoot?


Post a sample list of rules that hit one of these negative scoring spams.
Without a list of hits there's really no way to say what's going wrong.


> /etc/mail/spamassassin/local.cf:  
> 
> score ALL_TRUSTED 0 0 0 0


Please don't disable ALL_TRUSTED.. this is a very bad idea, and merely covers up
a larger problem (broken trusted_networks settings).

Re: spam scores low (Sendmail + smtp-vilter + SA )

Posted by Matt Kettler <mk...@evi-inc.com>.
jdow wrote:
> From: "Mike Sassaman" <ms...@strategictele.com>
> 
>> The default local.cf was very minimal, during troubleshooting I added some
>> things trying to get improvements.  This is my current
>> /etc/mail/spamassassin/local.cf: 
>> required_score 5
>> rewrite_header Subject *****SPAM*****
>> use_razor2 1
>> razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
>> razor_timeout 600
>> # report_safe 1
>> # trusted_networks 212.17.35.
>> # lock_method flock
>> use_bayes 1
>> use_bayes_rules 1
>> bayes_path /home/_vilter/.spamassassin/bayes
>> bayes_auto_learn 1
>> bayes_auto_learn_threshold_spam 6
>> skip_rbl_checks 0
>> rbl_timeout 600
>> use_auto_whitelist 0
>> score ALL_TRUSTED 0 0 0 0
> 
> 
> That bottom line is a severe problem, Mike. It will disable a lot of
> very helpful tools and rules within SA. Your bayes_*_autolearn
> thresholds need to be widened out. RBL checks are effectively disabled
> by your ALL_TRUSTED score.

That's not really true J.. zeroing out ALL_TRUSTED doesn't really affect the
RBLs at all.

However, zeroing out ALL_TRUSTED is covering up the fact that his
trusted/internal networks are all screwed up with over-trust.

Having screwed up internal networks will make the RBLs fail to match when they
should. SA doesn't check "internal" hosts against the RBLs.

The mail which hits ALL_TRUSTED will have a matching internal_networks setting
by default, which means no hosts will be checked against the RBLs for these
messages.

So, by zeroing out ALL_TRUSTED, he's not really disabling his RBLs, but Mike is
covering up the symptoms that are pointing out his RBLs are being disabled.
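
A simplified model of the behaviour described in the reply above, added here as an illustration (it is not part of the original thread and is not SpamAssassin's code): it shows how an over-broad trusted range makes ALL_TRUSTED fire and leaves no relay to look up in the RBLs. The header lines, addresses (documentation ranges), network lists and function names are all constructed assumptions, and internal networks are taken to equal the trusted ones.

```python
import ipaddress
import re

# Constructed Received lines, newest first, as seen on a relay at 192.0.2.10.
RECEIVED = [
    "from gw.sender.example ([203.0.113.77]) by mx.example.net",
    "from pc ([198.51.100.5]) by gw.sender.example",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_relays(received, trusted_networks):
    """Walk hops newest-first; trust stops at the first hop outside the list."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for line in received:
        match = IP_RE.search(line)
        if not match:
            continue
        ip = ipaddress.ip_address(match.group(1))
        # Headers written before an untrusted hop could be forged by it,
        # so every older hop is treated as untrusted as well.
        if not untrusted and any(ip in net for net in nets):
            trusted.append(str(ip))
        else:
            untrusted.append(str(ip))
    return trusted, untrusted


def evaluate(received, trusted_networks):
    """Report whether ALL_TRUSTED would fire and which hops remain for RBLs."""
    _, untrusted = split_relays(received, trusted_networks)
    return {
        "ALL_TRUSTED": not untrusted,   # only trusted hops handled the mail
        "rbl_candidates": untrusted,    # trusted/internal hops are skipped
    }


if __name__ == "__main__":
    # Over-trust: the sender's hosts fall inside the trusted ranges.
    print(evaluate(RECEIVED, ["192.0.2.0/24", "203.0.113.0/24",
                              "198.51.100.0/24"]))
    # Corrected: only the relay's own address is trusted.
    print(evaluate(RECEIVED, ["192.0.2.10/32"]))
```

In the over-trusted run the message scores as if it never left the local network, which is the symptom that zeroing ALL_TRUSTED hides.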





Re: spam scores low (Sendmail + smtp-vilter + SA )

Posted by jdow <jd...@earthlink.net>.
From: "Mike Sassaman" <ms...@strategictele.com>

> The default local.cf was very minimal, during troubleshooting I added some
> things trying to get improvements.  This is my current
> /etc/mail/spamassassin/local.cf:  
> 
> required_score 5
> rewrite_header Subject *****SPAM*****
> use_razor2 1
> razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
> razor_timeout 600
> # report_safe 1
> # trusted_networks 212.17.35.
> # lock_method flock
> use_bayes 1 
> use_bayes_rules 1 
> bayes_path /home/_vilter/.spamassassin/bayes 
> bayes_auto_learn 1
> bayes_auto_learn_threshold_spam 6
> skip_rbl_checks 0
> rbl_timeout 600
> use_auto_whitelist 0
> score ALL_TRUSTED 0 0 0 0

That bottom line is a severe problem, Mike. It will disable a lot of
very helpful tools and rules within SA. Your bayes_*_autolearn
thresholds need to be widened out. RBL checks are effectively disabled
by your ALL_TRUSTED score. And at least you sensibly have auto whitelist
turned off. But your Bayes database is probably effectively poisoned
at this point and needs to be erased and started fresh.

<rant>
And I think the SA gurus should put in an explicit test that prohibits
setting the score to zero. It should be set up properly so that ALL_TRUSTED
does not hit every time rather than papered over with a zero score.
</rant>

{^_^}