Op di 27 aug. 2019 om 15:09 schreef Matus UHLAR - fantomas < uh...@fantomas.sk>:
> On 27.08.19 14:50, Lambert Rots wrote: > >Time difference between amavisd-new and spamassassin checks are +30 > minutes. > > > >I don't reject spam, spam is set to be discarded: > > >$final_spam_destiny = D_DISCARD; #!!! D_DISCARD / D_REJECT > > so, you don't know of spam that gets discarded, and it's quite possible > that > much of spam is dropped before you can scan it again using spamassassin, > correct? > > Well, I know which spam mail gets through ;-) Looking at the logs I don't see a lot of messages about discards on amavisd-new but postfix is doing a good job on the blacklist checks (+90/day mails blocked) > that way, it's quite possible that spam that sneaks in, is "early recipient > based", so it would be rejected half hour later. > > >~amavis/.spamassissin contains: > >-rw------- 1 amavis amavis 40960 Aug 27 07:45 bayes_seen > >-rw------- 1 amavis amavis 1310720 Aug 27 07:45 bayes_toks > >-rw-r--r-- 1 amavis amavis 1869 Aug 16 13:23 user_prefs > > btw, how do you check spam by spamassassin? > for comparing to amavis scores I use > > (cd /tmp; su -s /bin/sh -c 'spamassassin -x' amavis) < file | less > > I configured postfix to save all email messages (dont_remove = 1) so I can work with the 'original' email. I copy a message from the saved directory to /tmp using: postcat -hb /var/spool/postfix/saved/<ID> > /tmp/<ID> Then I run spamassassin as user amavis: su amavis -c 'spamassassin -D -t < /tmp/<ID>' > >The user_prefs is just a sample file with only commented/blank lines > > ...so the results aren't flawed due to amavis' user_prefs. > > >$ ls -lh /etc/amavisd/ > >total 88K > >-rw-r--r-- 1 root root 37K Aug 22 12:22 amavisd.conf > >-rw-r--r-- 1 root root 37K Jul 19 12:32 amavisd.conf.rpmsave > >-rw-r--r-- 1 root root 19 Jul 5 2016 sender_scores_sitewide > >-rw-r--r-- 1 root root 95 Jul 21 2018 whitelist_sender > > > >sender_scores_sitewide contains one specific domain with score -5.0 to > >prevent mail from that domain to be accidentally identified as spam. > >whitelist_sender contains my logwatch sender to prevent my logwatch > reports > >to be seen as spam. > > I put those into SA's local.cf, this way they get the same score when > checked by SA or by amavis. > > Good idea, thanks > > >> >Op zo 18 aug. 2019 om 11:59 schreef Matus UHLAR - fantomas < > >> >uh...@fantomas.sk>: > >> >> this is also a different issue. Many sites and webs get into > blacklist > >> >> after the spam starte spreading, so first (early) recipients don't > see > >> >> the mail in blacklist, while late recipients or later checks shows > >> >> blacklists. > > >> On 26.08.19 11:22, Lambert Rots wrote: > >> >Comparing debug logs between Amavisd-new (debug-sa) and spamassassin > >> >directly shows that blacklist checks score 0 with NXDOMAIN replies when > >> >the mail arrives the first time where spamassassin scores +3 with > >> >several hits on blacklist checks. > > >Op ma 26 aug. 2019 om 15:50 schreef Matus UHLAR - fantomas < > >uh...@fantomas.sk>: > >> this shows early recipient issue. What's the time difference > >> between amavis and spamassassin checks? > >> Are there any differences in rules hit than blacklits? > > >> >I just cannot imagine that all spam I receive is early recipient based, > >> > >> do you reject any spam? > >> > >> >besides, postfix is already taking care of most blacklist checking. > >> > >> postfix does only check blacklists on direct sending machine. SA does > deep > >> header checks, which is why SA blacklist checks have more hits than > >> postfix. > >> > >> >Most spam mail is coming from the same email domains, share the same > >> >subject and a lot of other stuff on which amavisd-new should be able to > >> >identify it as spam. Bayes scores some mail but not all. > >> > >> train what you can. bayes training is one the best antispam tools > >> available. > >> > >> >Spam senders try a lot to bypass anti spam but in my opinion > amavisd-new > >> >should be able to do better than marking less than 1 percent of spam > mail > >> >as spam. > >> > >> what does ~amavis/.spamassassin contain? > >> what does /etc/amavis/conf.d/ contain? > > -- > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ > Warning: I wish NOT to receive e-mail advertising to this address. > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. > Saving Private Ryan... > Private Ryan exists. Overwrite? (Y/N) >