OT - Has anyone tried RSPAMD?

2015-12-13 Thread Marc Perkel 

And if you have - is it any good? Or am I wasting my time with it?

Thanks in advance. I know it's off topic.

--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400

Re: Strange behaviour by the AWL module

2015-12-13 Thread Sebastian Arcus 

On 12/12/15 23:43, Benny Pedersen wrote:
On December 12, 2015 8:33:28 PM Sebastian Arcus  
wrote:



I guess I must be using the default settings - as I don't think I've
configured anything in particular for AWL


change default /16 cidr to new default /24 for ipv4, for ipv6 use /64, 
if you like to track on /32 for ipv4 then each ipv4 wil, have no 
shared awl scores


possible also change defaul awl faktory from 0.5 to 0.25 will reduce 
how much benefit from previous score


if changeing settings, delete awl db
Thank you - for the time being I've disabled the AWL module - as I've 
worked out that on my type of setup it doesn't appear to be really needed.

Re: Strange behaviour by the AWL module

2015-12-13 Thread Sebastian Arcus 

On 12/12/15 19:57, John Hardin wrote:

On Sat, 12 Dec 2015, Sebastian Arcus wrote:


On 12/12/15 18:21, John Hardin wrote:

 On Sat, 12 Dec 2015, Sebastian Arcus wrote:

>  One of my servers received a spam message which SA missed, with 
the >  following report:
> >  -0.4 AWLAWL: Adjusted score from AWL 
reputation of >  From: address
> >  After learning the messages as spam into bayes with sa-learn, I 
get the >  following report:
> >  -6.1 AWLAWL: Adjusted score from AWL 
reputation of >  From: address
> > >  Luckily the message is now flagged as spam because I have 
manually >  turned up the score on my BAYES_99 and BAYES_999 awhile 
ago. But what >  intrigues me is that now the AWL module gives it a 
-6.1 score. Why would >  AWL now tilt things heavily towards ham, 
after the message has just been >  learned as spam? It seems to be 
making things worse instead of better. >  Unless I am 
misunderstanding what AWL is supposed to be doing?


 You are. The name is misleading. AWL is more a score averager than a
 whitelist. It's intended to allow for the occasionally spammy-looking
 email from a historically hammy sender (and vice versa).

 It has nothing to do with training, which only affect Bayes.

 Messages from that sender will get negative AWL scores for a while 
until

 their traffic history becomes more on the "spam" side.


OK - that's kind of what I assumed. What I don't understand is why 
the AWL score changes after the message has been learned into the 
Bayes database - and by so much?


It's not that you trained it into Bayes, but that SA had previously 
only seen email from that source address that was scored as ham. I'm 
assuming that's the first message you got from that source address? So 
their entire AWL history is 100% hammy based on the original FN.


You scan the message again, it scores as spammy now for whatever 
reason; SA checks the AWL history for that sender address and sees 
"100% hammy" and generates a partially-ofsetting negative score.


As that sender's AWL history shifts from "100% hammy" towards "99% 
spammy" (assuming you ever get mail from that address again) the 
offsetting score will head towards zero. I don't *think* AWL will 
generate positive scores for spams from a historically spammy sender 
(i.e. I think AWL is purely to offset the raw score for anomalies), so 
you should see AWL scores stop once their history is "mostly spammy".


Thank you for that explanation!