Re: SpamAssassin scoring issues

2017-04-20 Thread RW
On Thu, 20 Apr 2017 12:08:54 +0200
Ralf Hildebrandt wrote:

> * David Jones :
> 
> > Are you hitting the URIBL_BLOCKED rule?  If so, please follow the
> > link in that reddit article to get rid of that rule hit.  This is
> > very important.  
> 
> Yes, but that's not his problem -- since the URIBL query fails in both
> delivery AND his test.
> 
> The actual differences are that these are NOT firing on delivery:
> 
> 1.9 URIBL_ABUSE_SURBL (OK, his IP might be blocked due to excessive
> queries)
> 1.2 RCVD_IN_BL_SPAMCOP_NET (that should work!)

I'm not really sure what you are saying here, but abuse is the name of
that particular SURBL list.

1.9 URIBL_ABUSE_SURBL  Contains an URL listed in the ABUSE SURBL blocklist


URIBL_BLOCKED is in both tests because the IP address of the shared DNS
server is blocked. 

URIBL_ABUSE_SURBL and RCVD_IN_BL_SPAMCOP_NET are most likely missing in
the first because the IP and URI domain were listed after delivery.
This is very common when you retest after a short delay. 


Re: SpamAssassin scoring issues

2017-04-20 Thread Ralf Hildebrandt
* David Jones :

> Are you hitting the URIBL_BLOCKED rule?  If so, please follow the
> link in that reddit article to get rid of that rule hit.  This is very 
> important.

Yes, but that's not his problem -- since the URIBL query fails in both
delivery AND his test.

The actual differences are that these are NOT firing on delivery:

1.9 URIBL_ABUSE_SURBL (OK, his IP might be blocked due to excessive queries)
1.2 RCVD_IN_BL_SPAMCOP_NET (that should work!)

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
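
The comparison made in the messages above (which rules fired on the retest but not at delivery, and whether a `*_BLOCKED` rule is present), as an added example that is not part of the original thread. The two `X-Spam-Status` headers are constructed samples, and `parse_status` and `compare` are hypothetical helper names.

```python
import re

# Constructed sample headers for one message, scanned at delivery and retested
# later with `spamassassin -t`. Scores and rule lists are illustrative.
AT_DELIVERY = (
    "X-Spam-Status: No, score=0.8 required=5.0 tests=HTML_MESSAGE,\n"
    "\tRDNS_NONE,URIBL_BLOCKED autolearn=no version=3.4.1\n"
)
ON_RETEST = (
    "X-Spam-Status: No, score=3.9 required=5.0 tests=HTML_MESSAGE,\n"
    "\tRCVD_IN_BL_SPAMCOP_NET,RDNS_NONE,URIBL_ABUSE_SURBL,URIBL_BLOCKED\n"
    "\tautolearn=no version=3.4.1\n"
)

STATUS_RE = re.compile(
    r"^X-Spam-Status:.*?score=(-?[\d.]+).*?tests=((?:\w+,\s*)*\w+)", re.M | re.I)

def parse_status(headers):
    """Return (score, set of rule names) from an X-Spam-Status header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)   # RFC 5322 unfolding
    m = STATUS_RE.search(unfolded)
    if m is None:
        raise ValueError("no X-Spam-Status header found")
    rules = set(re.split(r",\s*", m.group(2)))
    rules.discard("none")          # SpamAssassin writes tests=none for no hits
    return float(m.group(1)), rules

def compare(delivery, retest):
    """Diff two scans of the same message and flag a blocked resolver."""
    d_score, d_rules = parse_status(delivery)
    r_score, r_rules = parse_status(retest)
    return {
        "score_delta": round(r_score - d_score, 1),
        "only_on_retest": sorted(r_rules - d_rules),
        "only_at_delivery": sorted(d_rules - r_rules),
        # *_BLOCKED means the list operator refused the query, so that
        # list's lookups through this resolver returned no real listing data.
        "dns_blocked": sorted(r for r in d_rules | r_rules
                              if r.endswith("_BLOCKED")),
    }

if __name__ == "__main__":
    for key, value in compare(AT_DELIVERY, ON_RETEST).items():
        print(f"{key}: {value}")
```

Rules that appear only on the retest are consistent with listings added after delivery; a rule in `dns_blocked` on both scans points at the resolver rather than at timing.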


Re: SpamAssassin scoring issues

2017-04-20 Thread Ralf Hildebrandt
* W B :
> Hey all! I'm having issues with SpamAssassin; it's assigning emails scores
> that are way lower than it should. In addition, the scores it's assigning as
> emails come in are different from the results of running SpamAssassin -t on
> that same email after the fact.

So, how is SpamAssassin invoked when mail comes in (which user is
being used to run SA?) and how has it been run when testing?

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155


Re: SpamAssassin scoring issues

2017-04-19 Thread W B
I actually had no idea SpamAssassin could do bayesian training - I'm an 
idiot. Lol. Thank you for pointing that out to me!



On 4/19/2017 2:56 PM, RW wrote:

> On Wed, 19 Apr 2017 14:36:24 -0400
> W B wrote:
>
> > Hey all! I'm having issues with SpamAssassin; it's assigning emails
> > scores that are way lower than it should. In addition, the scores
> > it's assigning as emails come in are different from the results of
> > running SpamAssassin -t on that same email after the fact.
> >
> > I'd like to avoid posting too much text in a single email, so here's
> > a link to a Reddit post I made outlining the issues I'm having:
> > https://www.reddit.com/r/webdev/comments/660n2w/spamassassin_scores_are_oddly_low_different_from/
> >
> > If anyone has any clue what the issue is or is able to help, please
> > let me know!
>
> This is normal. In the interval the IP address was reported to spamcop
> and a URI in the email was reported to SURBL.
>
> > I'm getting flooded with spam emails to the point that
> > it's hard to find my actual legitimate emails in my inbox...
>
> There are two obvious problems:
>
> 1. URIBL_BLOCKED, you need to set up your own nameserver that does its
> own DNS lookups. At the moment you are probably using a shared DNS
> cache which leads to a lot of look-ups coming from the same IP
> address.
>
> 2. You aren't using Bayes - this is the main problem.



Re: SpamAssassin scoring issues

2017-04-19 Thread RW
On Wed, 19 Apr 2017 14:54:03 -0400
W B wrote:

> You guys are all correct. Somehow I've been overlooking that message
> - I must have misread something. Either way, thank you so much for
> the help; I've set up unbound, so hopefully that should solve the
> issue.

It probably won't. It's a significant problem, but it's overstated.

Turn on Bayes, and preferably train it manually, with autolearning
turned off.  

You might also consider using the pyzor and dcc plugins.


Re: SpamAssassin scoring issues

2017-04-19 Thread RW
On Wed, 19 Apr 2017 14:36:24 -0400
W B wrote:

> Hey all! I'm having issues with SpamAssassin; it's assigning emails 
> scores that are way lower than it should. In addition, the scores
> it's assigning as emails come in are different from the results of
> running SpamAssassin -t on that same email after the fact.
> 
> I'd like to avoid posting too much text in a single email, so here's
> a link to a Reddit post I made outlining the issues I'm having: 
> https://www.reddit.com/r/webdev/comments/660n2w/spamassassin_scores_are_oddly_low_different_from/
> 
> If anyone has any clue what the issue is or is able to help, please
> let me know!


This is normal. In the interval the IP address was reported to spamcop
and a URI in the email was reported to SURBL.


> I'm getting flooded with spam emails to the point that
> it's hard to find my actual legitimate emails in my inbox...

There are two obvious problems:

1. URIBL_BLOCKED, you need to set up your own nameserver that does its
own DNS lookups. At the moment you are probably using a shared DNS
cache which leads to a lot of look-ups coming from the same IP
address.

2. You aren't using Bayes - this is the main problem.


Re: SpamAssassin scoring issues

2017-04-19 Thread W B
You guys are all correct. Somehow I've been overlooking that message - I 
must have misread something. Either way, thank you so much for the help; 
I've set up unbound, so hopefully that should solve the issue.


Sorry, and thank you!


On 4/19/2017 2:48 PM, David Jones wrote:

> > From: W B <wil...@wilsonbiggs.com>
> > Sent: Wednesday, April 19, 2017 1:36 PM
> > To: users@spamassassin.apache.org
> > Subject: SpamAssassin scoring issues
> >
> > Hey all! I'm having issues with SpamAssassin; it's assigning emails
> > scores that are way lower than it should. In addition, the scores it's
> > assigning as emails come in are different from the results of running
> > SpamAssassin -t on that same email after the fact.
> >
> > I'd like to avoid posting too much text in a single email, so here's a
> > link to a Reddit post I made outlining the issues I'm having:
> > https://www.reddit.com/r/webdev/comments/660n2w/spamassassin_scores_are_oddly_low_different_from/
> >
> > If anyone has any clue what the issue is or is able to help, please let
> > me know! I'm getting flooded with spam emails to the point that it's
> > hard to find my actual legitimate emails in my inbox... thank you!!!
>
> Are you hitting the URIBL_BLOCKED rule?  If so, please follow the
> link in that reddit article to get rid of that rule hit.  This is very
> important.
>
> Minor scoring differences are to be expected based on the passing
> of time and RBL listing changes but if you are hitting the
> URIBL_BLOCKED rule then basically RBLs are not working properly.
>
> What MTA are you using?  It's best to fine tune the MTA to do RBL
> checks that will block the majority of the spam/junk before it reaches
> SA.  Make sure you are using zen.spamhaus.org and b.barracudacentral.org
> RBLs at a minimum.  If you are using Postfix, enable postscreen and
> refer to the SA mailing list archives to posts that reference senderscore.org
> which is another valuable RBL best used in a weighting fashion with
> postscreen.
>
> Dave




Re: SpamAssassin scoring issues

2017-04-19 Thread David Jones
>From: W B <wil...@wilsonbiggs.com>
>Sent: Wednesday, April 19, 2017 1:36 PM
>To: users@spamassassin.apache.org
>Subject: SpamAssassin scoring issues
    
>Hey all! I'm having issues with SpamAssassin; it's assigning emails
>scores that are way lower than it should. In addition, the scores it's 
>assigning as emails come in are different from the results of running 
>SpamAssassin -t on that same email after the fact.

>I'd like to avoid posting too much text in a single email, so here's a 
>link to a Reddit post I made outlining the issues I'm having: 
>https://www.reddit.com/r/webdev/comments/660n2w/spamassassin_scores_are_oddly_low_different_from/

>If anyone has any clue what the issue is or is able to help, please let 
>me know! I'm getting flooded with spam emails to the point that it's 
>hard to find my actual legitimate emails in my inbox... thank you!!!

Are you hitting the URIBL_BLOCKED rule?  If so, please follow the
link in that reddit article to get rid of that rule hit.  This is very 
important.

Minor scoring differences are to be expected based on the passing
of time and RBL listing changes but if you are hitting the
URIBL_BLOCKED rule then basically RBLs are not working properly.

What MTA are you using?  It's best to fine tune the MTA to do RBL
checks that will block the majority of the spam/junk before it reaches
SA.  Make sure you are using zen.spamhaus.org and b.barracudacentral.org
RBLs at a minimum.  If you are using Postfix, enable postscreen and
refer to the SA mailing list archives to posts that reference senderscore.org
which is another valuable RBL best used in a weighting fashion with
postscreen.

Dave

Re: SpamAssassin scoring issues

2017-04-19 Thread Benny Pedersen

W B wrote on 2017-04-19 20:36:

> https://www.reddit.com/r/webdev/comments/660n2w/spamassassin_scores_are_oddly_low_different_from/

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block

Have you read this and solved it?


SpamAssassin scoring issues

2017-04-19 Thread W B
Hey all! I'm having issues with SpamAssassin; it's assigning emails 
scores that are way lower than it should. In addition, the scores it's 
assigning as emails come in are different from the results of running 
SpamAssassin -t on that same email after the fact.


I'd like to avoid posting too much text in a single email, so here's a 
link to a Reddit post I made outlining the issues I'm having: 
https://www.reddit.com/r/webdev/comments/660n2w/spamassassin_scores_are_oddly_low_different_from/


If anyone has any clue what the issue is or is able to help, please let 
me know! I'm getting flooded with spam emails to the point that it's 
hard to find my actual legitimate emails in my inbox... thank you!!!


-
Wilson Biggs
wil...@wilsonbiggs.com