I've been running SA as our main inbound SMTP gateway in front of our GroupWise 
system for about 18 months now. I process, filter, and quarantine for the whole 
enterprise and do not offer individual user control. I use postfix, amavisd, SA 
w/ Bayes, RDJ, Razor, some minimal SMTP-level RBLs, CA anti-virus and sa-learn 
via IMAP.

Last week I upgraded our system from SA v2.63 to v3.1; I am pleased at how well 
the process went. However, I immediately began to see a lot of false positives. 
Primarily, it seems that v3.1 has increased the BAYES_00 from -4 to -2.599, and 
there are a lot of additional checks. With v2.63 I had our kill_level set at 
3.9; I found virtually zero false positives and low enough false negatives to 
where the user community rarely barked (in fact, it's been so successful that 
when a VP gets a *single* spam it's like the world has come to an end...this, 
in an environment where we get 14M total SMTP connections per year!) So, to 
temporarily resolve this, I bumped our kill_level to 5.9 and am monitoring it; 
my false positives have pretty much disappeared. Of course, I've seen a 
*slight* increase in false negatives versus 2.63, so I'll be tuning.

What I'd like to know from the SA group is where did you eventually end up in 
terms of kill levels versus v2.63? Is a bump of two points about right? Did you 
end up removing or adding SMTP-level RBLs and/or RDJs during the transition? 
Any other changes I should consider? Our amount of spam has increased 
DRAMATICALLY over the last 2-3 weeks, plus the processing times within the box 
are going skyward (even on the secondary box still running v2.63), so any 
advice is sincerely appreciated.

Great work guys,

Greg Amy
Hartford (CT) Hospital




