On Fri, 2009-09-18 at 13:51 -0500, Jose Luis Marin Perez wrote:
> I have the problem that many SPAM emails being filtered to the mail
> box users, who might that be? 
> 
> These are the statistics from yesterday: 

> Although filters 54% of users are reporting much SPAM 

About half of the mail in-stream is spam? Yeah, generally that sounds
like your users will complain. ;)  The spam/overall ratio usually is
*much* higher.


> Intel(R) Pentium(R) D CPU 2.80GHz
> 512 MB Ram
> 300GB HD

Ouch -- that server could go with some RAM, don't you think? No hard
numbers, but given your 10k+ messages a day, I guess that's about the
bare minimum.

Oh, you mentioned yesterday running ClamAV, too. Yes, that is low. Hope
you don't hit swap yet.


> SpamAssassin 3.2.5 - local.cf
> 
> ok_locales all
> skip_rbl_checks 1

You *disabled* DNS BL checks. Enabling them should drastically improve
results. You'd likely want a local, caching nameserver.

> required_hits 3

Not a safe thing to do. That's severely lower than the default. Do
expect FPs. If you find yourself in the need to lower the threshold that
drastically, something else is wrong.

Also, that option is deprecated (inherited from some ancient conf, I
assume) and now listens to the name required_score.


> whitelist_from *...@ideasclaro.com.pe
> whitelist_from *...@surfcontrol.com
> whitelist_from *...@inkanatura.com.pe

*Lots* more snipped. If you need that much whitelisting, it indicates
there is a problem -- in this case, my guess can be seen above. Your
required_score threshold is too low, and thus you need to whitelist more
and more legit senders...

Even worse, you are using the un-constrained variant. Do NOT do that,
unless as a last resort. If you need whitelisting at all, do use at
least the *_rcvd variant, if not the auth'ed ones.

In particular: DO NOT whitelist_from your own domain! If you do, a *lot*
of spam will sail right through. Spammers love to pretend sending from
your domain.


> header _LOCAL_I_HATE_VIAGRA Subject =~ /v.?[i1].?...@].?g.?[\@a]?.?r....@a]/i
> describe _LOCAL_I_HATE_VIAGRA viagra
> score _LOCAL_I_HATE_VIAGRA 100.0

Funny. Can't even recall when the last spam like that got through. Do
you really need such rules?

Maybe your Bayes is severely mis-trained? Or maybe you need that to
counter the whitelist_from for pills spam pretending to be sent from
your own domain. The score sure hints at that...


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
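
An added example (not part of the original message, and not SpamAssassin's own code): a small Python audit of a local.cf for the settings criticised in the reply above, namely disabled DNSBL checks, the deprecated required_hits name, a threshold below the default of 5, and unconstrained whitelist_from entries, with the own-domain case flagged separately. The sample config, the example.* domains and the function name audit_local_cf are constructed for illustration.

```python
import fnmatch

DEFAULT_REQUIRED_SCORE = 5.0  # SpamAssassin's stock required_score

# Constructed sample config; the example.* domains are placeholders.
SAMPLE_LOCAL_CF = """\
ok_locales all
skip_rbl_checks 1
required_hits 3
whitelist_from *@partner.example.net
whitelist_from *@example.org
whitelist_from_rcvd *@vendor.example.com vendor.example.com
"""

def audit_local_cf(text, own_domains):
    """Return (line_no, code, message) tuples for risky local.cf settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "skip_rbl_checks" and value == "1":
            findings.append((no, "DNSBL_OFF", "DNS blocklist checks are disabled"))
        elif key in ("required_hits", "required_score"):
            if key == "required_hits":
                findings.append((no, "DEPRECATED", "use required_score instead"))
            try:
                low = float(value) < DEFAULT_REQUIRED_SCORE
            except ValueError:
                low = False  # unparsable value: leave it to spamassassin --lint
            if low:
                findings.append((no, "LOW_THRESHOLD", f"{value} is below the default 5"))
        elif key == "whitelist_from":  # exact match: *_rcvd / auth variants pass
            for pattern in value.split():
                domain = pattern.rsplit("@", 1)[-1].lower()
                if any(fnmatch.fnmatchcase(d.lower(), domain) for d in own_domains):
                    findings.append((no, "OWN_DOMAIN_WHITELISTED",
                                     f"{pattern} lets forged local senders through"))
                else:
                    findings.append((no, "UNCONSTRAINED_WHITELIST",
                                     f"{pattern}: prefer whitelist_from_rcvd"))
    return findings

if __name__ == "__main__":
    for no, code, msg in audit_local_cf(SAMPLE_LOCAL_CF, ["example.org"]):
        print(f"line {no}: {code}: {msg}")
```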
