On Fri, 2009-09-18 at 13:51 -0500, Jose Luis Marin Perez wrote:
> I have the problem that many SPAM emails being filtered to the mail
> box users, who might that be?
>
> These are the statistics from yesterday:
> Although filters 54% of users are reporting much SPAM

About half of the mail in-stream is spam? Yeah, generally that sounds like your users will complain. ;) The spam/overall ratio usually is *much* higher.

> Intel(R) Pentium(R) D CPU 2.80GHz
> 512 MB Ram
> 300GB HD

Ouch -- that server could go with some RAM, don't you think? No hard numbers, but given your 10k+ messages a day, I guess that's about the bare minimum. Oh, you mentioned yesterday running ClamAV, too. Yes, that is low. Hope you don't hit swap yet.

> SpamAssassin 3.2.5 - local.cf
>
> ok_locales all
> skip_rbl_checks 1

You *disabled* DNS BL checks. Enabling them should drastically improve results. You'd likely want a local, caching nameserver.

> required_hits 3

Not a safe thing to do. That's severely lower than the default. Do expect FPs. If you find yourself in the need to lower the threshold that drastically, something else is wrong.

Also, that option is deprecated (inherited from some ancient conf, I assume) and now listens to the name required_score.

> whitelist_from *...@ideasclaro.com.pe
> whitelist_from *...@surfcontrol.com
> whitelist_from *...@inkanatura.com.pe

*Lots* more snipped. If you need that much whitelisting, it indicates there is a problem -- in this case, my guess can be seen above. Your required_score threshold is too low, and thus you need to whitelist more and more legit senders...

Even worse, you are using the un-constrained variant. Do NOT do that, unless as a last resort. If you need whitelisting at all, do use at least the *_rcvd variant, if not the auth'ed ones.

In particular: DO NOT whitelist_from your own domain! If you do, a *lot* of spam will sail right through. Spammers love to pretend sending from your domain.

> header _LOCAL_I_HATE_VIAGRA Subject =~ /v.?[i1].?...@].?g.?[\@a]?.?r....@a]/i
> describe _LOCAL_I_HATE_VIAGRA viagra
> score _LOCAL_I_HATE_VIAGRA 100.0

Funny. Can't even recall when the last spam like that got through. Do you really need such rules?
Maybe your Bayes is severely mis-trained? Or maybe you need that to counter the whitelist_from for pills spam pretending to be sent from your own domain. The score sure hints at that...

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
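
Added example, not part of the original message or of SpamAssassin itself: a small Python check that flags the local.cf settings criticised in the reply above (DNS BL checks disabled, the deprecated required_hits name, a threshold below the default of 5, unconstrained whitelist_from, and whitelist_from for the site's own domain). The sample config, the finding codes and the example.* domains are constructed for illustration.

```python
# Added example: lint a SpamAssassin local.cf for the settings criticised in the reply.
# The sample config is constructed; example.com stands in for the site's own domain.
SAMPLE_LOCAL_CF = """\
ok_locales all
skip_rbl_checks 1
required_hits 3
whitelist_from *@partner.example.net
whitelist_from *@example.com
whitelist_from_rcvd *@lists.example.org example.org
"""

DEFAULT_REQUIRED_SCORE = 5.0  # SpamAssassin's stock required_score


def _is_own(domain, own_domains):
    """True if domain is one of the site's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in own_domains)


def lint_local_cf(text, own_domains):
    """Return a list of (line_no, code, detail) findings (codes are hypothetical labels)."""
    own = [d.lower() for d in own_domains]
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "skip_rbl_checks" and args[:1] == ["1"]:
            findings.append((no, "RBL_DISABLED", "DNS blocklist checks are off"))
        elif key in ("required_hits", "required_score"):
            if key == "required_hits":
                findings.append((no, "DEPRECATED_NAME", "use required_score"))
            try:
                score = float(args[0])
            except (IndexError, ValueError):
                continue  # malformed value: nothing to compare
            if score < DEFAULT_REQUIRED_SCORE:
                findings.append((no, "LOW_THRESHOLD", f"{score} < {DEFAULT_REQUIRED_SCORE}"))
        elif key == "whitelist_from":  # the *_rcvd and auth variants are not flagged
            for addr in args:
                domain = addr.rsplit("@", 1)[-1].lower()
                code = "OWN_DOMAIN_WHITELIST" if _is_own(domain, own) else "UNCONSTRAINED_WHITELIST"
                findings.append((no, code, addr))
    return findings


if __name__ == "__main__":
    for no, code, detail in lint_local_cf(SAMPLE_LOCAL_CF, ["example.com"]):
        print(f"local.cf:{no}: {code}: {detail}")
```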