On Mon, Sep 21, 2009 at 11:34 AM, Martin Gregorie <mar...@gregorie.org> wrote:
> On Mon, 2009-09-21 at 09:58 -0500, Jose Luis Marin Perez wrote:
>
>> I will implement improvements in the configuration suggested and
>> observe the results, however, that more could be suggested to improve
>> my spam service?
>>
> I think you need to find out more about where your system resources are
> going.
>
> For starters, take a look at maillog (/var/log/maillog on my system) to
> check whether any SA child processes are timing out. If they are, you
> need to find out why processing those messages took so long and, if
> possible, speed that up, e.g. if RBL checks or domain name lookups are
> slow, consider running a local caching DNS.
>
> If that doesn't turn up anything obvious, use performance monitoring
> tools (sar, iostat, mpstat, etc) to see what is consuming the system
> resources: you have to know where and what the bottleneck(s) are before
> you can do anything about them. You can find these tools here:
>
> http://freshmeat.net/projects/sysstat/
>
> if they aren't part of your distro's package repository.
>
>
> Martin
>
Has there been any evidence that the OP's system is short on resources? If so I missed it.

The complaint was that too much spam is making it past the filter, with a detection rate of only 54%. This is not a very good percentage for a typical mail flow (if it is actually accurate, i.e. not missing the mails rejected by RBLs or RFC/syntax checks). There were several issues with the configuration that kind people on the list have pointed out. Assuming these suggested changes have been implemented, what is the detection rate now?

From the posted local.cf, it is evident that the SA configuration is not working very well. There are many manually entered whitelist rules, and also many manually added rules that score 100. This is a telltale sign of a very bad setup that is attempting to bandaid instead of fixing the core issue. And as pointed out before, both the whitelist and the subject match -> 100 are very bad ideas. Whitelisting the sender is so easily taken advantage of by spammers, and those +100pts matches are sure to generate FPs.

Using rules this way demonstrates lack of understanding in the way that SA is supposed to work. SA rules rarely attempt to kill a message in one shot (100 pts), instead they add or subtract a small amount from the score based on likelihood that a match means spam or ham. Fine tuning, not smashing with a hammer.

So, I think it is pretty safe to assume that the problem lies within the SA configuration. Maybe there are old rulesets that need to be updated. Maybe not a good selection of rulesets in the first place. Perhaps this is an "out of the box" configuration that has never been properly set up.

There are many good guides to setting up SA and supporting services available online. If the OP were to follow one of them to the letter, I think the detection rate would be much improved. Also some time spent learning more about SA in general would allow the OP to fine tune his config so that the current manual effort put into creating hammer smashing rules is unneeded.

Good luck
-Aaron
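Added example, not part of the original thread: a small Python audit that flags the two local.cf patterns criticised in the reply above, sender whitelisting by From address and single rules scored high enough to decide a message on their own. The sample file, rule names and the `audit_local_cf` helper are constructed for illustration; only the `required_score`, `whitelist_from`, `whitelist_from_rcvd`, `header` and `score` directives are SpamAssassin's own.

```python
# Constructed sample resembling the kind of local.cf criticised above
# (not the original poster's file; rule names are made up).
SAMPLE_LOCAL_CF = """\
required_score 5.0
whitelist_from *@example.com
whitelist_from_rcvd billing@example.org example.org
header   LOCAL_SUBJ_PILLS  Subject =~ /cheap pills/i
score    LOCAL_SUBJ_PILLS  100
header   LOCAL_SUBJ_OFFER  Subject =~ /special offer/i
score    LOCAL_SUBJ_OFFER  0.8
score    LOCAL_MULTI 0.5 1.0 0.5 6.0
"""

def audit_local_cf(text, default_required=5.0):
    """Return (required_score, findings); each finding is a
    (line_number, kind, detail) tuple."""
    required = default_required
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        # Simplification: treat '#' as a comment start everywhere.
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "required_score" and args:
            required = float(args[0])
        elif key == "whitelist_from" and args:
            # Matches on the sender address only, which a spammer can forge.
            # whitelist_from_rcvd also checks the relay, so it is not flagged.
            entries.append((n, "whitelist", " ".join(args)))
        elif key == "score" and len(args) >= 2:
            try:
                # A score line carries one value or one per scoreset (four).
                values = [float(v) for v in args[1:]]
            except ValueError:
                continue
            entries.append((n, "score", (args[0], values)))
    findings = []
    # Evaluate after the full pass: required_score may appear anywhere.
    for n, kind, detail in entries:
        if kind == "whitelist":
            findings.append((n, "forgeable-whitelist", detail))
        else:
            name, values = detail
            peak = max(values, key=abs)
            if abs(peak) >= required:  # one match decides the verdict alone
                findings.append((n, "one-shot-score", f"{name} {peak:g}"))
    return required, findings

if __name__ == "__main__":
    for finding in audit_local_cf(SAMPLE_LOCAL_CF)[1]:
        print(finding)
```
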