On Mon, 12 Sep 2016, thomas cameron wrote:
> Howdy, all -
> I rolled a new mail server out for my small business, and I've got a
> pretty vanilla SA setup. It's just not doing a very good job of catching
> spam. I'm getting a TON of "Amazon gift card" and "female hair loss" and
> "work from home" spam in my inbox. I feel like if I see one more e-mail
> about Blake Shelton, I'm gonna scream.
> Is there a good tuning/config page anywhere? Last time I messed with SA,
> I used www.spamtips.org. It's pretty old, though, so I imagine there are
> better ways. I also used to use rules du jour, but I read that that's
> old and not maintained any more.
> What do you guys recommend for tuning? It's been so long since I really
> dove deep into SA, you can just assume I'm starting from scratch.
Make sure you have a local recursing (**NOT** forwarding) DNS server that
your MTA and SA are configured to use. Reason: if you're forwarding your
MTA DNS requests to your ISP's DNS server, the aggregated traffic of you
plus all the other ISP clients can exceed the various DNSBL and URIBL
free-usage limits, rendering those tools useless. A clear indicator this
is happening: URIBL_BLOCKED hits.
Train up your Bayes using hand-vetted spam *and* ham, at least 200 of
each. Using autolearn initially can be problematic, so disable that until
SA is doing a fairly good job using hand-trained Bayes. Then you can let
autolearn keep it up-to-date if you like, and continue to capture and
manually train any persistent misses or near-misses. Generally the more
you feed Bayes the better it performs, but it must be accurately
classified. If you feed garbage to Bayes, you'll get garbage results.
Keep hand-classified Bayes corpora around in case you ever need to wipe
and retrain from scratch.
Ensure you're training Bayes as the user that SA is running under.
Training the wrong Bayes database is a common cause of problems.
Consider doing some MTA-level DNSBL checks. The Zen DNSBL is
well-regarded. If you're using Postfix then there are some emails from
Reindl Harald on this list regarding weighted DNSBL scoring that you may
find useful. You'll have to search the archives to find those.
There are some other MTA-level checks you can perform, like greet pause
and HELO validation (e.g. reject if the HELO has no dots).
Consider greylisting.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows and its users got mentioned at home today, after my wife the
psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
-----------------------------------------------------------------------
5 days until the 229th anniversary of the signing of the U.S. Constitution
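As an added example (not from the thread or from SpamAssassin itself), a small triage script that scans X-Spam-Status headers for the two symptoms discussed above: URIBL_BLOCKED hits, which point at the DNS resolver problem, and missing or BAYES_50-heavy Bayes results, which point at an under-trained or wrongly-trained Bayes database. The headers are constructed single-line samples; real headers may be folded across lines and would need unfolding first.

```python
import re
from collections import Counter

# Constructed sample X-Spam-Status headers (not taken from the original thread).
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=2.1 required=5.0 tests=HTML_MESSAGE,URIBL_BLOCKED,BAYES_50 autolearn=no version=3.4.1",
    "X-Spam-Status: No, score=3.4 required=5.0 tests=HTML_MESSAGE,URIBL_BLOCKED,BAYES_50,MIME_HTML_ONLY autolearn=no version=3.4.1",
    "X-Spam-Status: No, score=1.9 required=5.0 tests=URIBL_BLOCKED,BAYES_50 autolearn=no version=3.4.1",
    "X-Spam-Status: Yes, score=7.8 required=5.0 tests=BAYES_99,BAYES_999,RCVD_IN_ZEN autolearn=spam version=3.4.1",
    "X-Spam-Status: No, score=0.4 required=5.0 tests=HTML_MESSAGE,URIBL_BLOCKED autolearn=no version=3.4.1",
]

STATUS_RE = re.compile(
    r"score=(?P<score>-?\d+(?:\.\d+)?)\s+required=(?P<required>\d+(?:\.\d+)?)"
    r"\s+tests=(?P<tests>[A-Z0-9_,]+)"
)

def parse_status(header):
    """Return (score, required, [rule names]) from one X-Spam-Status line, or None."""
    m = STATUS_RE.search(header)
    if not m:
        return None
    return (float(m.group("score")), float(m.group("required")),
            m.group("tests").split(","))

def triage(headers):
    """Count the symptoms the thread describes across a batch of headers."""
    summary = {"total": 0, "uribl_blocked": 0, "bayes_inactive": 0,
               "bayes_buckets": Counter(), "hints": []}
    for h in headers:
        parsed = parse_status(h)
        if parsed is None:
            continue
        _score, _required, tests = parsed
        summary["total"] += 1
        if "URIBL_BLOCKED" in tests:          # resolver over the URIBL free-usage limit
            summary["uribl_blocked"] += 1
        bayes = [t for t in tests if t.startswith("BAYES_")]
        if not bayes:                          # no BAYES_* rule fired: Bayes not active
            summary["bayes_inactive"] += 1
        summary["bayes_buckets"].update(bayes)
    if summary["uribl_blocked"]:
        summary["hints"].append("URIBL_BLOCKED seen: use a local recursing (not forwarding) DNS server")
    if summary["bayes_inactive"]:
        summary["hints"].append("mail scored with no BAYES_* rule: Bayes is not active (under-trained or trained as the wrong user)")
    if summary["bayes_buckets"].get("BAYES_50", 0) > summary["total"] / 2:
        summary["hints"].append("most mail lands in BAYES_50: feed Bayes more hand-vetted spam and ham")
    return summary
```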