On 08/08/2017 08:02 PM, Ian Zimmerman wrote:
On 2017-08-08 15:20, Scott wrote:
Another new one big score, auto-learn disabled. This one is fairly small.
X-Spam-Status: Yes, score=29.428 tag=-9999 tag2=5 kill=6.4
tests=[DATE_IN_PAST_03_06=1.076, DCC_CHECK=3.2,
DIGEST_MULTIPLE=0.001,
FILL_THIS_FORM=0.001, FROM_MISSPACED=0.001, FROM_MISSP_SPF_FAIL=1,
HEADER_FROM_DIFFERENT_DOMAINS=0.001, HEXHASH_WORD=1,
HTML_EXTRA_CLOSE=0.001, HTML_MESSAGE=0.001,
HTML_MIME_NO_HTML_TAG=0.635, MIME_HTML_ONLY=1.105, MISSING_MID=0.14,
NORMAL_HTTP_TO_IP=0.001, RAZOR2_CF_RANGE_51_100=0.365,
RAZOR2_CF_RANGE_E8_51_100=2.43, RAZOR2_CHECK=2.5,
RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274, SPF_FAIL=4,
SPF_HELO_FAIL=4, STYLE_GIBBERISH=3.093,
T_HTML_TAG_BALANCE_CENTER=0.01, URIBL_ABUSE_SURBL=1.948,
WEIRD_QUOTING=0.001] autolearn=unavailable autolearn_force=no
Can you tell if this one has the 3 point match?
Scott,
when I tried to use the autolearn feature I was as confused as you are.
As far as I remember, the 3 point each from header and body is not the
only requirement; the full truth is that some rules are "privileged" and
can contribute to autolearning while others cannot. I found it opaque
in the extreme and essentially unpredictable, and so I stopped
autolearning and hacked up some scripts that put duplicate of each ham
message into a folder which is then processed by sa-learn from a
cronjob, with sufficient delay that I can review the contents and remove
any false negatives; and similarly with spam, excluding the utterly
horrible category which just goes to /dev/null.
It may not be possible for you to adopt such a process if your volume is
high, but OTOH in that case you probably have users to help you :)
I think this is what RW is telling you, too.
FWIW, this is documented (sort of) by:
perldoc Mail::SpamAssassin::Plugin::AutoLearnThreshold
Same here. I had a little success with autolearn. When I started
splitting out messages into a spam and ham folder and using a cron
script to train explicitly, the BAYES hits became very accurate and
helped with zero-hour spam which is the hardest to block.
I setup an iRedmail server on a local-only subdomain and send/BCC copies
of messages over to it. Then I can use simple Inbox rules to sort or
discard them. Then I cron'd spam and ham training based on the Maildir
"cur" folders. This requires me to do a quick scan of the unread
messages. When I mark them as read, then they get sa-learn'd. Takes a
few minutes a day and drastically improved the mail filtering.
A side effect of this has allowed me to easily spot some new spam
campaigns and messages that are scoring just below the block threshold
so I can add them to local custom rules. Sometimes these are legit
senders with good opt-out so I add them to a whitelist_auth entry.
--
David Jones