
Thread: SpamAssassin Rule Scores




SpamAssassin Rule Scores
2007-10-15 18:03:16
Hi all,

We are having a small but frustrating issue with Maia.  We have a fairly new
installation of Maia (2 weeks old) in a corporate environment and all is
working well.  It is missing a lot of SPAM however when I look at the
headers of a message classed as non-SPAM, the appropriate rules are being
triggered.  For example, 80% of junk messages getting through as non-SPAM
are triggering the DRUGS_ERECTILE rule.

The above rule only has a score of 0.100.  We changed the score to 5.0 by
adding "score DRUGS_ERECTILE 5.0" (and others) to local.cf and ran
sa-update.

We went in to the spam rule statistics view page and the rules were updated
to a score of 5.0.  All went well for about 5 minutes, and all the rules we
changed went back to the original scores and SPAM is once again getting
through.

I would really like to make the changes to the scores permanent, as the
drugs rules would eliminate 80 to 90% of our SPAM company wide.  We even
tried going in to the appropriate mySQL table and editing the scores, but
they soon reverted back.

Can anyone assist?

Regards,
Chris Nichols 

_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users

Re: SpamAssassin Rule Scores
2007-10-16 15:46:39
On Tue, 2007-10-16 at 09:03 +1000, Chris Nichols wrote:
> Hi all,
> 
> We are having a small but frustrating issue with Maia.  We have a fairly new
> installation of Maia (2 weeks old) in a corporate environment and all is
> working well.  It is missing a lot of SPAM however when I look at the
> headers of a message classed as non-SPAM, the appropriate rules are being
> triggered.  For example, 80% of junk messages getting through as non-SPAM
> are triggering the DRUGS_ERECTILE rule.
> 
> The above rule only has a score of 0.100.  We changed the score to 5.0 by
> adding "score DRUGS_ERECTILE 5.0" (and others) to local.cf and ran
> sa-update.

Sounds like maybe you don't have any outside rules in play? I found one
blocked today that also hit several others, are you using Razor or
bayes? Try posting the message with headers so we can test it...

maia=> select rule_score, rule_name from view_msg_scores where id = 984380;
 rule_score |         rule_name         
------------+---------------------------
      1.396 | MIME_QP_LONG_LINE
      0.322 | DRUG_ED_CAPS
      0.282 | DRUGS_ERECTILE
      1.069 | DATE_IN_PAST_06_12
      0.001 | HTML_MESSAGE
      3.500 | BAYES_99
      0.500 | RAZOR2_CHECK
      0.500 | RAZOR2_CF_RANGE_51_100
      1.500 | RAZOR2_CF_RANGE_E8_51_100
      1.499 | URIBL_SBL
      0.474 | URIBL_SC_SURBL
      1.501 | URIBL_JP_SURBL
      1.955 | URIBL_BLACK
      3.100 | KAM_VIAGRA6
      3.100 | KAM_VIAGRA7
(15 rows)

-- 
Robert


Re: SpamAssassin Rule Scores
2007-10-16 18:25:50
On Wed, 2007-10-17 at 08:21 +1000, Chris Nichols wrote:
> Thanks for your reply Robert.
> 
> You are correct, I haven't installed any outside rules.  We are using Bayes.
> 
> Here are the headers of one of the messages that got through:-
> 
> All this one triggered was the HTML_MESSAGE rule.
> 
> There seem to be many different rule sets to choose from, are any
> recommended over others?

These are our sa-update channels used....

esmtp# cat /usr/local/etc/mail/spamassassin/sare-sa-update-channels.txt

70_sare_evilnum0.cf.sare.sa-update.dostech.net
70_sare_adult.cf.sare.sa-update.dostech.net
99_sare_fraud_post25x.cf.sare.sa-update.dostech.net
72_sare_bml_post25x.cf.sare.sa-update.dostech.net
70_sare_spoof.cf.sare.sa-update.dostech.net
70_sare_bayes_poison_nxm.cf.sare.sa-update.dostech.net
70_sare_oem.cf.sare.sa-update.dostech.net
70_sare_random.cf.sare.sa-update.dostech.net
70_sare_header0.cf.sare.sa-update.dostech.net
70_sare_html0.cf.sare.sa-update.dostech.net
70_sare_specific.cf.sare.sa-update.dostech.net
70_sare_obfu0.cf.sare.sa-update.dostech.net
72_sare_redirect_post3.0.0.cf.sare.sa-update.dostech.net
70_sare_genlsubj0.cf.sare.sa-update.dostech.net
70_sare_unsub.cf.sare.sa-update.dostech.net
70_sare_uri0.cf.sare.sa-update.dostech.net
70_sare_whitelist.cf.sare.sa-update.dostech.net
70_sare_whitelist_spf.cf.sare.sa-update.dostech.net
70_sare_stocks.cf.sare.sa-update.dostech.net
updates.spamassassin.org

-- 
Robert


Re: SpamAssassin Rule Scores
2007-10-16 18:28:35
On Wed, 2007-10-17 at 08:21 +1000, Chris Nichols wrote:
> Thanks for your reply Robert.
> 
> You are correct, I haven't installed any outside rules.  We are using Bayes.
> 
> Here are the headers of one of the messages that got through:-

Here is our score on your message...

Content analysis details:   (22.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.3 RCVD_FORGED_WROTE2     RCVD_FORGED_WROTE2
 2.5 RCVD_FORGED_WROTE      Forged 'Received' header found ('wrote:' spam)
 2.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see <http://www.spamcop.net/bl.shtml?195.135.236.11>]
 0.6 RCVD_IN_SORBS_WEB      RBL: SORBS: sender is a abuseable web server
                            [195.135.236.11 listed in dnsbl.sorbs.net]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [195.135.236.11 listed in zen.spamhaus.org]
 0.0 BOTNET_BADDNS          Relay doesn't have full circle DNS
                            [botnet_baddns,ip=195.135.236.11,rdns=host11.236.m9com.ru]
 0.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.7,ip=195.135.236.11,hostname=host11.236.m9com.ru,maildomain=fuse.net,baddns,client,ipinhostname]
 0.0 BOTNET_IPINHOSTNAME    Hostname contains its own IP address
                            [botnet_ipinhosntame,ip=195.135.236.11,rdns=host11.236.m9com.ru]
 0.0 BOTNET_CLIENT          Relay has a client-like hostname
                            [botnet_client,ip=195.135.236.11,hostname=host11.236.m9com.ru,ipinhostname]
 0.3 SARE_WEOFFER           BODY: Offers Something
 0.6 J_CHICKENPOX_82        BODY: 8alpha-pock-2alpha
 1.7 SARE_OBFUSEXUAL        BODY: masked spam word(s)
 3.1 FRT_SEXUAL             BODY: ReplaceTags: Sexual
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5025]
 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
                            above 50%
                            [cf: 100]
 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
                            [cf: 100]

-- 
Robert


Re: SpamAssassin Rule Scores
2007-10-16 18:37:12
Thanks for your help Robert,
Greatly appreciated.
Regards,
Chris



Re: SpamAssassin Rule Scores
2007-10-17 07:07:52
On Wed, 2007-10-17 at 11:56 +0200, Lulu wrote:
> Hi.. sorry for cutting in into your conversation, I'm running Suse
> 10.0 and Maia Mailguard 1.0.2. I think I'm having the same problem as
> Chris, I get mail with a score of 4 and it's spam, I mark it spam and
> the next day it comes through eg;

You can create the file wherever you like, that was created by us. Then
you need to setup sa-update to run in cron periodically to update your
rules, here is our script we have running each night via cron:

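#!/bin/sh
# Fetch rule updates for the channels listed in the channel file
/usr/local/bin/sa-update \
    --channelfile /usr/local/etc/mail/spamassassin/sare-sa-update-channels.txt \
    --gpgkey 856AA88A
# Update the Maia rules
/var/amavis/maia/scripts/load-sa-rules.pl
# Download new SaneSecurity signatures for ClamAV
/usr/local/etc/scamp.sh
# Restart amavisd so all changes take effect
/usr/local/etc/rc.d/amavisd.sh restart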

Note that all your commands will be in different locations since you use
Linux where ours are mostly under /usr/local on our Unix server. This
script runs sa-update using our channels file, updates maia rules,
downloads new signatures for our added SaneSecurity virus checks to our
ClamAV, and restarts amavisd for all changes to take effect...

http://wiki.apache.org/spamassassin/RuleUpdates
http://rulesemporium.com/index.html
http://www.sanesecurity.com/clamav/

> Score   Rule Triggered      Explanation
> 1.639   URIBL_SBL           Contains an URL listed in the SBL blocklist
> 1.456   RCVD_IN_SORBS_WEB   SORBS: sender is a abuseable web server
> 1.393   MSGID_FROM_MTA_ID   Message-Id for external message added locally
> 

Doesn't look like bayes is working, do you have it on in your local.cf
file of spamassassin? I always look at the bayes_var table in the sql
database to see if counts are being made and to make sure ham is not
lopsided with spam.

-- 
Robert


Re: SpamAssassin Rule Scores
2007-10-22 18:59:44
Robert,

Just an update for you, all is working OK now, and once again thanks for
your help.

We now have Bayes working properly as well as per the following:-

Regards,
Chris Nichols

Subject: ***SPAM*** Viagra Shop
Date: Mon, 22 Oct 2007 21:45:14 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_NextPart_000_0003_01C81503.0379FD9F"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2663
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
X-Virus-Scanned: Maia Mailguard 1.0.2
X-Spam-Status: Yes, hits=31.988 tagged_above=1 required=3 tests=BAYES_99=3.5,
 DRUGS_ERECTILE=5, DRUG_ED_CAPS=5, HTML_MESSAGE=0.001,
 RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_SORBS_WEB=1.456, RCVD_IN_XBL=3.897,
 SARE_SXLIFE=1.07, URIBL_BLACK=3, URIBL_OB_SURBL=3.008, URIBL_SC_SURBL=4.498
X-Spam-Level: *******************************
X-Spam-Flag: YES
X-Antivirus: AVG for E-mail 7.5.488 [269.15.6/1086]
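
Added example (not part of the original thread, and not Maia or SpamAssassin code): the X-Spam-Status header in the post above carries a score per rule, so it can be parsed to recompute the total and to check what a set of local.cf "score" lines would change. The function names are hypothetical; the header format is assumed to be the per-rule style shown in the post, and the what-if values are the 0.100 and 0.322 scores quoted earlier in the thread.

```python
from email import message_from_string

# X-Spam-Status header copied from the last post in this thread (other headers omitted).
SAMPLE = """\
Subject: ***SPAM*** Viagra Shop
X-Spam-Status: Yes, hits=31.988 tagged_above=1 required=3 tests=BAYES_99=3.5,
 DRUGS_ERECTILE=5, DRUG_ED_CAPS=5, HTML_MESSAGE=0.001,
 RCVD_IN_BL_SPAMCOP_NET=1.558, RCVD_IN_SORBS_WEB=1.456, RCVD_IN_XBL=3.897,
 SARE_SXLIFE=1.07, URIBL_BLACK=3, URIBL_OB_SURBL=3.008, URIBL_SC_SURBL=4.498

(body omitted)
"""

# Constructed local.cf fragment using scores quoted earlier in the thread
# (0.100 from the first post, 0.322 from the view_msg_scores output).
WHAT_IF_CF = """\
score DRUGS_ERECTILE 0.100   # a single value applies to every scoreset
score DRUG_ED_CAPS 0.322
"""

def parse_spam_status(raw_message):
    """Parse an X-Spam-Status header that lists RULE=score pairs after tests=."""
    value = message_from_string(raw_message)["X-Spam-Status"]
    head, _, tests = " ".join(value.split()).partition(" tests=")  # unfold first
    fields = dict(kv.split("=", 1) for kv in head.split() if "=" in kv)
    rules = {}
    for item in tests.split(","):
        name, _, score = item.strip().partition("=")
        if name and score:
            rules[name] = float(score)
    return {"hits": float(fields["hits"]),
            "required": float(fields["required"]), "rules": rules}

def parse_score_lines(cf_text, scoreset=3):
    """Read 'score NAME v' or 'score NAME v0 v1 v2 v3' (set 3 = Bayes + network)."""
    overrides = {}
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            vals = [float(v) for v in parts[2:]]
            overrides[parts[1]] = vals[scoreset] if len(vals) == 4 else vals[0]
    return overrides

def rescore(status, overrides):
    """Recompute the total with overridden rule scores; spam if total >= required."""
    total = round(sum(overrides.get(n, s) for n, s in status["rules"].items()), 3)
    return total, total >= status["required"]

if __name__ == "__main__":
    st = parse_spam_status(SAMPLE)
    print("reported hits:", st["hits"], "recomputed:", rescore(st, {})[0])
    print("with the lower scores:", rescore(st, parse_score_lines(WHAT_IF_CF)))
```

The per-rule scores add up to the reported hits value, and with the two drug rules set back to the lower scores the message still lands well above required=3 on the Bayes, DNSBL and URIBL hits alone.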

