spamassassin-users mailing list archives

From jdow <j...@earthlink.net>
Subject Re: Calling spamassassin directly yields very different results than calling spamassassin via amavis-new
Date Mon, 14 Jan 2013 23:41:31 GMT
On 2013/01/14 12:59, Ben Johnson wrote:
>
>
> On 1/14/2013 2:49 PM, RW wrote:
>> On Mon, 14 Jan 2013 13:24:55 -0500
>> Ben Johnson wrote:
>>
>>
>>> A clear pattern has emerged: the X-Spam-Status headers for very
>>> obviously spammy messages never contain evidence that network tests
>>> contributed to their SA scores.
>>>
>>> Ultimately, I need to know whether:
>>>
>>> a.) Network tests are not being run at all for these messages
>>>
>>> b.) Network tests are being run, but are failing in some way
>>>
>>> c.) Network tests are being run, and are succeeding, but return
>>> responses that do not contribute to the messages' scores
>>>
>>> I've had a look at the log entries to which I link in my previous
>>> message and I just need a little help interpreting the "dns" and
>>> "async" messages.
>>
>> As I said before, it's not unusual for snowshoe spam to hit no net
>> tests at all. Also obvious spam isn't any more likely to be in a
>> blocklist than less obvious spam.
>>
>> However, try adding this to your SpamAssassin configuration, and
>> restart the appropriate daemon:
>>
>> header   RCVD_IN_HITALL     eval:check_rbl('hitall-lastexternal', 'ipv4.fahq2.com.')
>> tflags   RCVD_IN_HITALL     net
>> score    RCVD_IN_HITALL     0.001
>>
>>
>> It should add a dns test that is hit for all mail delivered from an
>> IPv4 address.
>>
>
> Thanks, RW.
>
> I understand that snowshoe spam may not hit any net tests. I guess my
> confusion is around what, exactly, classifies spam as "snowshoe".
>
> Are most/all of the BL services hash-based? In other words, if a known
> spam message was added yesterday, will it be considered "snowshoe" spam
> if the spammer sends the same message today and changes only one
> character within the body?
>
> If so, then I guess the only remedy here is to focus on why Bayes seems
> to perform so miserably. It must be a configuration issue, because I've
> sa-learn-ed messages that are incredibly similar for two days now and
> not only do their Bayes scores not change significantly, but sometimes
> they decrease. And I have a hard time believing that one of my users is
> sa-train-ing these messages as ham and negating my efforts.
>
> I have ensured that the spam token count increases when I train these
> messages. That said, I do notice that the token count does not *always*
> change; sometimes, sa-learn reports "Learned tokens from 0 message(s) (1
> message(s) examined)". Does this mean that all tokens from these
> messages have already been learned, thereby making it pointless to
> continue feeding them to sa-learn?
>
> If I receive one more uncaught message about how some mom is angering
> doctors by doing something crazy to her face, I'm going to hunt down the
> ****er and rip her face OFF.
>
> Finally, I added the test you supplied to my SA configuration, restarted
> Amavis, and all messages appear to be tagged with RCVD_IN_HITALL=0.001.

As much as I might applaud that sentiment I'd like to note two things.
First, it might involve just a whole lot of nasty paperwork and unpleasant
contact with authorities. Second, the energy wasted doing that might have
been better spent had you learned how to create rules and recognize the
elements of a spam that are likely to be relatively unique so you can
create rules for it.

After a while creating rules to knock down such "stuff" can become fun.
(Then after a longer while it gets "old", sigh.)

Another thing to learn in the process is that what you consider to be
spam is another person's (jerk's?) ham. So crafting rules needs to be
done with care if you're filtering for more than one person. Erm, of
course this is what allowing per-user rules is good for.

{^_^}
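
The RCVD_IN_HITALL canary rule quoted above can be used to sort X-Spam-Status headers into the cases Ben lists; this is an added example, not part of the original thread. The two header layouts handled (bracketed `tests=[NAME=score, ...]` and comma-separated `tests=NAME,NAME`), the `NET_PREFIXES` list, the function names and the sample headers are assumptions made for illustration.

```python
import re

CANARY = "RCVD_IN_HITALL"            # rule name from RW's snippet in the thread
NET_PREFIXES = ("RCVD_IN_", "URIBL_")  # assumption: blocklist rules use these prefixes

def parse_tests(status_value):
    """Return {rule_name: score or None} from an X-Spam-Status header value."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", status_value)      # undo header folding
    m = re.search(r"tests=\[([^\]]*)\]", unfolded)             # tests=[A=1.0, B=0.5]
    if m is None:
        m = re.search(r"tests=(.*?)(?=\s+\w+=|$)", unfolded)   # tests=A,B autolearn=no
    tests = {}
    for item in (m.group(1) if m else "").split(","):
        name, _, score = item.strip().partition("=")
        if name and name != "none":
            tests[name] = float(score) if score else None
    return tests

def classify(status_value):
    """Map one header to (label, other blocklist rules that hit)."""
    tests = parse_tests(status_value)
    if CANARY not in tests:
        # Cases (a)/(b): net tests skipped or DNS failing. The canary also
        # stays silent for mail that was not delivered from an IPv4 address.
        return ("no-dns-evidence", [])
    hits = sorted(t for t in tests if t != CANARY and t.startswith(NET_PREFIXES))
    # Canary alone is case (c): lookups work, nothing listed the sender.
    return ("dns-ok-listed" if hits else "dns-ok-not-listed", hits)

# Constructed sample headers (not taken from the thread).
SAMPLES = [
    "No, score=2.802 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_HITALL=0.001,\n"
    "\tRDNS_NONE=2] autolearn=no",
    "Yes, score=9.1 required=5.0 tests=BAYES_99,RCVD_IN_HITALL,\n"
    "\tRCVD_IN_XBL,URIBL_BLACK autolearn=no",
    "No, score=0.801 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_50=0.8, HTML_MESSAGE=0.001] autolearn=no",
    "No, score=0.0 required=5.0 tests=none autolearn=ham",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(classify(value))
```

A mailbox where every header lands in "no-dns-evidence" points at the scanner configuration or the resolver rather than at the blocklists.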
