On Sat, 2006-01-14 at 20:55 -0500, Eben King wrote:
> > Two things I did....
> >
> > set in local.cf: (which was there in that file but commented out)
> >
> > use_bayes 1
>
> As mentioned in "perldoc Mail::SpamAssassin::Conf", right?
>
Indeed.
> > and in user_prefs (home or etc):
> >
> > # How many hits before a mail is considered spam. Default is 5.
> > required_hits 3
> >
> > which is depreciated in newer versions of SA but still works. The
> > replacement parameter is required_score. I bumped that down which
> > helped too. 5 was too high.
>
> Did you have to add that parameter, or just change it?
>
In SuSE it was there (local.cf) but commented out by default. In the
perldoc it describes this setting too. Definitely defaults to 5 so if
you think you need to bump down to a score thresh of 0 that's a long way
to go. I would imagine there's no decimal option for the thresh and it
would catch _all_ your mail. This would be the parameter to change
though. I set mine to 3. It catches the majority of it without
overdoing it for me.
> > Hopefully you are just dropping maybe-spam to a different box and not
> > dev/nulling it right?
>
> Correct, there are two mailboxes, "almost-certainly-spam" and
> "probably-spam". Only two messages have been pink enough to land in the
> former.
>
Ditto except I decided to drop both into one _spam_ folder. If I have
to look to confirm whether it's legit or not, I'd rather not have to go
through 2 separate mailboxes. And as you can see, not a lot gets tagged
as almost-certainly. But...as it gets smarter, this could change as the
bayes bumps up the score bar. You know, the other thing you can do is
assign higher values to the rules. If you see one that gets a hit in
the headers and it ID's the spam pretty well....give it a custom higher
score.
score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
Assign scores (the number of points for a hit) to a given test. Scores
can be positive or negative real numbers or integers. "SYM‐
BOLIC_TEST_NAME" is the symbolic name used by SpamAssassin for that
test; for example, 'FROM_ENDS_IN_NUMS'.
also from the perldoc.
> > Look at the full headers of mail in your Inbox and see what SA inserts
> > after the X-Spam-Status. You might see what it put there on both spam
> > that got through and on legitimate mail. There should be something about
> > the required hits and bayes including what rules it hit on.
>
> grep ^X-Spam-Status mail/almost-certainly-spam mail/probably-spam mail/spam
> | cut -f 3 -d ' ' | cut -f 2 -d = | sort -n > spam-scores
>
> and likewise for ham. It looks as if a score threshold of 0 would catch
> between 87% and 96% of spam, with between 0 and 0.4% false positives,
> depending on where edge cases go.
0 ? really? gee wiz I usually get stuff like:
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on
mail.wackyworld.lan
X-Spam-Level: *************
X-Spam-Status: Yes, score=13.5 required=3.0 tests=BAYES_99,
DATE_IN_FUTURE_12_24,HELO_DYNAMIC_COMCAST,RCVD_IN_BL_SPAMCOP_NET,
RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL autolearn=no version=3.0.4
Content analysis details: (13.5 points, 3.0 required)
pts rule name description
---- ----------------------
--------------------------------------------------
3.7 HELO_DYNAMIC_COMCAST Relay HELO'd using suspicious hostname
(Comcast)
3.0 DATE_IN_FUTURE_12_24 Date: is 12 to 24 hours after Received: date
3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
[score: 1.0000]
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
address
[69.142.58.121 listed in dnsbl.sorbs.net]
1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
<http://www.spamcop.net/bl.shtml?69.142.58.121>]
0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[69.142.58.121 listed in combined.njabl.org]
>
> > Obviously it looks in some order at local.cf, user_prefs (etc dir)
>
> Where is that file? Could it go by another name? I have these:
>
> [root@pc spamassassin]# ls /etc/mail/spamassassin/
> init.pre local.cf
>
It would be in the same spamassassin dir. I don't think it really
matters though as SA reads all of them and the same options seem to be
valid in all three files according to the docs. I set mine up sitewide
so I do everything out of /etc and fore-go the user dir files.
> > The only other question is how are you calling SA? Procmail? Daemon?
> > Some special feature of pine or mutt?
>
> Procmail.
>
> :0fw: spamassassin.lock
> * < 256000
> | spamassassin
>
> etc.
>
> A lot of mail handling is Greek to me, so I'm just following directions.
>
I did the same. Sitewide procmail (AntiVirus and Spamassassin) --> mbox
--> Users pop in to qpopper.
All seems to be right. I wonder what's up with the low scores?
Mike Branda Jr.
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:30:48 EDT