Spam Tag/Bayes Filter weirdness

[SpecialKdkj]

In trying to figure out why certain spam was getting through for certain users, I came across an interesting phenomenon. Take a look at these two spam headers for two spam emails that came at roughly the exact same time. Notice that the "required" level for each is different. In the admin side I've set the tag percent to 20, so the required should be 4:

Code:

X-Virus-Scanned: amavisd-new at 
X-Spam-Flag: YES
X-Spam-Score: 7.54
X-Spam-Level: *******
X-Spam-Status: Yes, score=7.54 tagged_above=-10 required=6.6
	tests=[BAYES_99=3.5, DRUGS_ERECTILE=0.282, DRUGS_ERECTILE_OBFU=1.229,
	FH_HELO_EQ_D_D_D_D=0.001, FUZZY_CPILL=0.001,
	HELO_DYNAMIC_IPADDR=2.426, HS_INDEX_PARAM=0.001, RDNS_DYNAMIC=0.1]

Code:

X-Virus-Scanned: amavisd-new at 
X-Spam-Flag: YES
X-Spam-Score: 19.141
X-Spam-Level: *******************
X-Spam-Status: Yes, score=19.141 tagged_above=-10 required=4
	tests=[BAYES_99=6.5, DATE_IN_PAST_06_12=1.069,
	FORGED_MUA_OUTLOOK=3.116, INVALID_MSGID=1.9,
	RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.5,
	RAZOR2_CHECK=2.5, RDNS_DYNAMIC=0.1, STOX_REPLY_TYPE=0.001,
	URIBL_BLACK=1.955]

It looks as though somewhere the system is still tagging messages at the default of 33% (or 6.6), as shown by the first message. Even weirder still is I think that the rogue tag value is only happening for one or two particular users - people who are still complaining about spam. Also, the BAYES_99 value is different for each as well. One uses the higher value I have set and the other uses the default.

Any ideas?

[SpecialKdkj]

Is it ethical to bump? Hmm... a real life equivalent to "the squeaky wheel gets the grease", perhaps?

[dwmtractor]

Sure it's ethical to bump. Sorry I didn't notice this one sooner since spam is one of my hot buttons. . .

I'm guessing here, but where do you have your settings tweaked? If in /opt/zimbra/conf/spamassassin/local.cf (or other .cf files--which ones?), are there any odd permission issues on those files? The tag/kill percentages--have you set them in the admin gui, at the command line, or by editing files?

Except for that change in the gui, I have made all my changes in local.cf (and I keep a backup of it since it gets overwritten with every upgrade) and it has straight-across read permissions only. I don't touch any of the other cf files except to read them and learn syntax of things that I then override with settings in local.cf. That process has worked reliably for me.

Since you are network edition you have the right to get tech support right from the horse's mouth too, remember.

Cheers,

Dan

[SpecialKdkj]

I haven't checked permissions but the tag/kill settings were made in the admin GUI. I have changed a lot of settings you've suggested in your posts (like BAYES score values, etc.), but I'm not sure of the permissions. Is the best way to correct that to chown those files to zimbra user?

[dwmtractor]

Quote:

Originally Posted by SpecialKdkj

I haven't checked permissions but the tag/kill settings were made in the admin GUI. I have changed a lot of settings you've suggested in your posts (like BAYES score values, etc.), but I'm not sure of the permissions. Is the best way to correct that to chown those files to zimbra user?

Yes, but do an ls -l on the directory first and see if they really *do* have other owners and/or permissions. They shouldn't be changing.