Help dealing with spam
I'm trying to understand how the spam checker works and am hoping someone can clear up a few things.
1) Admin guide speaks of using the "Junk" button when spam makes its way into the inbox. This will help "learning" of what to classify as spam and what not to. Does that button do something special or does the act of moving mail to the junk folder accomplish the same thing? Specifically, if I use Thunderbird or some other app to move mail to the junk folder will the "learning" aspect still be accomplished?
I guess the same sort of questions apply to items mistakenly marked as spam.
2) Tweaking the filters... Are there some guidelines to how to do this? I have the settings on Kill 75 and Tag 33. (Default?) With these settings, stuff is getting caught, but I have one user that is still getting a larger amount of spam in the Inbox than I'd like. I've seen mention of looking in the headers to determine the ratings that were given, but I'm not sure what I'm looking for and if what I see is good or bad. Is there a discussion somewhere that might help me further tweak Zimbra?
Well, it depends which release you're on. The current release also has DSPAM to catch stuff, anything in the junk folder will be run through zmtrainsa on a daily basis (a cron job is run overnight).
I have my kill/tag filters set at 66/25 respectively and that catches almost all of the spam, I think I get about one message per week that it's unsure of and ends up in the junk folder automatically. Those settings are good for me but you'll have to set them to your own levels, it's a balancing act between getting most of the spam (you'll never get it all) and not catching any innocent mail.
You could also have a look at setting up some additional filters by using rules_du_jour. Have a look through the forums and the wiki for some info; I also have these installed.
Thanks Bill. I'm on the newest 3.1 level and have set up the rules to disallow the spam lists (except for one that was denying legit mail).
zmtrainsa actually only looks at the spam and ham mailboxes. So you must use the 'Junk' and 'Not Junk' buttons to get training to take effect. If you just move things to Junk with an IMAP client it doesn't trigger a reference to go into the spam/ham mailboxes.
You can run zmtrainsa manually and point to your Junk folder if you'd like. This will make sure all the mail in your junk folder is counted and trained. Best way in general is to teach users to use the Junk/Not Junk buttons and you'll have an admin-free way of training and keeping your spam training current.
For the headers just use a 'View Original' in the web client. You'll see several headers from DSPAM and SA. I check any spam that gets into my inbox and look for tests that are giving a positive score. You'll also see the SPAM value and how close it was to your current settings. An example is like this:
You see here this is a very *spammy* message. All the tests that triggered a positive spam vote and it triggered several RBLs, both SA and DSPAM's highest spam value. It got scored an 11.2 but only needed a 4 to be considered spam.
X-DSPAM-Processed: Wed May 10 22:36:20 2006
X-Virus-Scanned: amavisd-new at mail.example.com
X-Spam-Status: Yes, score=11.261 tagged_above=-10 required=4 autolearn=no
    tests=[BAYES_95=3, DSPAM_SPAM=0.5, RCVD_IN_BL_SPAMCOP_NET=1.558,
    RCVD_IN_XBL=3.897, UNPARSEABLE_RELAY=0.001, X_IP=2.305]
FYI our internal Zimbra server's Tag/Kill is -> Tag: 20 Kill: 75
Sorry, my error - I had a cron job running against my junk mailbox for a while and forgot to remove it. :o As KevinH said, it's only for the training mailboxes.
Ok, here's one I got today and am not sure I understand. It seems DSPAM knew it was spam, but it didn't get marked that way. Why not?
Free website offer...
And a stock pick....
X-DSPAM-Processed: Wed May 10 20:20:09 2006
X-Virus-Scanned: amavisd-new at
X-Spam-Status: No, score=5.826 tagged_above=-10 required=6.6 autolearn=no
    tests=[DNS_FROM_AHBL_RHSBL=0.306, DSPAM_SPAM=0.5, SUBJ_YOUR_OWN=0.127,
X-DSPAM-Processed: Wed May 10 18:04:24 2006
X-Virus-Scanned: amavisd-new at
X-Spam-Status: No, score=5.682 tagged_above=-10 required=6.6 autolearn=no
    tests=[DSPAM_HAM=-0.1, RCVD_IN_NJABL_DUL=1.713, RCVD_IN_SORBS_DUL=1.988,
Both of those are getting very heavy SPAM votes, in the 5.6 range. With the Zimbra settings they would have been spam, since we only require a score of 4. Your settings (the default) require 6.6, so they need to be more spammy to get marked as spam.
The way we use DSPAM is it's just another vote in the voting system. A DSPAM vote for spam is counted a little heavier than a ham vote. Just what the SA wiki recommends.
I know I'm a little slow here so I appreciate your patience. You are saying that lowering the tag/kill numbers from 33/75 to 20/75 would have made those messages be marked as spam? Perhaps I don't understand what those numbers represent, but I was thinking bigger numbers meant more aggressive toward spam. Guess I was backwards...
Cutigersfan, I see that there is no sign of bayes tests in your headers. This is quite strange because bayes should be turned on by default. Be sure to check this, because bayes will add its score and then the total score will more easily get over your 6.6 threshold. Do not forget to teach bayes what is spam and what is not, at least in the beginning. Refer to the spamassassin documentation on its website (spamassassin.apache.org). Be careful not to lower your threshold too much until bayes and dspam are sufficiently trained, or you may get some false positives, which would be bad.
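Added example, not part of any post in this thread: a small Python script that reads X-Spam-Status headers the way the replies above do, listing the tests that contributed a positive score, checking whether any BAYES_* test fired, and showing whether the message would be tagged at a different Tag percent. The function names are made up for this example, and the percent-to-score factor of 0.2 is an assumption inferred from the numbers quoted in the thread (Tag 20 gives required=4, Tag 33 gives required=6.6).

```python
import re

def tag_percent_to_score(percent):
    # Assumption inferred from the thread: Tag 20 -> 4, Tag 33 -> 6.6.
    return round(percent * 0.2, 3)

def parse_spam_status(header):
    """Parse a (possibly folded or truncated) X-Spam-Status header."""
    text = " ".join(header.split())  # unfold continuation lines
    m = re.match(r"X-Spam-Status:\s*(Yes|No),\s*score=(-?[\d.]+)", text)
    req = re.search(r"required=(-?[\d.]+)", text)
    if not m or not req:
        raise ValueError("not a usable X-Spam-Status header")
    tests = {}
    found = re.search(r"tests=\[([^\]]*)", text)  # tolerate a missing ']'
    if found:
        for item in found.group(1).split(","):
            name, sep, value = item.strip().partition("=")
            if sep:  # skips the empty item left by a trailing comma
                tests[name] = float(value)
    return {"flagged": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(req.group(1)), "tests": tests}

def review(header, tag_percent):
    """Summarise one header against a candidate Tag percent."""
    parsed = parse_spam_status(header)
    threshold = tag_percent_to_score(tag_percent)
    positive = [(n, s) for n, s in parsed["tests"].items() if s > 0]
    return {"score": parsed["score"], "threshold": threshold,
            "would_tag": parsed["score"] >= threshold,
            "bayes_seen": any(n.startswith("BAYES_") for n in parsed["tests"]),
            "top": sorted(positive, key=lambda p: p[1], reverse=True)}

# Headers copied from the thread; the second was posted truncated.
SPAMMY = """X-Spam-Status: Yes, score=11.261 tagged_above=-10 required=4 autolearn=no
    tests=[BAYES_95=3, DSPAM_SPAM=0.5, RCVD_IN_BL_SPAMCOP_NET=1.558,
    RCVD_IN_XBL=3.897, UNPARSEABLE_RELAY=0.001, X_IP=2.305]"""
MISSED = """X-Spam-Status: No, score=5.826 tagged_above=-10 required=6.6 autolearn=no
    tests=[DNS_FROM_AHBL_RHSBL=0.306, DSPAM_SPAM=0.5, SUBJ_YOUR_OWN=0.127,"""

if __name__ == "__main__":
    for label, hdr in (("spammy", SPAMMY), ("missed", MISSED)):
        for pct in (33, 20):
            print(label, "tag", pct, review(hdr, pct))
```

A header with no BAYES_* entry in its tests list, like the second one here, points to Bayes not scoring that message.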