spam assassin rules

[bbarrons]

I need help. I just cant seem to get a good handle on the spam. I followed the wiki on spam settings, I added different .cf files to the /opt/zimbra/conf/spamassassin and then restarted zimbra but I cant for the life of me get it to stop viagara emails! They always go to the inbox also, not to the spam folder. Spam is way down since I went thru the wiki, I mean users are now only getting 3 or 4 spams a day compared to 20 or 30 so I know something is working. So, I need to know, if I download a .cf file into the /conf/spam assassin folder if that is the correct place to put it? I am not by any mean a spam assassin or even a zimbra guru so I would love to be able to not have to spend so much time working on this....... What info can I provide that will help figure this out?
thanks
Bill B

[uxbod]

Are they emails with a embedded image (flag type) by any chance ? Search the forums for spamassassin and sanesecurity.

[veronica]

Did you try blocking on word scan for ****** ?

[uxbod]

If you could post a example of one of the emails, including all headers, then I can run it through my setup. I have multiple SPAM blocking techniques in place and will be in a better position to advice.

[veronica]

Also you might want to tune scores for some rules.

[uxbod]

Until we know what type of SPAM it is very difficult to tune SA scores without the potential of introducing FPs.

[bbarrons]

Quote:

Originally Posted by uxbod

Until we know what type of SPAM it is very difficult to tune SA scores without the potential of introducing FPs.

Sorry about that. I didnt see any replies and thought no one was looking to help. I will have to log into the server and get some examples to post. I did notice that one of the spams with viagara was a gif.
I will get some info and post it here soon.
thank you
Bill

[bbarrons]

Return-Path: tbarrons@stmarysstclair.org
Received: from ms1.stmarysstclair.org (LHLO ms1.stmarysstclair.org)
(192.168.3.5) by ms1.stmarysstclair.org with LMTP; Sat, 12 Sep 2009
21:40:56 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by ms1.stmarysstclair.org (Postfix) with ESMTP id A736E264004
for <tbarrons@stmarysstclair.org>; Sat, 12 Sep 2009 21:40:56 -0400 (EDT)
X-Quarantine-ID: <rIaaMvwOdDgc>
X-Virus-Scanned: amavisd-new at ms1.stmarysstclair.org
X-Amavis-Alert: BAD HEADER, Non-encoded 8-bit data (char A9 hex): From: \251
****** \256 Offic[...]
Received: from ms1.stmarysstclair.org ([127.0.0.1])
by localhost (ms1.stmarysstclair.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id rIaaMvwOdDgc for <tbarrons@stmarysstclair.org>;
Sat, 12 Sep 2009 21:40:49 -0400 (EDT)
Received: from 198-236-124-91.pool.ukrtel.net (198-236-124-91.pool.ukrtel.net [91.124.236.198])
by ms1.stmarysstclair.org (Postfix) with SMTP id C2AF8264003
for <tbarrons@stmarysstclair.org>; Sat, 12 Sep 2009 21:40:48 -0400 (EDT)
From: � ****** � Official Site <tbarrons@stmarysstclair.org>
To: tbarrons@stmarysstclair.org
Subject: Dear tbarrons@stmarysstclair.org 74% 0FF on Pfizer !
MIME-Version: 1.0
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <20090913014048.C2AF8264003@ms1.stmarysstclair.org >
Date: Sat, 12 Sep 2009 21:40:48 -0400 (EDT)


http://www.gsexeyuk.cn/1.gif

[bbarrons]

here is a screenshot of my admin graphs..... how does this compare to others?Screenshot-1.jpg

[uxbod]

Not seen one of those image SPAMs for a while ... They are one of the first iterations and can easily be caught by using FuzzyOCR.