More Spam after upgrading to 6.0.5

**swrightsls** · 04-07-2010, 11:57 AM

Ok, got two spam in the junk folder, and the headers show it seems to be working:

X-Spam-Status: Yes, score=13.668 tagged_above=-10 required=4
tests=[BAYES_60=1, MISSING_DATE=0.001, MISSING_HEADERS=1.292,
MISSING_MID=0.001, MISSING_SUBJECT=1.762, RCVD_IN_PBL=0.905,
RCVD_IN_SORBS_WEB=0.619, RCVD_IN_SPAMRATS_NOPTR=2, RCVD_IN_XBL=3.033,
RDNS_NONE=0.1, SEM_URI=0.5, SEM_URIRED=0.5, URIBL_BLACK=1.955]
autolearn=spam

**uxbod** · 04-07-2010, 12:00 PM

You can add this one as-well to your arsenal

Code:

################################################################################
# NIX SPAM RBL (http://www.dnsbl.manitu.net/)
################################################################################
header          RCVD_IN_NIX_SPAM       eval:check_rbl('nix-spam-lastexternal','ix.dnsbl.manitu.net.')
describe        RCVD_IN_NIX_SPAM       Listed in NIX-SPAM DNSBL (heise.de)
tflags          RCVD_IN_NIX_SPAM       net
score           RCVD_IN_NIX_SPAM       0.5

**swrightsls** · 04-07-2010, 12:00 PM

Here is the link from one that didn't get caught earlier today. This was before adding the extra DNSBL checks:

Email Info - rdn4c1j9

**uxbod** · 04-07-2010, 12:05 PM

Cool .. I score at 8.76 so hopefully your new checks will sort things out for you a bit

**ewilen** · 04-07-2010, 12:31 PM

EDIT: Cross-posted with the last several posts...

Originally Posted by swrightsls

I did do a zmamavisdctl reload - is that enough?

Possibly not. You can look in salocal.cf to see if the changes made it through. In my case I went ahead and restarted zimbra entirely because it looked like they didn't. For me this seems to be a change from 5.x.

What is the significance of the 'autolearn' tag?

Good question. There is a settable numeric threshold which if exceeded will result in SA using the message for its Bayesian learning. The default is pretty high, and it's found in /opt/zimbra/conf/spamassassin/10_default_prefs.cf

It actually has three settings:

Code:

bayes_auto_learn_threshold_nonspam  0.1
bayes_auto_learn_threshold_spam             12.0
bayes_auto_learn                    1

The version of SA included in 6.0.5 seems to add some rules (or maybe it's just new reporting). In short there are some exceptions to the simple numeric threshold:

Originally Posted by relevant lines from selected files in /opt/zimbra/conf/spamassassin/

10_default_prefs.cf:# UNDISC_RECIPS autolearn=spam version=2.60-cvs
10_default_prefs.cf:add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_"

20_body_tests.cf:tflags GTUBE userconf noautolearn

60_awl.cf:tflags AWL userconf noautolearn
60_shortcircuit.cf:add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ version=_VERSION_"
60_whitelist.cf:# Note that most of these get 'noautolearn'. They should not be
60_whitelist.cf:# considered when deciding whether to auto-learn a message, as a
60_whitelist.cf:# user slip-up could result in scribbling side-effects in the bayes
60_whitelist.cf:# db as a result -- which is hard to remedy.

60_whitelist.cf:tflags USER_IN_BLACKLIST userconf noautolearn
60_whitelist.cf:tflags USER_IN_WHITELIST userconf nice noautolearn
60_whitelist.cf:tflags USER_IN_DEF_WHITELIST userconf nice noautolearn
60_whitelist.cf:tflags USER_IN_BLACKLIST_TO userconf noautolearn
60_whitelist.cf:tflags USER_IN_WHITELIST_TO userconf nice noautolearn
60_whitelist.cf:tflags USER_IN_MORE_SPAM_TO userconf nice noautolearn
60_whitelist.cf:tflags USER_IN_ALL_SPAM_TO userconf nice noautolearn
60_whitelist_dk.cf:tflags USER_IN_DK_WHITELIST userconf nice noautolearn net
60_whitelist_dk.cf:tflags USER_IN_DEF_DK_WL userconf nice noautolearn net
60_whitelist_dk.cf:tflags ENV_AND_HDR_DK_MATCH userconf nice noautolearn net
60_whitelist_dkim.cf:tflags USER_IN_DKIM_WHITELIST userconf nice noautolearn net
60_whitelist_dkim.cf:tflags USER_IN_DEF_DKIM_WL userconf nice noautolearn net
60_whitelist_dkim.cf:tflags ENV_AND_HDR_DKIM_MATCH userconf nice noautolearn net
60_whitelist_spf.cf:tflags USER_IN_SPF_WHITELIST userconf nice noautolearn
60_whitelist_spf.cf:tflags USER_IN_DEF_SPF_WL userconf nice noautolearn
60_whitelist_spf.cf:tflags ENV_AND_HDR_SPF_MATCH userconf nice noautolearn
60_whitelist_subject.cf:# Note that most of these get 'noautolearn'. They should not be
60_whitelist_subject.cf:tflags SUBJECT_IN_WHITELIST userconf nice noautolearn
60_whitelist_subject.cf:tflags SUBJECT_IN_BLACKLIST userconf noautolearn

More info: Mail::SpamAssassin::Conf - SpamAssassin configuration file and Mail::SpamAssassin::Plugin::AutoLearnThreshold - threshold-based discriminator for Bayes auto-learning

This probably explains why I'm seeing "autolearn=spam" on some messages and "autolearn=no" on others, even though they have similar scores. However I seem to remember seeing some mail items marked as "autolearn=spam" even though their scores were less than 12. I don't have any samples at the moment to investigate, though.

**swrightsls** · 04-07-2010, 01:23 PM

Here's another very spammy email that just came through:

ATM

**ewilen** · 04-07-2010, 05:16 PM

Update on my previous note, it seems that another reason a message may autolearn (or not) even though it's below/above the default threshold is this:

[...]the score used to trigger autolearning is somewhat different than the one reported in the final score; therefore a score displayed in the headers that obstensibly should trigger autolearning will not do so. Again, use the "-D" flag to SpamAssassin, and you will see the score that is used to determine whether or not autolearning will be triggered.

Finally, SpamAssassin requires at least 3 points from the header and 3 points from the body, to auto-learn as spam. If either section contributes fewer points, the message will not be auto-learned.

And regarding the actual header message, this is controlled by amavisd-new, not spamassassin, and was implemented in amavisd-new 2.6.2 See http://www.ijs.si/software/amavisd/release-notes.txt

- insert autolearn=... information field into an X-Spam-Status header field,
similar to how SpamAssassin does it; suggested by Jonathan Skanes;

ZCS 5.0.20 I believe uses amavisd-new 2.5.4, so that's why I'm seeing the change.

**wdman** · 04-08-2010, 12:28 AM

After upgrading from 6.04 to 6.05 I get more spam to Inbox.

Also the mj doesn't seem to work when used from search results. It does move the email from search result, but the email doesn't get moved to Junk folder.

(There's no "moved 1 email to Junk" AJAX notification when doing the mj command).

**uxbod** · 04-08-2010, 02:31 AM

Why do you believe you are getting more SPAM ? Any examples ? Did you make any custom changes before ?

With respect to the keyboard shortcut have you checked Bugzilla Main Page - Zimbra to see if it has been filed ? and if it has not go ahead and raise one.

**wdman** · 04-11-2010, 06:33 AM

AJAX notification seems to appear with 6.06.

When marking spam as Junk - either via "mj" or selecting "Junk" - the message gets marked as NOT Spam/Junk. This happens with saved search "is:unread".
Probably related to Bug 45906 – Junk button not working correctly

Zimbra

Thread: More Spam after upgrading to 6.0.5

LinkBack

Thread Tools

Search Thread

Display

Thread Information

Users Browsing this Thread

Similar Threads

Upgrading 5.0.21 -> 6.0.5 SSL Server Certs Changed

Most of mails showing SPAM & discarded

SPAM getting through check_recipient_access after upgrading 5.0.7->5.0.13

Weird behaviors and LOTS of spam.

Major SPAM to one account

Posting Permissions