  #1 (permalink)  
Old 04-26-2010, 09:37 AM
Special Member
 
Posts: 101
Default Increased Spam detection

I have one user who has seen an increase in "Suspect" spam messages, and these messages are actually false positives. Some of these messages are being tagged only a day after this user replied to original sender and the earlier msgs were not tagged as suspect.
How can I reset this user, so he doesn't get the false positives as frequently?
(He has not gotten used to checking spam folder after three years with Zimbra...this is not the time to start remedial training...)
Thanks. Hope this makes sense.
rickvv

Last edited by rickvv; 04-26-2010 at 09:37 AM.. Reason: spelling
Reply With Quote
  #2 (permalink)  
Old 04-26-2010, 09:46 AM
Moderator
 
Posts: 7,928
Default

Unfortunately you cannot as the Bayes database is shared between all users. What we could really do with seeing is the headers from one of those emails. It could be that another rule is triggering; and not actually the Bayes scoring them incorrectly.
Reply With Quote
  #3 (permalink)  
Old 04-27-2010, 05:51 AM
Special Member
 
Posts: 101
Default

Found the headers. This seems to be the first one that the user didn't send to himself. I have another from one day previous that user sent to himself that was tagged
Return-Path: bounce@sminbound.zappos.com
Received: from smtp.creativelights.com (LHLO smtp.creativelights.com)
(10.0.0.1) by smtp.creativelights.com with LMTP; Sun, 25 Apr 2010 10:06:02
-0500 (CDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by smtp.creativelights.com (Postfix) with ESMTP id B20C59AEB91
for <michael@creative-lighting.com>; Sun, 25 Apr 2010 10:06:02 -0500 (CDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: YES
X-Spam-Score: 6.211
X-Spam-Level: ******
X-Spam-Status: Yes, score=6.211 tagged_above=-10 required=5.4
tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13,
DNS_FROM_RFC_DSN=1.495, FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001,
MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from smtp.creativelights.com ([127.0.0.1])
by localhost (smtp.creativelights.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id jc6XGKoWm0QP for <michael@creative-lighting.com>;
Sun, 25 Apr 2010 10:05:49 -0500 (CDT)
Received: from mta1.zappos.com (mta1.zappos.com [208.91.37.20])
by smtp.creativelights.com (Postfix) with ESMTP id E4E4A9AE8D9
for <michael@creative-lighting.com>; Sun, 25 Apr 2010 10:05:47 -0500 (CDT)
Received: from zappos.com ([192.168.66.150])
by mta1.zappos.com (StrongMail Enterprise 4.1.2(4.1.2-51177)); Sun, 25 Apr 2010 07:53:53 -0700
X-VirtualServer: zappos, mta1.zappos.com, 192.168.66.222
X-VirtualServerGroup: zappos
X-MailingID: 1219874987::129008::1271035955::60800::35910::35910
X-SMHeaderMap: mid="X-MailingID"
X-Mailer: StrongMail Enterprise 4.1.2(4.1.2-51177)
X-Destination-ID: michael@creative-lighting.com
X-SMFBL: bWljaGFlbEBjcmVhdGl2ZS1saWdodGluZy5jb20=
DomainKey-Signature: a=rsa-sha1;
c=nofws;
s=sm;
d=zappos.com;
q=dns;
b=GwlTpcd6vBLRx+KKAYUmr71HG6OAqdn3zrgx87sQKafpYtf7 +3L8hrhJlg1083GlENsiYFA4/TjK8ripYccXtGjScp0nCn4omJZIAJjx1C0tQ8nhnUodLSXAS+F vlVhS4oCByWZI1Tsq7mqLY4xPNy5DYzrcfbNOmDzufZ6j6uc=
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=zappos.com; s=sm;
i=@zappos.com; h=Content-Transfer-Encoding:Content-Type:Reply-To:
MIME-Version:Message-ID:Subject:Date:To:From; bh=rCeaaU0rCvpzU36
yvc+4UB07gtc=; b=p42nZq0rit8Z46eYDa6D0/Yqj0mg0O3yA02cGk2GRojgcfF
amxFGY4nNdWlgN7CfPGUOJwMyTQZlS5VdgH2Uy1ggS3OMWcV09 3OYoCRYQk/Wrpj
08B3Y2bsfG9Ag8pDNDZLqdg1i31hwEpT7ucv6pH12UPDWdEZrP WHRjbHANhs=
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative;
boundary="----=_NextPart_0FF_C71C_7ABF196A.5E4DB968"
Reply-To: <customerservice@zappos.com>
MIME-Version: 1.0
Message-ID: <1219874987.35910@zappos.com>
Subject: [SUSPECT]Your Zappos.com Password
Date: Sun, 25 Apr 2010 07:53:39 -0700
To: michael@creative-lighting.com
From: Zappos.com <customerservice@zappos.com>


------=_NextPart_0FF_C71C_7ABF196A.5E4DB968
Content-Type: text/plain;
charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline


Quote:
Originally Posted by uxbod View Post
Unfortunately you cannot as the Bayes database is shared between all users. What we could really do with seeing is the headers from one of those emails. It could be that another rule is triggering; and not actually the Bayes scoring them incorrectly.

Last edited by rickvv; 04-27-2010 at 05:53 AM.. Reason: found headers
Reply With Quote
  #4 (permalink)  
Old 04-27-2010, 05:58 AM
Special Member
 
Posts: 101
Default

Here's one that user sent to himself via a Zimbra DistributionList. AMAvis tagged it? (Hmm...something about "FH_DATE_PAST_20XX=3.188" looks suspicious. Would this be the time setting on his laptop?)
===
Return-Path: michael@creative-lighting.com
Received: from smtp.creativelights.com (LHLO smtp.creativelights.com)
(10.0.0.1) by smtp.creativelights.com with LMTP; Sat, 24 Apr 2010 12:59:42
-0500 (CDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by smtp.creativelights.com (Postfix) with ESMTP id 71B03114069;
Sat, 24 Apr 2010 12:59:42 -0500 (CDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: YES
X-Spam-Score: 5.831
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.831 tagged_above=-10 required=5.4
tests=[AWL=0.370, BAYES_20=-0.74, DNS_FROM_OPENWHOIS=1.13,
FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905,
RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]
Received: from smtp.creativelights.com ([127.0.0.1])
by localhost (smtp.creativelights.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id BK3j0wmVWNoS; Sat, 24 Apr 2010 12:59:33 -0500 (CDT)
Received: from smtp.creativelights.com (localhost.localdomain [127.0.0.1])
by smtp.creativelights.com (Postfix) with ESMTP id 2E95A11404F
for <allsales@creative-lighting.com>; Sat, 24 Apr 2010 12:59:33 -0500 (CDT)
Date: Sat, 24 Apr 2010 12:59:33 -0500 (CDT)
From: Michael Minsberg <michael@creative-lighting.com>
To: AllSales <allsales@creative-lighting.com>
Message-ID: <20370157.41272131510203.JavaMail.SYSTEM@acerlap>
In-Reply-To: <880813.748601272127256648.JavaMail.root@smtp>
Subject: [SUSPECT]Fwd: recessed and track lighting
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_4_19318917.1272131510187"
X-Originating-IP: [75.161.143.120]

------=_Part_4_19318917.1272131510187
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Reply With Quote
  #5 (permalink)  
Old 04-27-2010, 06:01 AM
Trained Alumni
 
Posts: 25
Default

You suffer from two known bugs in SPAM-detection (FH_DATE_PAST_20XX=3.188) and (DNS_FROM_OPENWHOIS=1.13).

See the Sticky thread in this forum "[SOLVED] FH_DATE_PAST_20XX - Spamassassin bug - incorrect tagging from Jan 1, 2010" and search forums/bugzilla for DNS_FROM_OPENWHOIS.

Bugid:45625 - Bug 45625 - remove OPENWHOIS references from spamassasin config
Reply With Quote
  #6 (permalink)  
Old 04-27-2010, 06:02 AM
Special Member
 
Posts: 101
Default

One more thing. User is on ZimbraDesktop client, not standard Web client.
Sorry to have left that out. Make a difference?
(I've just asked user to give me time/date from his laptop).
rickvv
Reply With Quote
  #7 (permalink)  
Old 04-27-2010, 06:05 AM
Special Member
 
Posts: 101
Default

I just googled that FH_DATE_PAST tag.
I'll look at what I need to do.
Might be a good time to take my Zimbra up to 6.x
Thanks,
rickvv

Quote:
Originally Posted by moren View Post
You suffer from two known bugs in SPAM-detection (FH_DATE_PAST_20XX=3.188) and (DNS_FROM_OPENWHOIS=1.13).

See the Sticky thread in this forum "[SOLVED] FH_DATE_PAST_20XX - Spamassassin bug - incorrect tagging from Jan 1, 2010" and search forums/bugzilla for DNS_FROM_OPENWHOIS.
Reply With Quote
  #8 (permalink)  
Old 04-27-2010, 06:11 AM
Trained Alumni
 
Posts: 25
Default

In the threads there are quick "work arounds" to fix this before upgrade, i.e. set FH_DATE_PAST_20XX score to 0.0, and for the openwhois there are ways to stop using the obsolete openwhois service.
Reply With Quote
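
Added example, not part of any post in this thread: a Python script that parses the two X-Spam-Status values posted in #3 and #4 and recomputes each score with the two rules named in post #5 counted as 0, to check whether either message would still reach required=5.4. The function names `parse_spam_status` and `rescore` are hypothetical; the header values are copied from the posts above.

```python
import re

# Rules that post #5 identifies as known-buggy.
KNOWN_BAD_RULES = {"FH_DATE_PAST_20XX", "DNS_FROM_OPENWHOIS"}

# X-Spam-Status values copied from the headers in posts #3 and #4.
ZAPPOS = """Yes, score=6.211 tagged_above=-10 required=5.4
 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13,
 DNS_FROM_RFC_DSN=1.495, FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001,
 MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]"""
DISTLIST = """Yes, score=5.831 tagged_above=-10 required=5.4
 tests=[AWL=0.370, BAYES_20=-0.74, DNS_FROM_OPENWHOIS=1.13,
 FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905,
 RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]"""


def parse_spam_status(value):
    """Return (score, required, {rule: points}) from a folded header value."""
    flat = " ".join(value.split())  # unfold continuation lines
    head = re.search(r"score=(-?[\d.]+).*?required=(-?[\d.]+)", flat)
    tests = re.search(r"tests=\[([^\]]*)\]", flat)
    if not head or not tests:
        raise ValueError("not an amavisd-new style X-Spam-Status value")
    rules = {}
    for item in filter(None, (t.strip() for t in tests.group(1).split(","))):
        name, _, points = item.partition("=")
        rules[name] = float(points)
    return float(head.group(1)), float(head.group(2)), rules


def rescore(value, ignore=KNOWN_BAD_RULES):
    """Recompute the score with the rules in `ignore` scored as 0."""
    score, required, rules = parse_spam_status(value)
    kept = {r: p for r, p in rules.items() if r not in ignore}
    adjusted = round(sum(kept.values()), 3)
    return {
        # False means the tests list does not add up to the reported score.
        "consistent": abs(sum(rules.values()) - score) < 0.001,
        "original": score,
        "adjusted": adjusted,
        "was_spam": score >= required,
        "still_spam": adjusted >= required,
        "dropped": sorted(set(rules) - set(kept)),
    }


if __name__ == "__main__":
    for label, value in (("post #3", ZAPPOS), ("post #4", DISTLIST)):
        print(label, rescore(value))
```

With both rules ignored, the two messages score 1.893 and 1.513, well under the 5.4 threshold, so neither would have been tagged [SUSPECT].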