Spam Require Score

[Plurnay]

We notice and increase of spam lately

Even tho i think i have done my homework some of my coworkers are getting about 40 spam this weekend only (which could be worst but... you guys know how its is )

here some example of the x spam status of some emails spam that gets thru

X-Spam-Status: No, score=4.515 tagged_above=-10 required=5.6
tests=[AWL=-8.137, BAYES_95=3, MISSING_MID=0.001,
RCVD_IN_NIX_SPAM=0.5, RCVD_IN_PBL=0.905, RCVD_IN_SEMBLACK=0.5,
RCVD_IN_SPAMRATS_DYNA=2, RDNS_NONE=0.1, SPF_FAIL=0.693,
URIBL_BLACK=1.955, URIBL_SBL=1.499, URIBL_WS_SURBL=1.5] autolearn=no

X-Spam-Status: No, score=5.505 tagged_above=-10 required=5.6
tests=[BAYES_60=1, MISSING_MID=0.001, RCVD_IN_JMF_BL=1.5,
RCVD_IN_PBL=0.905, RCVD_IN_SEMBLACK=0.5, RDNS_NONE=0.1,
URIBL_SBL=1.499] autolearn=no

X-Spam-Status: No, score=4.357 tagged_above=-10 required=5.6
tests=[BAYES_50=0.001, RCVD_IN_PBL=0.905, RCVD_IN_SPAMRATS_NOPTR=2,w
RDNS_NONE=0.1, TVD_RCVD_SINGLE=1.351] autolearn=no

X-Spam-Status:
No, score=5.489 tagged_above=-10 required=5.6 tests=[AV:Sanesecurity.Spam.10765.UNOFFICIAL=0, AWL=-9.318, BAYES_99=3.5, CLAM_SS=2.5, MISSING_DATE=0.001, MISSING_MID=0.001, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_JMF_BL=1.5, RCVD_IN_NIX_SPAM=0.5, RCVD_IN_SEMBLACK=0.5, RCVD_IN_SORBS_WEB=0.619, RCVD_IN_XBL=3.033, SPF_FAIL=0.693] autolearn=spam

Now I know I could just lower my required scored... but I don't know how low is to much... so that we could be getting false positive.?


What do you guys use for your requirement score???
Do you guys sugest me something else i could do...

Thanks

[uxbod]

On two of those AWL (Auto White List) has driven down the score

Code:

AWL=-9.318

Have a look at /opt/zimbra/data/amavisd/.spamassassin as the files auto-whitelist*. You should be able to view them, and if not use strings on them, and see if you have some rogue addresses in there. If you do you can either strip them out or remove the polluted database all together using

Code:

zmamavisdctl stop
rm -f /opt/zimbra/data/amavisd/.spamassassin/auto-whitelist*
 zmamavisdctl start

[ewilen]

I seem to recall reading that AWL is removed altogether in the SA install included in 6.0.7. So an upgrade might be another way to go. The new SA also adjusts a number of other scores.

Have you run sa-update? Might help.

You could also increase the scoring for some of the blacklists. Personally I use a very high score for nixspam, and I'm thinking of increasing the score for uceprotect as well. (If you don't use uceprotect, do a search on the forum.)

You could also use b.barracudacentral.org either to score or (as I do) to block at the mta.

I use 4.4 as the required score.

[Plurnay]

thanks guys i will look at the AWL...
so do you guys think 5.6 is a bit high?

[ewilen]

Yes, I chose 4.4 based on observation. I could probably have gone lower. The nice thing about the Junk folder of course is that you can lower your required score without causing too much trouble if you overdo it. Just make sure your users understand how to unjunk email.

That said, the SA included in 6.0.7 has revised a number of scores quite a bit, and based on forum reports it seems to produce higher scores all by itself. Just something to keep in mind when you upgrade.

[ewilen]

By the way, this is where I read that AWL is disabled by default (not removed altogether) in the newer SA: Bug 44281 – Upgrade SpamAssassin to 3.3.1

According to the link, it can be enabled/disabled via a preference. I haven't investigated to see if Zimbra changes the preference to enable AWL.