Gary V wrote:

Gerry wrote:

Also, not much spam is getting autolearned:
su amavis -c 'sa-learn --dump magic'
0.000          0          3          0  non-token data: bayes db version
0.000          0         29          0  non-token data: nspam
0.000          0       1548          0  non-token data: nham

This is scary. Spam often outpaces ham nearly 10 to 1. If you really
only get this much spam coming in the front door, are you sure you
need SpamAssassin? Is the mail cleaned before amavisd-new sees it?

Do you also see ALL_TRUSTED in the headers of mail that is sent to you
from outside your network?

Gary V

Thanks Gary...I do not see ALL_TRUSTED in the headers. I ran a count on the amount of spam we've received in the last three days where the score is above 6 (default) and there are 850 messages. I have quarantine set to 12. Below are the headers of spam received on my account where I am a little more strict with tag level (3), a ham message from yahoo, and a snip of the maillog from that message. Thanks!

Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
        by mail.nicomtech.com (Postfix) with ESMTP id 469CDFE8584
        for <[EMAIL PROTECTED]>; Fri,  9 Dec 2005 06:48:04 -0500 (EST)
Received: from mail.nicomtech.com ([127.0.0.1])
        by localhost (mail.nicomtech.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 19188-03 for <[EMAIL PROTECTED]>;
        Fri,  9 Dec 2005 06:48:04 -0500 (EST)
Received: from maychu (unknown [203.162.25.87])
        by mail.nicomtech.com (Postfix) with SMTP id 5E5E6FE8583
        for <[EMAIL PROTECTED]>; Fri,  9 Dec 2005 06:47:55 -0500 (EST)
Message-ID: <[EMAIL PROTECTED]>
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: ***SPAM*** 2: ALL MAJOR DESIGNER REPLICA //ATCHES!     Save $32
Date: Fri, 09 Dec 2005  18:47:41 +0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0011_01C5FCF1.08A5F920"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Virus-Scanned: amavisd-new at nicomtech.com
X-Spam-Status: Yes, score=4.771 tagged_above=-999 required=3
        tests=[FUZZY_ROLEX=2.193, HTML_60_70=0.29, HTML_MESSAGE=0.001,
        MIME_HTML_MOSTLY=1.703, MIME_QP_LONG_LINE=0.159, MPART_ALT_DIFF=0.425]
X-Spam-Score: 4.771
X-Spam-Level: ****
X-Spam-Flag: YES
Status: RO

****
From - Fri Dec 09 09:14:22 2005
X-Account-Key: account2
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from localhost (localhost.localdomain [127.0.0.1])
        by mail.nicomtech.com (Postfix) with ESMTP id B404DFE8587
        for <[EMAIL PROTECTED]>; Fri,  9 Dec 2005 09:09:58 -0500 (EST)
Received: from mail.nicomtech.com ([127.0.0.1])
        by localhost (mail.nicomtech.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 21908-11 for <[EMAIL PROTECTED]>;
        Fri,  9 Dec 2005 09:09:58 -0500 (EST)
Received: from web34609.mail.mud.yahoo.com (web34609.mail.mud.yahoo.com [209.191.68.143])
        by mail.nicomtech.com (Postfix) with SMTP id 2854CFE8585
        for <[EMAIL PROTECTED]>; Fri,  9 Dec 2005 09:09:57 -0500 (EST)
Received: (qmail 60233 invoked by uid 60001); 9 Dec 2005 14:09:56 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=s1024; d=yahoo.com;
 h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
b=kdizhcJLPiilP6QTGby5VxZZao2XlQX8zd0JwwIL2WoMpX6PHjAlO++LP2uC5InSdWD7oWD+6IGjjQu7f6IUGqP6ftqxS403p9cq6KDZXhwhDh/4JMAZR3EJ51E+IFG/Sd8XXfVgi1oV8SjvuC5vRiM1Iwc+HFs4EZXP2dzqDBQ=
  ;
Message-ID: <[EMAIL PROTECTED]>
Received: from [64.9.81.2] by web34609.mail.mud.yahoo.com via HTTP; Fri, 09 Dec 2005 06:09:56 PST
Date: Fri, 9 Dec 2005 06:09:56 -0800 (PST)
From: Gerry McOmber <[EMAIL PROTECTED]>
Subject: Test Email
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-291847347-1134137396=:59529"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: amavisd-new at nicomtech.com
X-Spam-Status: No, score=0.263 tagged_above=-999 required=6 tests=[AWL=-0.028,
        HTML_60_70=0.29, HTML_MESSAGE=0.001]
X-Spam-Score: 0.263
X-Spam-Level:
X-IMAPbase: 1133920243 103
Status: O
X-UID: 103
Content-Length: 732
X-Keywords:
****
Dec 9 09:09:57 mail postfix/smtpd[22732]: connect from web34609.mail.mud.yahoo.com[209.191.68.143]
Dec 9 09:09:58 mail postfix/smtpd[22732]: 2854CFE8585: client=web34609.mail.mud.yahoo.com[209.191.68.143]
Dec 9 09:09:58 mail postfix/cleanup[23193]: 2854CFE8585: message-id=<[EMAIL PROTECTED]>
Dec 9 09:09:58 mail postfix/qmgr[2502]: 2854CFE8585: from=<[EMAIL PROTECTED]>, size=1843, nrcpt=1 (queue active)
Dec 9 09:09:58 mail amavis[21908]: (21908-11) ESMTP::10024 /var/amavis/amavis-20051209T083744-21908: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]> Received: SIZE=1843 BODY=8BITMIME from mail.nicomtech.com ([127.0.0.1]) by localhost (mail.nicomtech.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 21908-11 for <[EMAIL PROTECTED]>; Fri, 9 Dec 2005 09:09:58 -0500 (EST)
Dec 9 09:09:58 mail amavis[21908]: (21908-11) Checking: HimjULlTa8qP [209.191.68.143] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Dec 9 09:09:58 mail amavis[21908]: (21908-11) p003 1 Content-Type: multipart/alternative
Dec 9 09:09:58 mail amavis[21908]: (21908-11) p001 1/1 Content-Type: text/plain, size: 144 B, name:
Dec 9 09:09:58 mail amavis[21908]: (21908-11) p002 1/2 Content-Type: text/html, size: 333 B, name:
Dec 9 09:09:58 mail postfix/smtpd[22732]: disconnect from web34609.mail.mud.yahoo.com[209.191.68.143]
Dec 9 09:09:58 mail amavis[21908]: (21908-11) SPAM-TAG, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, No, score=0.263 tagged_above=-999 required=6 tests=[AWL=-0.028, HTML_60_70=0.29, HTML_MESSAGE=0.001]
Dec 9 09:09:58 mail postfix/smtpd[23199]: connect from localhost.localdomain[127.0.0.1]
Dec 9 09:09:58 mail postfix/smtpd[23199]: B404DFE8587: client=localhost.localdomain[127.0.0.1]
Dec 9 09:09:58 mail postfix/cleanup[23193]: B404DFE8587: message-id=<[EMAIL PROTECTED]>
Dec 9 09:09:58 mail postfix/qmgr[2502]: B404DFE8587: from=<[EMAIL PROTECTED]>, size=2460, nrcpt=1 (queue active)
Dec 9 09:09:58 mail postfix/smtpd[23199]: disconnect from localhost.localdomain[127.0.0.1]
Dec 9 09:09:58 mail amavis[21908]: (21908-11) FWD via SMTP: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, BODY=8BITMIME, 250 2.6.0 Ok, id=21908-11, from MTA([127.0.0.1]:10025): 250 Ok: queued as B404DFE8587
Dec 9 09:09:58 mail postfix/local[23662]: B404DFE8587: to=<[EMAIL PROTECTED]>, relay=local, delay=0, status=sent (delivered to mailbox)
Dec  9 09:09:58 mail postfix/qmgr[2502]: B404DFE8587: removed
Dec 9 09:09:58 mail amavis[21908]: (21908-11) Passed CLEAN, [209.191.68.143] [64.9.81.2] <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: <[EMAIL PROTECTED]>, mail_id: HimjULlTa8qP, Hits: 0.263, 258 ms
Dec 9 09:09:58 mail amavis[21908]: (21908-11) TIMING [total 264 ms] - SMTP EHLO: 3 (1%)1, SMTP pre-MAIL: 1 (0%)2, lookup_sql: 4 (2%)3, SMTP pre-DATA-flush: 2 (1%)4, SMTP DATA: 34 (13%)17, body_digest: 1 (0%)17, gen_mail_id: 0 (0%)17, mime_decode: 21 (8%)25, get-file-type2: 17 (6%)32, decompose_part: 1 (0%)32, decompose_part: 0 (0%)32, parts_decode: 0 (0%)32, AV-scan-1: 9 (4%)36, lookup_sql: 3 (1%)37, lookup_sql: 1 (1%)38, spam-wb-list: 2 (1%)38, SA msg read: 1 (0%)38, SA parse: 3 (1%)39, SA check: 80 (30%)70, update_cache: 1 (1%)70, deal_with_mail_size: 1 (0%)71, fwd-connect: 8 (3%)73, fwd-mail-from: 1 (1%)74, fwd-rcpt-to: 2 (1%)75, write-header: 2 (1%)75, fwd-data: 1 (0%)76, fwd-data-end: 45 (17%)93, fwd-rundown: 2 (1%)93, main_log_entry: 14 (5%)99, update_snmp: 2 (1%)99, unlink-2-files: 1 (1%)100, rundown: 0 (0%)100
Dec 9 09:09:58 mail postfix/smtp[23541]: 2854CFE8585: to=<[EMAIL PROTECTED]>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=21908-11, from MTA([127.0.0.1]:10025): 250 Ok: queued as B404DFE8587)
Dec  9 09:09:58 mail postfix/qmgr[2502]: 2854CFE8585: removed
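
Added example, not part of the original thread: a Python check that reads the `sa-learn --dump magic` counts and the two X-Spam-Status headers quoted above and reports whether the Bayes classifier can contribute to scoring and whether ALL_TRUSTED fired. The function names are hypothetical; the 200/200 thresholds are SpamAssassin's defaults for `bayes_min_spam_num` and `bayes_min_ham_num`, and are an assumption about this site's configuration.

```python
import re

# Copied from the post: `sa-learn --dump magic` rows and both X-Spam-Status values.
DUMP_MAGIC = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0         29          0  non-token data: nspam
0.000          0       1548          0  non-token data: nham
"""
STATUS_HEADERS = [
    "Yes, score=4.771 tagged_above=-999 required=3 tests=[FUZZY_ROLEX=2.193, "
    "HTML_60_70=0.29, HTML_MESSAGE=0.001, MIME_HTML_MOSTLY=1.703, "
    "MIME_QP_LONG_LINE=0.159, MPART_ALT_DIFF=0.425]",
    "No, score=0.263 tagged_above=-999 required=6 tests=[AWL=-0.028, "
    "HTML_60_70=0.29, HTML_MESSAGE=0.001]",
]

def parse_dump_magic(text):
    """Map each 'non-token data' label to its value (third column)."""
    counts = {}
    for line in text.splitlines():
        m = re.match(r"\s*\S+\s+\S+\s+(\d+)\s+\S+\s+non-token data: (.+)$", line)
        if m:
            counts[m.group(2).strip()] = int(m.group(1))
    return counts

def parse_status(value):
    """Split an X-Spam-Status value into (is_spam, score, required, tests)."""
    flat = " ".join(value.split())  # undo header folding
    m = re.match(r"(Yes|No), score=(-?[\d.]+) .*?required=(-?[\d.]+)\s+tests=\[(.*)\]", flat)
    if not m:
        raise ValueError("unrecognised X-Spam-Status: %r" % value)
    pairs = (t.split("=") for t in m.group(4).split(", ") if t)
    tests = {name: float(score) for name, score in pairs}
    return m.group(1) == "Yes", float(m.group(2)), float(m.group(3)), tests

def diagnose(dump_text, status_values, min_spam=200, min_ham=200):
    """Return findings; min_spam/min_ham default to SpamAssassin's stock values."""
    counts = parse_dump_magic(dump_text)
    findings = []
    if counts.get("nspam", 0) < min_spam or counts.get("nham", 0) < min_ham:
        findings.append("bayes-inactive")    # too few learned messages to score
    hits = [parse_status(v)[3] for v in status_values]
    if not any(n.startswith("BAYES_") for tests in hits for n in tests):
        findings.append("no-bayes-hits")     # no BAYES_xx rule in any header
    if any("ALL_TRUSTED" in tests for tests in hits):
        findings.append("all-trusted-seen")  # trust path treats the sender as internal
    return findings

if __name__ == "__main__":
    print(parse_dump_magic(DUMP_MAGIC), diagnose(DUMP_MAGIC, STATUS_HEADERS))
```

With the values from the post, both Bayes findings are reported and ALL_TRUSTED is not.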


