>We're trying to replace a Windows anti-spam on the mailbox servers
>with amavisd/sa/clam on the front-end mx.
>
>We are running in tandem both now in the amavis/sa/clam testing phase.
>
>The backend mail content-scanner is still catching too many true
>spams that get past amavis.
>
>We uploaded the spams caught by backend to the mx and ran them
>through spamc, with these results:
>
>70524039.eml 6.8/5.0
>70524110.eml 2.2/5.0
>70524179.eml -0.8/5.0
>70524467.eml 0.6/5.0
>70524539.eml 4.4/5.0
>70524823.eml 5.3/5.0
>70524975.eml 0.7/5.0
>70525118.eml 0.0/5.0
>70525193.eml 0.3/5.0
>70525194.eml 0.3/5.0
>70525195.eml 0.3/5.0
>70525196.eml 0.3/5.0
>70525268.eml 0.6/5.0
>70525555.eml 0.6/5.0
>70526054.eml 1.1/5.0
>70526278.eml -6.9/5.0
>70526349.eml 5.1/5.0
>70526350.eml 5.1/5.0
>70526355.eml 6.2/5.0
>70526504.eml -1.5/5.0
>70526736.eml 2.5/5.0
>70526806.eml 0.6/5.0
>70526878.eml 7.0/5.0
>70526948.eml -4.7/5.0
>70527201.eml -4.0/5.0
>70527759.eml 1.7/5.0
>70527851.eml 13.9/5.0
>70527853.eml 6.6/5.0
>70527857.eml 6.6/5.0
>70527859.eml 1.7/5.0
>70527964.eml 4.0/5.0
>70528139.eml 0.3/5.0
>70528238.eml -2.6/5.0
>70528410.eml 2.5/5.0
>70528676.eml 1.8/5.0
>70528770.eml 3.2/5.0
>70528867.eml -0.8/5.0
>70528947.eml -2.6/5.0
>70529227.eml 4.3/5.0
>70529503.eml -0.2/5.0
>70529506.eml -0.2/5.0
>70529588.eml 0.0/5.0
>70529687.eml 4.7/5.0
>70529695.eml 0.0/5.0
>70529768.eml 2.8/5.0
>70529775.eml -8.0/5.0
>70529866.eml 1.9/5.0
>70529956.eml 4.3/5.0
>70530039.eml 2.0/5.0
>70530206.eml 3.5/5.0
>70530469.eml 0.0/5.0
>70530670.eml 6.1/5.0
>70530671.eml 6.1/5.0
>70530746.eml 0.2/5.0
>70530840.eml 0.0/5.0
>
>All of the above files are below the default 400KB amavis max file
>limit to send to sa, so they should not be skipped past sa.
>
>How are the *.eml's with 5+ score on just the body (excluding tests on
>the sending IP) getting through amavis/sa?
>
>our sa rulesets:
>
>mx1# ll /usr/local/etc/mail/spamassassin/
>total 318
>-rw-r--r-- 1 root wheel 22546 Jun 24 2005 backhair.cf
>-rw-r--r-- 1 root wheel 23422 Jun 24 2005 chickenpox.cf
>-rw-r--r-- 1 root wheel 1300 Jul 24 13:49 init.pre
>-rw-r--r-- 1 root wheel 1300 Dec 1 2007 init.pre.sample
>-rw-r--r-- 1 root wheel 1728 Jul 27 13:13 local.cf
>-rw-r--r-- 1 root wheel 1208 Dec 1 2007 local.cf.sample
>-rw-r--r-- 1 root wheel 224996 Jul 25 13:57 malwareblocklist.cf
>drwx------ 2 root wheel 512 Jul 24 14:05 sa-update-keys
>-rw-r--r-- 1 root wheel 2603 Jul 24 13:49 v310.pre
>-rw-r--r-- 1 root wheel 2603 Dec 1 2007 v310.pre.sample
>-rw-r--r-- 1 root wheel 1195 Jul 24 13:49 v312.pre
>-rw-r--r-- 1 root wheel 1195 Dec 1 2007 v312.pre.sample
>-rw-r--r-- 1 root wheel 2416 Jul 24 13:49 v320.pre
>-rw-r--r-- 1 root wheel 2416 Dec 1 2007 v320.pre.sample
>
>Any suggestions for other rulesets?
>
>thanks
>Len
==============

Here's an example of a true positive msg caught by the backend after
amavis passed it as clean:

"spamc -c" against the DATA body checks out as:

70537530.eml 10.3/5.0

but in the 70537530.eml file:

X-Spam-Score: -2.27
X-Spam-Level:
X-Spam-Status: No, score=-2.27 tagged_above=-20 required=5 tests=[AWL=-1.556,
 BAYES_50=0.001, HABEAS_ACCREDITED_SOI=-4.3, HTML_IMAGE_RATIO_04=0.172,
 HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, URIBL_BLACK=1.955]

so amavis correctly decided "Passed CLEAN" for -2.27, but the 12+
discrepancy between spamc and amavis scores

Len

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
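
Added example, not part of the original post: a Python sketch that parses the X-Spam-Status header quoted above and shows how much of the gap to the spamc result the negative-scoring tests account for. The function names are hypothetical; the header text and the 10.3 spamc score are taken from the message.

```python
import re

# Header copied from the message above (70537530.eml), unfolded onto one line.
HEADER = ("X-Spam-Status: No, score=-2.27 tagged_above=-20 required=5 "
          "tests=[AWL=-1.556, BAYES_50=0.001, HABEAS_ACCREDITED_SOI=-4.3, "
          "HTML_IMAGE_RATIO_04=0.172, HTML_MESSAGE=0.001, "
          "MIME_HTML_ONLY=1.457, URIBL_BLACK=1.955]")
SPAMC_SCORE = 10.3  # "spamc -c" result reported for the same file

NUM = r"(-?\d+(?:\.\d+)?)"

def parse_status(header):
    """Return (score, required, {test: points}) from an X-Spam-Status header."""
    value = " ".join(header.split())  # collapse folded continuation lines
    score = re.search(r"\bscore=" + NUM, value)
    required = re.search(r"\brequired=" + NUM, value)
    if not score or not required:
        raise ValueError("not an amavisd-style X-Spam-Status header")
    tests = {}
    listed = re.search(r"tests=\[(.*?)\]", value)
    if listed and listed.group(1).strip():
        for item in listed.group(1).split(","):
            name, _, points = item.strip().partition("=")
            tests[name] = float(points)
    return float(score.group(1)), float(required.group(1)), tests

def breakdown(header, spamc_score):
    """Compare the header's per-test points with a separate spamc score."""
    score, required, tests = parse_status(header)
    negative = {n: p for n, p in tests.items() if p < 0}
    # Score the message would have had if the negative tests had not fired.
    without_negative = round(sum(tests.values()) - sum(negative.values()), 3)
    return {
        "header_score": score,
        "sum_of_tests": round(sum(tests.values()), 3),
        "negative_tests": negative,
        "without_negative": without_negative,
        "still_below_required": without_negative < required,
        "gap_to_spamc": round(spamc_score - score, 2),
        "gap_not_explained": round(spamc_score - without_negative, 3),
    }

if __name__ == "__main__":
    for key, val in breakdown(HEADER, SPAMC_SCORE).items():
        print(f"{key}: {val}")
```

AWL and HABEAS_ACCREDITED_SOI subtract 5.856 points between them, so they cover less than half of the 12.57-point difference; the rest cannot be read from this header alone.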