> -----Original Message-----
> From: [EMAIL PROTECTED]
> Sent: Wednesday, January 11, 2006 6:51 AM
>
> I'm fed up with SA !
> Spam gets through no matter what i do :-(
> and ham is blocked.... (well not all ham, but even one is
> sometimes too much)

Unfortunately, this is the nature of the beast. "False positives", where ham is classified as spam, are the worst, but do occur. Similarly some spam gets through. You can improve the situation by taking various steps such as: (1) raising the spam threshold, (2) implementing manual whitelists and blacklists, (3) using various black list name servers, (4) adding custom rules such as those at http://www.rulesemporium.com/index.html, and (5) greylisting.

Personally, I don't like tweaking the overall spam threshold as mentioned in (1), above, but prefer to decrease the score on certain rules that seem to trigger false positives, and to increase the score for rules that seem good at detecting spam. I've also strayed away from using Bayes, because I found it difficult to maintain and manage and have had decent luck using the other techniques.

One thing that can be done when you initially set up SpamAssassin is to make sure you have trusted_networks set correctly and then add a bunch of whitelist_from_rcvd rules for hosts that send promotional literature that you want to accept, so it won't get scored as spam. You can also ask your boss, the CEO, and executive staff to go through their inboxes and give you a list of from addresses of customers and friends that they want to accept mail from and add those to your SA whitelist rules. This is a bit ad hoc, but increases the chances that SA performs well (at least at first. <g>) and ensures that much of the important mail will make it through. There might be better, more elaborate, mechanisms that can be applied, but for a small system, this sort of "personal touch" approach is manageable.

Whatever changes you make, do them incrementally. Make sure they're having the desired effect before moving on to the next one. Also, _always_ remember to restart the various daemons involved (i.e. mimedefang and/or sendmail), after making changes.

As others have mentioned, if you want something quicker, turnkey, with support try CanIT: http://www.roaringpenguin.com/

> My boss got MAD because he was expecting a mail from some
> client...so i checked
> the logs...mail.log of course, i saw the usual from=<bla>...Milter
> add: header:
> X-Scanned-By: MIMEDefang 2.54 on x.x.x.x , to=<bla> stat=Sent
> BUT the mail was gone!! nowhere to be found!!
> not in the mailbox (/var/spool/mail/Xbox) not in spamdrop nowhere!!

You'll need to provide us with the mail log entries if you want help on that. Suffice it to say it is highly unlikely that the mail was dropped. It is more likely that a follow-on delivery/filtering program such as procmail refiled the mail somewhere you're not looking. It is also possible that Mimedefang quarantined the mail for some reason. By looking at all the log messages you should be able to clear that up.

> i'm going crazy!
> so i whitelisted the origin domain and it worked...i started getting the
> emails...
> What am i doing wrong???!!!???

It isn't bad to whitelist important domains, but try doing it using trusted_networks and whitelist_from_rcvd, to avoid spoofing. What is bad is not first understanding the cause of the problem (lost mail) before shooting from the hip to "fix" it. When some other domain comes in, and has its mail "lost", you're still at square one on that one.

>
> Details (i know you want them...):
> OS: debian sarge 3.1a
> Sendmail 8.13.4 + mimedefang 2.54 + SA 3.0.3 + clamav
>
> What else? did i forget anything?

If you want help, you'd need to provide:

1. all log entries for the problem mail (hint: grep on the mail queue id) and submit them here.
2. provide your mimedefang-filter either as an attachment or via URL.
3. provide the output of 'mimedefang.pl -features' as an attachment or via URL.
4. provide your sendmail.mc file either as an attachment or via URL.
5. you need to understand if you're using procmail for mail delivery and if it has any default or custom filters in place. If you are using procmail, consider turning on logging (LOGABSTRACT=on) for each user, at least for now, but keep in mind the logfiles will keep growing, so you'll need a method to trim them back, if you keep logging turned on.
6. you should disable spamd if it is enabled
7. you should understand if you have other 'milters' (such as spamass-milter) installed and enabled that may be interacting with Mimedefang and disable them.

> From: [EMAIL PROTECTED]
> Sent: Thursday, January 12, 2006 1:55 AM
>
> I have upgraded to SA 3.1 but i get strange actions...

I would _not_ have upgraded SA until I understood what problems I expected it to fix. You've just introduced new variables. BTW, as you upgrade to newer versions of SA (and Mimedefang) you increase the need to make sure that you have the latest versions of the Perl interpreter and related packages, because there may be unknown hidden dependencies.

> I think that the SA is now checked before mimedefang filters and
> skips other
> filters...(but i'm not 100% sure about that? how can check?)
>

If SA is checked before Mimedefang, it can likely only be because you inadvertently installed other "milters", such as spamass-milter. Given the problems you're seeing, the only way you can get help here is to post a few representative mail log sequences (by grep-ing on the queue id), and by posting your mimedefang-filter, and other info. mentioned above, either as an attachment, or via a URL, so that others can review it.

> I stop about 1000 spam mail per day and get about 3000 legit mail per
> day (some of it SPAM!!).

You're doing better than the rest of us ... we generally see 2x more spam messages than ham. I would guess that our false positive rate (ham misclassified as spam) is less than 0.1%, and false negative rate (spam misclassified as ham) is roughly 0.3%.
We think that is about as good as it is going to get. We find that most of the false positives are glitzy marketing mail, so don't sweat that too much. Still, 0.1% is 1 in a 1000, which means that it will occasionally have a negative impact.

> I noticed another very annoying problem that I posted before but could NOT
> resolved it here...which is GOOD email with spam score less than
> 5 end-up in
> spamdrop instead of delivered to user mailbox!!!!!
> and checking the headers it says:
> [quote]
> X-Spam-Status: No, score=3.1 required=5.0 tests=DATE_IN_FUTURE_96_XX,
> MSGID_FROM_MTA_ID autolearn=no version=3.0.3
> [end quote]
> this was from the spamdrop mailbox!! why is it there is the
> spam-status is NO
> ???

Based upon what you've said, it sounds like you may have a follow-on filter program such as procmail that is mishandling or misfiling the mail. Which program actually delivers mail to "spamdrop"? It likely is _not_ Mimedefang. It very likely is procmail, or a similar mail filtering program.

>
> HELP!!!

You'll need to provide more (specific) info.
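
Added example, not part of the original message: one way to carry out the "grep on the mail queue id" step the reply asks for, going from a sender address to the queue ID and then to every log line and delivery result for that message. The log lines, addresses, host names and queue IDs are constructed, the function names are hypothetical, and the MDLOG line assumes the filter calls md_graphdefang_log.

```sh
#!/bin/sh
# Constructed sample of a sendmail + MIMEDefang mail.log; hosts, addresses and
# queue IDs are invented. The MDLOG line assumes the filter calls md_graphdefang_log.
sample_log() {
cat <<'EOF'
Jan 11 06:40:01 mx mimedefang.pl[4090]: MDLOG,k0BBe1Qx004101,mail_in,,,<client@example.com>,<boss@example.org>,Quote
Jan 11 06:40:01 mx sm-mta[4101]: k0BBe1Qx004101: from=<client@example.com>, size=2210, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Jan 11 06:40:01 mx sm-mta[4101]: k0BBe1Qx004101: Milter add: header: X-Scanned-By: MIMEDefang 2.54 on 192.0.2.1
Jan 11 06:40:02 mx sm-mta[4103]: k0BBe1Qx004101: to=<boss@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=32210, dsn=2.0.0, stat=Sent
Jan 11 06:41:10 mx sm-mta[4120]: k0BBf9Qx004120: from=<other@example.net>, size=900, class=0, nrcpts=1, msgid=<2@example.net>, proto=ESMTP, daemon=MTA, relay=host.example.net [198.51.100.7]
Jan 11 06:41:11 mx sm-mta[4122]: k0BBf9Qx004120: to=<staff@example.org>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30900, dsn=2.0.0, stat=Sent
EOF
}

# Queue IDs of messages whose envelope sender is exactly $2 (string compare, no regex).
qids_for_sender() {
    awk -v want="from=<$2>," '$7 == want { sub(/:$/, "", $6); print $6 }' "$1" | sort -u
}

# Every log line that mentions queue ID $2, whichever daemon wrote it.
trace_qid() { grep -F -- "$2" "$1"; }

# One "recipient mailer stat" line per delivery attempt logged for queue ID $2.
delivery_summary() {
    trace_qid "$1" "$2" | awk '
        $7 ~ /^to=/ {
            rcpt = $7; sub(/^to=/, "", rcpt); sub(/,$/, "", rcpt)
            mailer = "?"
            for (i = 8; i <= NF; i++)
                if ($i ~ /^mailer=/) { mailer = $i; sub(/^mailer=/, "", mailer); sub(/,$/, "", mailer) }
            # stat= is the last field and may contain spaces, so take the rest of the line
            stat = substr($0, index($0, ", stat=") + 7)
            print rcpt, mailer, stat
        }'
}

LOG=$(mktemp); trap 'rm -f "$LOG"' EXIT; sample_log > "$LOG"
for q in $(qids_for_sender "$LOG" client@example.com); do
    trace_qid "$LOG" "$q"           # the lines to post to the list
    delivery_summary "$LOG" "$q"
done
```

A result of mailer=local with stat=Sent only shows that sendmail handed the message to the local delivery agent; where that agent (for example procmail) filed it has to come from the agent's own log.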

