I'm not sure about your specific environment, but in my experience the things 
that helped me the most in blocking spam are:

- enable network tests
- enable the URIDNSBL plugin (init.pre)
- use sa-update with the SpamAssassin and SARE rule sets.

The SARE rules helped the most with stock quote spams.

I have most of the other plugins running, as well as having installed Pyzor and 
FuzzyOCR. I'm pretty happy so far! The one thing I would want is better spam 
processing performance. If a huge wash of spam hits the server, the server load 
goes up to 2 or 3 (shouldn't happen on a dual-core 3.2GHz receiving as little 
mail as we do).

Here is the output from the sa-stats program 
(<http://www.rulesemporium.com/programs/sa-stats-1.0.txt>) from my server for 
the past 24 hours:


Email:     5034  Autolearn:   417  AvgScore:  12.18  AvgScanTime:  6.02 sec
Spam:      3518  Autolearn:   341  AvgScore:  18.24  AvgScanTime:  6.11 sec
Ham:       1516  Autolearn:    76  AvgScore:  -1.89  AvgScanTime:  5.79 sec

Time Spent Running SA:         8.41 hours
Time Spent Processing Spam:    5.97 hours
Time Spent Processing Ham:     2.44 hours

TOP SPAM RULES FIRED
----------------------------------------------------------------------
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM        
----------------------------------------------------------------------
   1    HTML_MESSAGE                     2796    69.47   79.48   46.24
   2    URIBL_BLACK                      1577    32.20   44.83    2.90
   3    RCVD_IN_SORBS_DUL                1530    30.91   43.49    1.72
   4    URIBL_JP_SURBL                   1389    27.59   39.48    0.00
   5    RCVD_IN_NJABL_DUL                1387    28.01   39.43    1.52
   6    MY_CID_AND_STYLE                 1362    27.10   38.72    0.13
   7    SARE_GIF_ATTACH                  1335    27.55   37.95    3.43
   8    EXTRA_MPART_TYPE                 1229    24.89   34.93    1.58
   9    TVD_FW_GRAPHIC_ID1               1201    23.86   34.14    0.00
  10    PART_CID_STOCK                   1197    23.78   34.03    0.00
  11    MY_CID_ARIAL_STYLE               1141    22.67   32.43    0.00
  12    MY_CID_AND_ARIAL2                1141    22.69   32.43    0.07
  13    URIBL_OB_SURBL                   1027    20.44   29.19    0.13
  14    MIME_HTML_ONLY                   1004    22.77   28.54    9.37
  15    SARE_GIF_STOX                     963    19.19   27.37    0.20
  16    URIBL_SC_SURBL                    937    18.63   26.63    0.07
  17    HTML_IMAGE_ONLY_28                827    16.71   23.51    0.92
  18    URIBL_WS_SURBL                    806    16.29   22.91    0.92
  19    URIBL_SBL                         793    15.85   22.54    0.33
  20    PART_CID_STOCK_LESS               681    13.53   19.36    0.00
----------------------------------------------------------------------

TOP HAM RULES FIRED
----------------------------------------------------------------------
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM        
----------------------------------------------------------------------
   1    HTML_MESSAGE                      701    69.47   79.48   46.24
   2    NO_REAL_NAME                      665    14.88    2.39   43.87
   3    MIME_HTML_ONLY                    142    22.77   28.54    9.37
   4    BAYES_00                          130     2.74    0.23    8.58
   5    AWL                               128     3.06    0.74    8.44
   6    HTML_FONT_BIG                     128     9.24    9.58    8.44
   7    SPF_HELO_PASS                      59     4.59    4.89    3.89
   8    HTML_IMAGE_RATIO_02                53     2.82    2.53    3.50
   9    SARE_UNI                           52     1.23    0.28    3.43
  10    SARE_GIF_ATTACH                    52    27.55   37.95    3.43
  11    INFO_TLD                           50     3.08    2.98    3.30
  12    HTML_TAG_EXIST_TBODY               45     1.15    0.37    2.97
  13    URIBL_BLACK                        44    32.20   44.83    2.90
  14    MISSING_HB_SEP                     41     1.61    1.14    2.70
  15    USER_IN_WHITELIST                  35     0.70    0.00    2.31
  16    UNPARSEABLE_RELAY                  35     3.32    3.75    2.31
  17    EMPTY_MESSAGE                      32     1.13    0.71    2.11
  18    FORGED_RCVD_HELO                   27     3.95    4.89    1.78
  19    RCVD_IN_SORBS_DUL                  26    30.91   43.49    1.72
  20    BAYES_50                           26     0.87    0.51    1.72
----------------------------------------------------------------------

Quinn




On Mon, 13 Nov 2006 15:24:55 -0600, Ryan Gibbons wrote:
> My server (not just my domain) is getting hit hard with spam related to
> stock quotes.  It is plain text, no links, no HTML, and of course the
> envelope changes each time.  I have gone through with sa-learn and tried to
> mark them individually but they are still getting through, some are even
> being learned as ham b/c they are generating a score of over -3, (*note
> to self, I might want to bump that up) and very few are being marked
> anything lower than 3.  On average, it is coming across as zero.
> 
> Thunderbird sees it as spam, so it is possible to catch these, I just
> don't know enough about SpamAssassin to create a rule set to catch it. 
> I use Rules Du Jour and a moderate RBL block list.
> 
> Anybody have any hints? If you want to see the message, let me know and I
> can put it up here.
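
An added example, not part of the original post or of sa-stats: a small parser for the rule tables above that separates rules hitting spam almost exclusively from rules that also fire on a noticeable share of ham. The sample rows are copied from the TOP SPAM RULES table; the function names and the thresholds (at least 10% of spam, at most 1% of ham) are assumptions chosen for illustration.

```python
import re

# Constructed sample: a few rows copied from the TOP SPAM RULES table above.
SAMPLE = """\
RANK    RULE NAME                       COUNT  %OFMAIL %OFSPAM  %OFHAM
----------------------------------------------------------------------
   1    HTML_MESSAGE                     2796    69.47   79.48   46.24
   2    URIBL_BLACK                      1577    32.20   44.83    2.90
   4    URIBL_JP_SURBL                   1389    27.59   39.48    0.00
   7    SARE_GIF_ATTACH                  1335    27.55   37.95    3.43
  15    SARE_GIF_STOX                     963    19.19   27.37    0.20
"""

# rank, rule name, count, %OFMAIL, %OFSPAM, %OFHAM
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_rules(text):
    """Return one dict per data row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pct_spam, pct_ham = float(m.group(5)), float(m.group(6))
        total = pct_spam + pct_ham
        rows.append({
            "rule": m.group(2),
            "count": int(m.group(3)),
            "pct_spam": pct_spam,
            "pct_ham": pct_ham,
            # Share of the rule's combined hit rate that falls on spam
            # (1.0 means it never fired on ham in this sample).
            "spam_share": round(pct_spam / total, 3) if total else 0.0,
        })
    return rows


def classify(rows, min_spam=10.0, max_ham=1.0):
    """Split rule names into strong spam indicators and rules that also hit ham."""
    strong, noisy = [], []
    for r in rows:
        is_strong = r["pct_spam"] >= min_spam and r["pct_ham"] <= max_ham
        (strong if is_strong else noisy).append(r["rule"])
    return strong, noisy


if __name__ == "__main__":
    strong, noisy = classify(parse_rules(SAMPLE))
    print("strong:", strong)
    print("also hits ham:", noisy)
```

Rules in the second group (HTML_MESSAGE, for instance, fires on 46.24% of ham here) are the ones to check before raising any scores.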
