Re: Increase spamassassin bayes99 score
> If you are using Postfix, the following smtpd_recipient_restrictions work
> well for us. Note that you need to install policy-spf-python before you can
> use the last directive:
>
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
>     reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender,
>     reject_unknown_sender_domain, reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     check_policy_service unix:private/policy-spf

great stuffs

I used reject_unknown_recipient_domain before. Now I do NOT use it.

> policy-spf-python in Ubuntu is installed as follows:
>
> sudo apt-get install postfix-policyd-spf-python
>
> Then in your postfix master.cf you add the following:
>
> # PYTHON SPF POLICY BELOW THIS LINE. ENABLE IF YOU WISH TO USE
> policy-spf unix - n n - - spawn
>     user=nobody argv=/usr/bin/policyd-spf
> # === PYTHON SPF POLICY ABOVE THIS LINE ===
>
> I'm also guessing you are using postscreen
>
>> > Here is a blocked spam as an example:
>> >
>> > X-Spam-Status: Yes, score=8.308 tag=-999 tag2=5.5 kill=7.5
>>
>> Did you receive this mail since score = 8.3?
>>
>> Pls set final_spam_destiny to D_DISCARD in this way.
>>
>> $final_spam_destiny = D_DISCARD;
>>
>> It is worth to have below 2 lines to D_DISCARD as well.
>>
>> $final_virus_destiny = D_DISCARD;
>> $final_banned_destiny = D_DISCARD;
>
> I would like to add that you should NEVER block your customers' email. You
> don't have to pass them to their mailbox necessarily but you should dump them
> to a quarantine directory and release if needed. I have seen many situations
> where the system has marked a message as spam or a virus for that matter even
> though it was not and your customers are looking for that e-mail so you don't
> want to be that guy. You accomplish that like as follows in your amavis conf
> file:
>
> $virus_quarantine_method = 'local:virus/%m';
> $spam_quarantine_method = 'local:spam/%m';

I do not use above 2 lines. I think it is set to default since I can release
quarantine mail with amavisd-release command.

> $banned_files_quarantine_method = 'local:banned/%m';

I think the above is also a default setting.

> $bad_header_quarantine_method = 'local:bad_header/%m';

yes, I use the above line due to this line

$bad_header_quarantine_method = undef;

I use below 2 lines to release mails

$bad_header_quarantine_method = 'local:badh-%m';
$bad_header_quarantine_to = 'bad-header-quarantine';

anyway, having those settings OK too.

good source
https://www.mail-archive.com/amavis-user@lists.sourceforge.net/msg04356.html

>> > score BAYES_99 4.5 # was 3.5
>> > score BAYES_999 2.0 # was 0.2
>>
>> I do NOT consider the above stuffs so much. I go with defaults.
>
> I agree with above. Keeping with defaults is usually best. You should
> concentrate on doing everything else before you start messing around with the
> scores.
>
> --
> Hermes Secure Email Gateway
>
> Hermes Secure Email Gateway combines Open Source technologies such as
> Postfix, Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under
> one unified web based Web GUI for easy administration and management of your
> incoming and outgoing email for your organization. Anti-spam, anti-virus and
> anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS
> support, built-in email archiving, end-user self-service web gui.
>
> Download the free open-source appliance at:
> http://www.deeztek.com/hermes-secure-email-gateway/

--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala Fonts
RE: Increase spamassassin bayes99 score
> reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
> Reject the request when 1) the client IP address->name mapping fails, 2) the
> name->address mapping fails, or 3) the name->address mapping does not match
> the client IP address.
> This is a stronger restriction than the
> reject_unknown_reverse_client_hostname feature, which triggers only
> under condition 1) above.
> The unknown_client_reject_code parameter specifies the response code for
> rejected requests (default: 450). The reply is always 450 in case the
> address->name or name->address lookup failed due to a temporary problem.

If you are using Postfix, the following smtpd_recipient_restrictions work well
for us. Note that you need to install policy-spf-python before you can use the
last directive:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender,
    reject_unknown_sender_domain, reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf

policy-spf-python in Ubuntu is installed as follows:

sudo apt-get install postfix-policyd-spf-python

Then in your postfix master.cf you add the following:

# PYTHON SPF POLICY BELOW THIS LINE. ENABLE IF YOU WISH TO USE
policy-spf unix - n n - - spawn
    user=nobody argv=/usr/bin/policyd-spf
# === PYTHON SPF POLICY ABOVE THIS LINE ===

I'm also guessing you are using postscreen

>> Here is a blocked spam as an example:
>>
>> X-Spam-Status: Yes, score=8.308 tag=-999 tag2=5.5 kill=7.5
>
> Did you receive this mail since score = 8.3?
>
> Pls set final_spam_destiny to D_DISCARD in this way.
>
> $final_spam_destiny = D_DISCARD;
>
> It is worth to have below 2 lines to D_DISCARD as well.
>
> $final_virus_destiny = D_DISCARD;
> $final_banned_destiny = D_DISCARD;

I would like to add that you should NEVER block your customers' email. You
don't have to pass them to their mailbox necessarily but you should dump them
to a quarantine directory and release if needed. I have seen many situations
where the system has marked a message as spam or a virus for that matter even
though it was not and your customers are looking for that e-mail so you don't
want to be that guy. You accomplish that like as follows in your amavis conf
file:

$QUARANTINEDIR = "/path/to/quarantine/directory";
$virus_quarantine_method = 'local:virus/%m';
$spam_quarantine_method = 'local:spam/%m';
$banned_files_quarantine_method = 'local:banned/%m';
$bad_header_quarantine_method = 'local:bad_header/%m';

>> score BAYES_99 4.5 # was 3.5
>> score BAYES_999 2.0 # was 0.2
>
> I do NOT consider the above stuffs so much. I go with defaults.

I agree with above. Keeping with defaults is usually best. You should
concentrate on doing everything else before you start messing around with the
scores.

--
Hermes Secure Email Gateway

Hermes Secure Email Gateway combines Open Source technologies such as Postfix,
Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under one
unified web based Web GUI for easy administration and management of your
incoming and outgoing email for your organization. Anti-spam, anti-virus and
anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS support,
built-in email archiving, end-user self-service web gui.

Download the free open-source appliance at:
http://www.deeztek.com/hermes-secure-email-gateway/
Re: Increase spamassassin bayes99 score
> I have:
>
> $sa_tag2_level_deflt = 5.5; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 7.5; # triggers spam evasive actions (e.g. blocks mail)

I think it is quite high. Pls see my config ( 3.5 and 3.8 )

$sa_tag_level_deflt = undef; # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 3.5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 3.8;

> We do use RBLs at the SMTP level, greylisting, RBLs with spamassassin, but
> still we have been getting a lot of spam.

Do you use postfix? then, you can have below in mail.cf under
smtpd_recipient_restrictions. Anyway Be VERY careful since it REJECTS mails.

reject_unknown_client_hostname,

from - http://www.postfix.org/postconf.5.html

reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
Reject the request when 1) the client IP address->name mapping fails, 2) the
name->address mapping fails, or 3) the name->address mapping does not match
the client IP address.
This is a stronger restriction than the reject_unknown_reverse_client_hostname
feature, which triggers only under condition 1) above.
The unknown_client_reject_code parameter specifies the response code for
rejected requests (default: 450). The reply is always 450 in case the
address->name or name->address lookup failed due to a temporary problem.

> Here is a blocked spam as an example:
>
> X-Spam-Status: Yes, score=8.308 tag=-999 tag2=5.5 kill=7.5

Did you receive this mail since score = 8.3?

Pls set final_spam_destiny to D_DISCARD in this way.

$final_spam_destiny = D_DISCARD;

It is worth to have below 2 lines to D_DISCARD as well.

$final_virus_destiny = D_DISCARD;
$final_banned_destiny = D_DISCARD;

> tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
> RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
> RAZOR2_CHECK=0.922, RP_MATCHES_RCVD=-1.509, SPF_HELO_PASS=-0.1,
> SPF_PASS=-0.1, SUBJ_ALL_CAPS=1.506, URIBL_BLACK=1.7,
> URIBL_RED=0.001]
> autolearn=disabled
>
> I decided to configure:
>
> score BAYES_99 4.5 # was 3.5
> score BAYES_999 2.0 # was 0.2

I do NOT consider the above stuffs so much. I go with defaults.

anyway, keep on monitoring mail log and add spam assassin rules to quarantine
mail.

if you need help, you may write to the mailing list.

> because I noticed a lot of spam was correctly identified using BAYES_99 and
> BAYES_999, but was not getting blocked due to low scoring.
>
> I have been monitoring spam and I think that I have a lot more blocks and
> there are no false positives at this point.
>
> Any ideas and suggestions will be greatly appreciated!
>
> Thanks (Efharisto!) again,
> Nick
>
> On 14/10/2016 3:06 μμ, Dino Edwards wrote:
>
>> Yasou NiKo,
>>
>> There are a few things that might be going on here. What is the average
>> score of the ham e-mails that you are getting through? The reason I’m asking
>> is can you possibly bring down your required=5.5 score? Every installation
>> is different but our required= score is set to 3.6 and that seems to work
>> very well. The required = score would be set in your amavis config file as
>> follows (the parameter below is probably how it’s set in your amavis):
>>
>> $sa_tag2_level_deflt = 3.6;
>>
>> If your spam filter is trained properly, you should be able to bring that
>> score down and not have to worry about false positives. Alternatively, if
>> you really want to raise the bayes_99 score you would set it in
>> /etc/spamassassin/local.cf as follows:
>>
>> #override bayes default scores
>>
>> score BAYES_99 5
>>
>> But, in the grand scheme of things, your spamfilter is your very last line
>> of defense against spam. Are you doing all you can to prevent spam from ever
>> reaching your spam filter? Things like RBL blocking on the MTA level,
>> graylisting etc?

--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala Fonts
Re: Increase spamassassin bayes99 score
Thank you Dino and Kai,

I have:

$sa_tag2_level_deflt = 5.5; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 7.5; # triggers spam evasive actions (e.g. blocks mail)

We do use RBLs at the SMTP level, greylisting, RBLs with spamassassin, but
still we have been getting a lot of spam.

Here is a blocked spam as an example:

X-Spam-Status: Yes, score=8.308 tag=-999 tag2=5.5 kill=7.5
    tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
    HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
    RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
    RAZOR2_CHECK=0.922, RP_MATCHES_RCVD=-1.509, SPF_HELO_PASS=-0.1,
    SPF_PASS=-0.1, SUBJ_ALL_CAPS=1.506, URIBL_BLACK=1.7,
    URIBL_RED=0.001]
    autolearn=disabled

I decided to configure:

score BAYES_99 4.5 # was 3.5
score BAYES_999 2.0 # was 0.2

because I noticed a lot of spam was correctly identified using BAYES_99 and
BAYES_999, but was not getting blocked due to low scoring.

I have been monitoring spam and I think that I have a lot more blocks and
there are no false positives at this point.

Any ideas and suggestions will be greatly appreciated!

Thanks (Efharisto!) again,
Nick

On 14/10/2016 3:06 μμ, Dino Edwards wrote:

> Yasou NiKo,
>
> There are a few things that might be going on here. What is the average
> score of the ham e-mails that you are getting through? The reason I’m asking
> is can you possibly bring down your required=5.5 score? Every installation
> is different but our required= score is set to 3.6 and that seems to work
> very well. The required = score would be set in your amavis config file as
> follows (the parameter below is probably how it’s set in your amavis):
>
> $sa_tag2_level_deflt = 3.6;
>
> If your spam filter is trained properly, you should be able to bring that
> score down and not have to worry about false positives. Alternatively, if
> you really want to raise the bayes_99 score you would set it in
> /etc/spamassassin/local.cf as follows:
>
> #override bayes default scores
>
> score BAYES_99 5
>
> But, in the grand scheme of things, your spamfilter is your very last line
> of defense against spam. Are you doing all you can to prevent spam from ever
> reaching your spam filter? Things like RBL blocking on the MTA level,
> graylisting etc?
RE: Increase spamassassin bayes99 score
Yasou NiKo,

There are a few things that might be going on here. What is the average score
of the ham e-mails that you are getting through? The reason I’m asking is can
you possibly bring down your required=5.5 score? Every installation is
different but our required= score is set to 3.6 and that seems to work very
well. The required = score would be set in your amavis config file as follows
(the parameter below is probably how it’s set in your amavis):

$sa_tag2_level_deflt = 3.6;

If your spam filter is trained properly, you should be able to bring that
score down and not have to worry about false positives. Alternatively, if you
really want to raise the bayes_99 score you would set it in
/etc/spamassassin/local.cf as follows:

#override bayes default scores

score BAYES_99 5

But, in the grand scheme of things, your spamfilter is your very last line of
defense against spam. Are you doing all you can to prevent spam from ever
reaching your spam filter? Things like RBL blocking on the MTA level,
graylisting etc?

Thanks

Dino

--
Hermes Secure Email Gateway

Hermes Secure Email Gateway combines Open Source technologies such as Postfix,
Apache SpamAssassin, ClamAV, Amavisd-new, MySQL and CipherMail under one
unified web based Web GUI for easy administration and management of your
incoming and outgoing email for your organization. Anti-spam, anti-virus and
anti-malware protection, encrypted S/MIME, encrypted PDF and SMTP TLS support,
built-in email archiving, end-user self-service web gui.

Download the free open-source appliance at:
http://www.deeztek.com/hermes-secure-email-gateway/

From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail@amavis.org] On Behalf Of Nikolaos Milas
Sent: Friday, October 14, 2016 1:24 AM
To: amavis-users@amavis.org
Subject: Increase spamassassin bayes99 score

Hello,

After relatively long training of bayes filters, we are consistently getting
bayes99 score of 3.5 (on spam mails). It seems this is the max score assigned
to bayes99.

How/where can we increase this value?

Config files are at: /etc/amavisd.conf and at /etc/mail/spamassassin/local.cf

Spam mails still get through because a higher total score is needed for them
to be auto designated as spam.

Here is a typical header of such a mail:

X-Spam-Flag: NO
X-Spam-Score: 5.153
X-Spam-Level: *
X-Spam-Status: No, score=5.153 tagged_above=-999 required=5.5
    tests=[BAYES_99=3.5, BAYES_999=0.2, DATE_IN_PAST_12_24=1.049,
    DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001,
    HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, IP_LINK_PLUS=0.012,
    NML_ADSP_CUSTOM_MED=0.9, NORMAL_HTTP_TO_IP=0.001,
    RP_MATCHES_RCVD=-0.313, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1]
    autolearn=disabled

How should I best handle the issue? I think that raising max score from 3.5 to
e.g. 6.0 might do the trick. Any other options?

Some additional data:

$ sa-learn --dbpath '/var/amavis/var/.spamassassin' --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       2063          0  non-token data: nspam
0.000          0       1010          0  non-token data: nham
0.000          0     217776          0  non-token data: ntokens
0.000          0 1219096335          0  non-token data: oldest atime
0.000          0 1476418883          0  non-token data: newest atime
0.000          0 1476418900          0  non-token data: last journal sync atime
0.000          0 1471602636          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

Please advise.

Thanks in advance,
Nick
RE: Increase spamassassin bayes99 score
Put this in your local.cf

score BAYES_99 6.0

Personally I think 6.0 is a bit high. There is significant risk of false
positive if one single rule can give enough points to block the message.

Are you using network tests (RBL blocklists, etc.)? These are usually very
effective.

See https://wiki.apache.org/spamassassin/UsingNetworkTests

--
kai.ri...@arrak.fi
GSM +358-40-767 8282
Oy Arrak Software Ab
http://www.arrak.fi

From: amavis-users [mailto:amavis-users-bounces+kai.risku=arrak...@amavis.org] On Behalf Of Nikolaos Milas
Sent: Friday, October 14, 2016 8:24 AM
To: amavis-users@amavis.org
Subject: Increase spamassassin bayes99 score

Hello,

After relatively long training of bayes filters, we are consistently getting
bayes99 score of 3.5 (on spam mails). It seems this is the max score assigned
to bayes99.

How/where can we increase this value?

Config files are at: /etc/amavisd.conf and at /etc/mail/spamassassin/local.cf

Spam mails still get through because a higher total score is needed for them
to be auto designated as spam.

Here is a typical header of such a mail:

X-Spam-Flag: NO
X-Spam-Score: 5.153
X-Spam-Level: *
X-Spam-Status: No, score=5.153 tagged_above=-999 required=5.5
    tests=[BAYES_99=3.5, BAYES_999=0.2, DATE_IN_PAST_12_24=1.049,
    DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001,
    HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, IP_LINK_PLUS=0.012,
    NML_ADSP_CUSTOM_MED=0.9, NORMAL_HTTP_TO_IP=0.001,
    RP_MATCHES_RCVD=-0.313, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1]
    autolearn=disabled

How should I best handle the issue? I think that raising max score from 3.5 to
e.g. 6.0 might do the trick. Any other options?

Some additional data:

$ sa-learn --dbpath '/var/amavis/var/.spamassassin' --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       2063          0  non-token data: nspam
0.000          0       1010          0  non-token data: nham
0.000          0     217776          0  non-token data: ntokens
0.000          0 1219096335          0  non-token data: oldest atime
0.000          0 1476418883          0  non-token data: newest atime
0.000          0 1476418900          0  non-token data: last journal sync atime
0.000          0 1471602636          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

Please advise.

Thanks in advance,
Nick
Increase spamassassin bayes99 score
Hello,

After relatively long training of bayes filters, we are consistently getting
bayes99 score of 3.5 (on spam mails). It seems this is the max score assigned
to bayes99.

How/where can we increase this value?

Config files are at: /etc/amavisd.conf and at /etc/mail/spamassassin/local.cf

Spam mails still get through because a higher total score is needed for them
to be auto designated as spam.

Here is a typical header of such a mail:

X-Spam-Flag: NO
X-Spam-Score: 5.153
X-Spam-Level: *
X-Spam-Status: No, score=5.153 tagged_above=-999 required=5.5
    tests=[BAYES_99=3.5, BAYES_999=0.2, DATE_IN_PAST_12_24=1.049,
    DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001,
    HTML_IMAGE_RATIO_06=0.001, HTML_MESSAGE=0.001, IP_LINK_PLUS=0.012,
    NML_ADSP_CUSTOM_MED=0.9, NORMAL_HTTP_TO_IP=0.001,
    RP_MATCHES_RCVD=-0.313, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1]
    autolearn=disabled

How should I best handle the issue? I think that raising max score from 3.5 to
e.g. 6.0 might do the trick. Any other options?

Some additional data:

$ sa-learn --dbpath '/var/amavis/var/.spamassassin' --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       2063          0  non-token data: nspam
0.000          0       1010          0  non-token data: nham
0.000          0     217776          0  non-token data: ntokens
0.000          0 1219096335          0  non-token data: oldest atime
0.000          0 1476418883          0  non-token data: newest atime
0.000          0 1476418900          0  non-token data: last journal sync atime
0.000          0 1471602636          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

Please advise.

Thanks in advance,
Nick
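
Added example (not part of any message in this thread, and not amavis or SpamAssassin code): a what-if re-scoring of the two X-Spam-Status headers quoted in the thread, to see how a `score` override changes the verdict at a given threshold and whether any single rule would then reach that threshold on its own. The function names are hypothetical, and the last scenario combines one poster's score with another poster's kill level as an assumption.

```python
import re

# X-Spam-Status values copied from the thread: the first message was
# delivered (5.153 < required=5.5), the second was blocked (8.308 >= kill=7.5).
DELIVERED = """No, score=5.153 tagged_above=-999 required=5.5
 tests=[BAYES_99=3.5, BAYES_999=0.2, DATE_IN_PAST_12_24=1.049,
 DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, HTML_IMAGE_RATIO_06=0.001,
 HTML_MESSAGE=0.001, IP_LINK_PLUS=0.012, NML_ADSP_CUSTOM_MED=0.9,
 NORMAL_HTTP_TO_IP=0.001, RP_MATCHES_RCVD=-0.313, SPF_HELO_PASS=-0.1,
 SPF_PASS=-0.1] autolearn=disabled"""
BLOCKED = """Yes, score=8.308 tag=-999 tag2=5.5 kill=7.5
 tests=[BAYES_99=3.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
 RAZOR2_CF_RANGE_51_100=0.5, RAZOR2_CF_RANGE_E8_51_100=1.886,
 RAZOR2_CHECK=0.922, RP_MATCHES_RCVD=-1.509, SPF_HELO_PASS=-0.1,
 SPF_PASS=-0.1, SUBJ_ALL_CAPS=1.506, URIBL_BLACK=1.7, URIBL_RED=0.001]
 autolearn=disabled"""

PAIR = re.compile(r"(\w+)=(-?\d+(?:\.\d+)?)")


def parse_status(value):
    """Return (levels, tests): the score/threshold fields and per-rule points."""
    head, _, rest = value.partition("tests=[")
    levels = {k: float(v) for k, v in PAIR.findall(head)}
    tests = {k: float(v) for k, v in PAIR.findall(rest.partition("]")[0])}
    return levels, tests


def rescore(tests, overrides):
    """Total after local.cf-style `score RULE n` overrides on rules that fired."""
    return round(sum(overrides.get(r, p) for r, p in tests.items()), 3)


def single_rule_blockers(tests, overrides, threshold):
    """Rules that reach the threshold on their own, with no other evidence."""
    return sorted(r for r, p in tests.items() if overrides.get(r, p) >= threshold)


def what_if(value, overrides, threshold):
    """Compare the recorded verdict with the verdict under new rule scores."""
    levels, tests = parse_status(value)
    after = rescore(tests, overrides)
    return {"before": levels["score"], "after": after,
            "spam_before": levels["score"] >= threshold,
            "spam_after": after >= threshold,
            "single_rule_blockers":
                single_rule_blockers(tests, overrides, threshold)}


if __name__ == "__main__":
    # Values are from the thread; the last row pairs one poster's BAYES_99
    # score with another poster's kill level (an assumed combination).
    scenarios = [
        ("defaults, required=5.5", {}, 5.5),
        ("BAYES_99=4.5 BAYES_999=2.0, required=5.5",
         {"BAYES_99": 4.5, "BAYES_999": 2.0}, 5.5),
        ("BAYES_99=6.0, required=5.5", {"BAYES_99": 6.0}, 5.5),
        ("BAYES_99=4.5, kill=3.8", {"BAYES_99": 4.5}, 3.8),
    ]
    for label, overrides, threshold in scenarios:
        print(label, what_if(DELIVERED, overrides, threshold))
```

Run over a sample of delivered ham headers as well as spam, the same functions show how many legitimate messages a proposed override would push over the threshold before the change goes into local.cf.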