I have a dual SA system, two different servers running identical configs. As noted in prior posts, my primary MX box takes care of the majority of the load, but my secondary box still gets hits from spammers trying to bypass spam filtering (expecting, I suppose, a lower level of protection. That'll show 'em.)
I've never had to use the secondary box until yesterday afternoon, when a clumsy co-worker accidentally pulled out the NIC cable on my primary box. He didn't notice the transgression and for about 30-45 minutes my secondary box picked up the slack. When I found out about the failure and fixed it, I looked at the logs of the secondary box to see how well it worked and noticed a CRAPLOAD of diversions to my quarantine email account. As I reviewed the quarantined emails (hundreds of them) the one thing that stuck out was a BAYES_99 rule slap.

Then it hit me: that secondary box pretty much gets nothing but spam, so its cynical view of the world is that almost all email is spam. Thus, a lot of "good" email was slapped with BAYES_99 and quarantined; I got hundreds of false positives. Once the primary box came back up the problem went away and everything was back to normal.

I turned off Bayes on the secondary box for now, but I need a longer-term solution. I know you're going to tell me to feed email to Bayes to train it, but that's a problem: I'm using the SA boxes as spam-filtering relays to my internal GroupWise system. I've yet to figure out a way to get the email back to the box for learning.

The other option I'm considering is copying the Bayes database from the primary to the secondary server, but I'm not quite sure how to do that. Do I simply copy over the bayes_* files and restart? Worst case, I'll leave off the Bayes autolearn on the secondary and continue relying on blacklists for the time being...

Thanks,
Greg Amy
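The skew described in this post can be reproduced with a toy token-probability classifier. This is an added example, not part of the original message and not SpamAssassin's Bayes code; the `TokenDB` class, the smoothing constants and the sample corpora are constructed for illustration.

```python
import math
from collections import Counter

class TokenDB:
    """Per-token message counts; a toy stand-in for a Bayes token database."""
    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.nspam = self.nham = 0

    def learn(self, text, is_spam):
        tokens = set(text.lower().split())
        if is_spam:
            self.spam.update(tokens)
            self.nspam += 1
        else:
            self.ham.update(tokens)
            self.nham += 1

    def token_prob(self, tok, x=0.5, s=1.0):
        # Robinson-style smoothing: unseen tokens stay neutral at x.
        sc, hc = self.spam[tok], self.ham[tok]
        n = sc + hc
        if n == 0:
            return x
        sr = sc / self.nspam if self.nspam else 0.0
        hr = hc / self.nham if self.nham else 0.0
        return (s * x + n * (sr / (sr + hr))) / (s + n)

    def score(self, text):
        # Combine token probabilities as summed log-odds (naive Bayes).
        log_odds = 0.0
        for tok in set(text.lower().split()):
            f = self.token_prob(tok)
            log_odds += math.log(f) - math.log(1.0 - f)
        return 1.0 / (1.0 + math.exp(-log_odds))

# Constructed sample corpora (not real mail).
SPAM = ["cheap pills order now please reply today",
        "please review the attached invoice and order today",
        "meeting your account needs update please reply now",
        "the report on cheap loans is attached reply today"]
HAM = ["please review the attached report before the meeting",
       "the meeting is moved to today please reply",
       "attached is the invoice for your order",
       "can you update the report and reply today"]

def build(spam, ham):
    db = TokenDB()
    for m in spam:
        db.learn(m, True)
    for m in ham:
        db.learn(m, False)
    return db

primary = build(SPAM, HAM)    # sees the normal mix of mail
secondary = build(SPAM, [])   # sees nothing but spam
LEGIT = "please reply about the meeting report today"
```

With no ham counts to offset them, everyday words that also occur in spam push `secondary.score(LEGIT)` above 0.99, while `primary.score(LEGIT)` stays below 0.5 for the same message.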