This is a very nice example and I think it needs to be mentioned in a doc, or at least a wiki :)
--Chris >-----Original Message----- >From: Gary Smith [mailto:[EMAIL PROTECTED] >Sent: Thursday, July 15, 2004 1:18 PM >To: Spam Admin; [EMAIL PROTECTED] >Subject: RE: Bayes Bit Me > > >It's common... The short answer is yes, copy bayes_* over, >and restart. >We have a job that does this every so often to our offsite cluster. > >Actually, we do this on 6 machines. We take the bayes db files one of >our load balanced nodes and copy it to a bunch of different >servers. We >have a single one that we use as a primary so we can manually feed it >daily. > >Gary Wayne Smith > >-----Original Message----- >From: Spam Admin [mailto:[EMAIL PROTECTED] >Sent: Thursday, July 15, 2004 10:14 AM >To: [EMAIL PROTECTED] >Subject: Bayes Bit Me > >I have a dual SA system, two different severs running >identical configs. >As noted in prior posts, by primary MX box takes cares of the majority >of the load, but my secondary box still gets hits from spammers trying >to bypass spam filtering (expecting, I suppose, a lower level of >protection. That'll show 'em.) > >I've never had to use the secondary box until yesterday afternoon, when >a clumsy co-worker accidentally pulled out the NIC cable on my primary >box. He didn't notice the transgression and for about 30-45 minutes my >secondary box picked up the slack. When I found out about the failure >and fixed it, I looked at the logs of the secondary box to see how well >it worked and noticed a CRAPLOAD of diversions to my quarantine email >account. > >As I reviewed the quarantined emails (hundreds of them) the one thing >that stuck out was a BAYES_99 rule slap. Then it hit me: that secondary >box pretty much gets nothing but spam, so it's cynical view of >the world >is that almost all email is spam. Thus, a lot of "good" email was >slapped with BAYES_99 and quarantined; I got hundreds of false >positives. Once the primary box came back up the problem went away and >everything was back to normal. I turned off Bayes on the secondary box >for now, but I need a longer-term solution. > >I know you're going to tell me to feed email to Bayes to train it, but >that's a problem: I'm using the SA boxes as spam-filtering relays to my >internal GroupWise system. I've yet to figure out a way to get >the email >back to the box for learning. The other option I'm considering is >copying the Bayes database from the primary to the secondary >server, but >I'm not quite sure how to do that. Do I simply copy over the bayes_* >files and restart? > >Worst case, I'll leave off the Bayes autolearn on the secondary and >continue relying on blacklists for the time being... > >Thanks, > >Greg Amy > > >
