I've been running SA for about 2 months now, working really well (for the
most part). We do have a resources@ mailbox that I took a look at today and
lo and behold, of the 2018 messages only 15 or so were legit. Why would that
one account get hammered so much more than all others?

Could be any number of reasons. resources@ could be targeted by one of those
viruses that send to specific defined addresses. Being a common word, and
human resources is a common department in medium-sized and up companies,
it's probably prone to dictionary attacks. The email address in question
could be published on a website, newsletter archive, or Usenet posting (just
do a Google search for the address - it's a good bet that if it's in Google,
then every spammer in the world has it).

If you're using Bayes, feed the spam and ham to it so that it knows what to
look for for this user (though you'd need a lot more ham to make it
effective, or for that matter for the Bayesian filtering to even be applied
with the default 200 message threshold). Maybe set required_hits lower for
this account, depending on how the legit messages scored. Depending on your
mail setup, make sure that mail sent to resources@ on other domains on the
box doesn't get funnelled into this one account.

But, you'll probably always be fighting an uphill battle to keep an
already-tainted box clean. Better to just change the account name and/or
email address and start from scratch, and make sure it stays clean.
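
One way to pick a lower required_hits for this account from how the legit messages scored, as an added example that is not part of the original thread. The headers are constructed sample data, and the 0.5 safety margin and the function names are assumptions.

```python
import re

# Constructed X-Spam-Status headers from hand-sorted mail (not from the thread).
# Older SpamAssassin releases write "hits=", newer ones write "score=".
HAM = ["X-Spam-Status: No, hits=0.3 required=5.0 tests=BAYES_50",
       "X-Spam-Status: No, hits=-0.5 required=5.0 tests=NONE",
       "X-Spam-Status: No, score=2.0 required=5.0 tests=HTML_MESSAGE",
       "X-Spam-Status: No, hits=1.1 required=5.0 tests=NO_REAL_NAME"]
SPAM = ["X-Spam-Status: No, hits=3.1 required=5.0 tests=HTML_MESSAGE",
        "X-Spam-Status: No, hits=4.2 required=5.0 tests=NO_REAL_NAME",
        "X-Spam-Status: Yes, hits=7.9 required=5.0 tests=BAYES_99",
        "X-Spam-Status: Yes, score=12.4 required=5.0 tests=BAYES_99",
        "X-Spam-Status: No, hits=2.2 required=5.0 tests=NONE"]

STATUS = re.compile(
    r"^X-Spam-Status:\s*(?:Yes|No),\s*(?:hits|score)=(-?\d+(?:\.\d+)?)",
    re.I | re.M)

def scores(headers):
    """Extract the numeric score from each header; skip unscored messages."""
    found = (STATUS.search(h) for h in headers)
    return [float(m.group(1)) for m in found if m]

def caught(spam_scores, required):
    """SpamAssassin tags a message as spam when score >= required."""
    return sum(1 for s in spam_scores if s >= required)

def suggest_required_hits(ham, spam, default=5.0, margin=0.5):
    """Lowest threshold that keeps every known ham message below it."""
    ham_s, spam_s = scores(ham), scores(spam)
    # No scored ham means no evidence for lowering: stay at the default.
    # Never raise above the default either, only lower.
    suggested = default
    if ham_s:
        suggested = round(min(default, max(ham_s) + margin), 1)
    return {"required_hits": suggested,
            "spam_total": len(spam_s),
            "caught_at_default": caught(spam_s, default),
            "caught_at_suggested": caught(spam_s, suggested)}

if __name__ == "__main__":
    r = suggest_required_hits(HAM, SPAM)
    print("required_hits %.1f" % r["required_hits"])   # line for user_prefs
    print("spam caught: %d -> %d of %d" % (
        r["caught_at_default"], r["caught_at_suggested"], r["spam_total"]))
```

With only 15 or so legit messages to measure, the highest ham score is a small sample, so recheck the threshold as more ham arrives.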