On Mon, 28 Dec 2015, Peter L. Berghold wrote:

On Mon, Dec 28, 2015 at 11:38:17AM -0800, John Hardin wrote:

* you haven't also been training ham. Bayes needs sufficient examples of
  both to be able to make a judgement.

Oh yes, been training ham too.

Good.

* you're somehow mistraining Bayes, for example by allowing untrustworthy
  users to directly feed the training corpora.

I am training through the root user.  Maybe I shouldn't be doing that?

Maybe. Too soon to tell.

Some questions:

What does "sa-learn --dump magic" report?

Here:
# sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       7026          0  non-token data: nspam
0.000          0       1196          0  non-token data: nham

Okay, you have enough of both ham and spam (in that database) for Bayes to score messages.

Are there any BAYES rules hits at all? Spams getting BAYES_00 is a
different problem than spams getting BAYES_50 or getting no BAYES
rule hits at all.

Some things *are* being flagged as spam.

"flagged as spam" isn't the question I asked. Let me re-ask:

(1) Are you seeing any BAYES_## rule hits at all, on any messages, spam or ham?

(2) What, if any, BAYES_## rule hits are you seeing on the persistent FNs?

(see below)

Just these very persistent cases that are driving me nuts.

What user is spamd (or however your MTA is using SA) running under?

I have postfix using amavisd which feeds clamav and spamd and then
reinjects messages if they are OK or quarantines virused emails and deletes
spam.

OK.

What user are you running sa-learn as?

root

OK. I suspect the problem is that amavis is not seeing your trained bayes database, and that you should be training as user amavisd rather than as user root. However, I don't use amavis so I cannot say for sure that is the cause.

You might try running "sa-learn --dump magic" as user amavisd and see what it says...

Here's a sample header --

Return-Path: 
<bounce-mc.us7_20122743.281665-peter=berghold....@mail176.atl61.mcsv.net>
X-Original-To: pe...@berghold.net
Delivered-To: pe...@berghold.net
Received: from localhost (localhost [127.0.0.1])
        by smtp.berghold.net (Postfix) with ESMTP id DDE531320BFF
        for <pe...@berghold.net>; Mon, 28 Dec 2015 14:30:16 -0500 (EST)
X-Virus-Scanned: Debian amavisd-new at smtp.berghold.net
Received: from smtp.berghold.net ([127.0.0.1])
        by localhost (smtp.berghold.net [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id HF_jGOGEX4sZ for <pe...@berghold.net>;
        Mon, 28 Dec 2015 14:30:12 -0500 (EST)
Received: from mail176.atl61.mcsv.net (mail176.atl61.mcsv.net [205.201.135.176])
        by smtp.berghold.net (Postfix) with ESMTP id 726721320EA0
        for <pe...@berghold.net>; Mon, 28 Dec 2015 14:30:10 -0500 (EST)
Received: from (127.0.0.1) by mail176.atl61.mcsv.net id hg66s6174acv for 
<pe...@berghold.net>; Mon, 28 Dec 2015 19:30:09 +0000 (envelope-from 
<bounce-mc.us7_20122743.281665-peter=berghold....@mail176.atl61.mcsv.net>)
Subject: 
=?utf-8?Q?After=20Christmas=20Sale=21=20=C2=A0Up=20to=2075%=20Off=C2=A0?=
From: =?utf-8?Q?Bootights?= <i...@shelbymason.com>
Reply-To: =?utf-8?Q?Bootights?= <i...@shelbymason.com>
To: =?utf-8?Q?Peter?= <pe...@berghold.net>
Date: Mon, 28 Dec 2015 19:30:09 +0000
Message-ID: 
<0fc2d5ab3baab94a1ec0813155a6d3419fd.20151228192...@mail176.atl61.mcsv.net>
X-Mailer: MailChimp Mailer - **CIDa0ee1b8a005a6d3419fd**
X-Campaign: mailchimp0fc2d5ab3baab94a1ec081315.a0ee1b8a00
X-campaignid: mailchimp0fc2d5ab3baab94a1ec081315.a0ee1b8a00
X-Report-Abuse: Please report abuse for this campaign here: 
http://www.mailchimp.com/abuse/abuse.phtml?u=0fc2d5ab3baab94a1ec081315&id=a0ee1b8a00&e=5a6d3419fd
X-MC-User: 0fc2d5ab3baab94a1ec081315
X-Feedback-ID: 20122743:20122743.281665:us7:mc
List-ID: 0fc2d5ab3baab94a1ec081315mc list 
<0fc2d5ab3baab94a1ec081315.120005.list-id.mcsv.net>
X-Accounttype: pd
List-Unsubscribe: 
<mailto:unsubscribe-mc.us7_0fc2d5ab3baab94a1ec081315.a0ee1b8a00-5a6d341...@mailin1.us2.mcsv.net?subject=unsubscribe>,
 
<http://shelbymason.us7.list-manage.com/unsubscribe?u=0fc2d5ab3baab94a1ec081315&id=b983be40f9&e=5a6d3419fd&c=a0ee1b8a00>
Sender: "Bootights" <info=shelbymason....@mail176.atl61.mcsv.net>
x-mcda: FALSE
Content-Type: multipart/alternative; boundary="_----------=_MCPart_1143067562"
MIME-Version: 1.0
Content-Length: 28920

There are no rule hit details there. I'm going to assume enabling that is something you have to do in the amavis config file.

Can you try to find information for that message in the amavis log, that might indicate what SA rules hit on it? I don't know whether amavis logs that level of detail by default.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  If guns kill people, then...
    -- pencils miss spel words.
    -- cars make people drive drunk.
    -- spoons make people fat.
-----------------------------------------------------------------------
 7 days since the first successful real return to launch site (SpaceX)
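
Added example, not part of the original message: a sketch of the check suggested above, comparing the "sa-learn --dump magic" counters seen by the training account with those seen by the account the scanner runs as. The function names are hypothetical, the scanner-side dump is a constructed sample of an untrained database, and 200 is SpamAssassin's default for bayes_min_spam_num and bayes_min_ham_num.

```shell
#!/bin/sh
# Added example: compare the Bayes counters two accounts see.
MIN=200   # SpamAssassin default for bayes_min_spam_num / bayes_min_ham_num

# Dump quoted in the thread (the database root has been training).
ROOT_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0       7026          0  non-token data: nspam
0.000          0       1196          0  non-token data: nham'

# Constructed sample: what a never-trained database would report.
SCANNER_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0          0          0  non-token data: nspam
0.000          0          0          0  non-token data: nham'

# bayes_count FIELD DUMP: print the counter (3rd column) for nspam or nham.
# Prints 0 when the field is missing, e.g. an empty dump.
bayes_count() {
    printf '%s\n' "$2" |
        awk -v f="$1" '$5 == "non-token" && $NF == f { n = $3 } END { print n + 0 }'
}

# bayes_usable DUMP: succeed only if both corpora reach MIN messages.
bayes_usable() {
    [ "$(bayes_count nspam "$1")" -ge "$MIN" ] &&
        [ "$(bayes_count nham "$1")" -ge "$MIN" ]
}

# compare_dumps TRAINER_DUMP SCANNER_DUMP: print a one-word diagnosis.
compare_dumps() {
    t="$(bayes_count nspam "$1")/$(bayes_count nham "$1")"
    s="$(bayes_count nspam "$2")/$(bayes_count nham "$2")"
    if [ "$t" = "$s" ]; then
        echo "counts-match"          # consistent with one shared database
    elif bayes_usable "$2"; then
        echo "separate-databases"    # scanner has its own trained database
    else
        echo "scanner-untrained"     # training never reached the scanner
    fi
}

echo "root:    nspam=$(bayes_count nspam "$ROOT_DUMP") nham=$(bayes_count nham "$ROOT_DUMP")"
echo "scanner: nspam=$(bayes_count nspam "$SCANNER_DUMP") nham=$(bayes_count nham "$SCANNER_DUMP")"
echo "verdict: $(compare_dumps "$ROOT_DUMP" "$SCANNER_DUMP")"
```

On a live system, replace the two sample variables with the output of "sa-learn --dump magic" captured once as root and once as the scanner's account.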
