Re: How to reject mails with special message-id (Debian, Amavis, Spamassassin)

Tue, 20 Sep 2016 07:08:10 -0700 

On 9/20/2016 9:46 AM, Thomas Barth wrote:



Am 20.09.2016 um 15:27 schrieb Bowie Bailey:


X-Spam-Status: Yes, score=14.009 tag=2 tag2=6.31 kill=6.31
        tests=[HTML_MESSAGE=0.001, MESSAGEID_LOCAL=8,
MIME_HTML_ONLY=1.105,
        PYZOR_CHECK=1.985, RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274]
        autolearn=no autolearn_force=no


The base SA ruleset is optimized to detect spam with a score of 5.0.  If
you raise that score, you will allow more spam to come through. If you
lower that score, you will see more legitimate messages blocked as

spam.  Make sure you know what you are doing before you change this 
score.





I read that 5.0 is aggressive and suitable for single user setup, 
conservative values are 8.0 or 11.0.


required_score n.nn (default: 5)

https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Conf.html 




Depends on your situation.  I've been using 5.0 for years in a 
tag-and-deliver setup.  I delete spam messages at a score of 10 - 15 for 
a few users who receive large amounts of spam.



Also, as I said before, remember that SA's required_score setting is 
ignored in an Amavis setup.  You should use Amavis's tag_level, 
tag2_level, and kill_level settings instead.  According to the header 
shown above, you currently appear to be blocking spam at a score of 6.31.



I ve checked most of the mails recognized as spam. The lowest score 
was 8.6x so far.



It is impossible to block all spam.  There will always be some that 
slips through.  The objective of a spam blocker such as SA is to block 
the most spam possible while keeping false positives near zero.  Users 
will complain about a few spam that get through -- they will scream 
about a single important message that gets blocked.



Here is another mail from ...local. It definitely was spam with zip 
attachment. Common is a sender address with digits.
<wynn.54...@allfromboats.com> -> <tba...@txbweb.de>, quarantine: 
l/spam-lEHVGcheLkyq.gz, Message-ID: 
<20160920202635.6b90ec7...@allfromboats.com.local>, mail_id: 
lEHVGcheLkyq, Hits: 19.118



May be I also should block sender adresses with more than 2 digits in 
the name?



VERY bad idea.  Especially if you deal with the general public. There 
are tons and tons of people who have emails like jim...@gmail.com.  You 
might get away with a low scoring rule for messages with 4 or more 
digits, but I would give it a very low score to start with and watch it 
for a week or so to see how many hams vs spams it hits.


--
Bowie






















					Reply via email to