Spam sneaking in.

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Aug 26 15:43:27 CEST 2019


>> On 16.08.19 13:51, Lambert Rots wrote:
>> >Did you get a solution for the issue about spam sneaking in?  I think I
>> >have the same issue about spam being scored differently between
>> >spamassassin and amavisd-new.

>On Sun 18 Aug 2019 at 11:59, Matus UHLAR - fantomas <
>uhlar at fantomas.sk> wrote:
>> did you also change the DKIM_VERIFIED score to -3?
>> If not, you don't have the same issue.

On 26.08.19 11:22, Lambert Rots wrote:
>Sorry for the delayed response, I was first debugging/fetching logs for a
>few days...
>
>No I did not change the DKIM_VERIFIED score so apparently I have a
>different issue ;-)

>> >It looks like DNS blacklist checks are not scored as most spam is found
>> >on blacklists when parsing the mail through spamassassin but debugging
>> >amavisd-new shows that DNS checks are being performed.
>>
>> this is also a different issue.  Many sites and webs get into blacklist
>> after the spam started spreading, so first (early) recipients don't see
>> the mail in blacklist, while late recipients or later checks show
>> blacklists.

>Comparing debug logs between Amavisd-new (debug-sa) and spamassassin
>directly shows that blacklist checks score 0 with NXDOMAIN replies when the
>mail arrives the first time where spamassassin scores +3 with several hits
>on blacklist checks.

this shows early recipient issue. What's the time difference
between amavis and spamassassin checks?
Are there any differences in rules hit other than blacklists?

>I just cannot imagine that all spam I receive is early recipient based,

do you reject any spam?

>besides, postfix is already taking care of most blacklist checking.

postfix does only check blacklists on direct sending machine.  SA does deep
header checks, which is why SA blacklist checks have more hits than postfix.

>Most spam mail is coming from the same email domains, share the same
>subject and a lot of other stuff on which amavisd-new should be able to
>identify it as spam. Bayes scores some mail but not all.

train what you can. bayes training is one of the best antispam tools available.

>Spam senders try a lot to bypass anti spam but in my opinion amavisd-new
>should be able to do better than marking less than 1 percent of spam mail
>as spam.

what does ~amavis/.spamassassin contain?
what does /etc/amavis/conf.d/ contain?

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
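
Added example, not part of the original message and not Postfix or SpamAssassin code: a simplified model of why a check on the connecting client alone produces fewer DNSBL lookups than a check that walks the Received headers. The sample message, the zone `dnsbl.example` and the function names are constructed for illustration, and the newest Received header is assumed to record the connecting client.

```python
import email
import ipaddress
import re

# Constructed sample (documentation-range IPs); newest Received header is on top.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.25])
 by mx.example.org (Postfix) with ESMTP id 0000000001
 for <user@example.org>; Mon, 26 Aug 2019 11:00:05 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
 by mail.example.net (Postfix) with ESMTP id 0000000002;
 Mon, 26 Aug 2019 11:00:03 +0200 (CEST)
Received: from [203.0.113.77] (unknown [203.0.113.77])
 by mail.example.net (Postfix) with ESMTPA id 0000000003;
 Mon, 26 Aug 2019 11:00:01 +0200 (CEST)
From: sender@example.net
Subject: constructed sample

body
"""

ZONE = "dnsbl.example"  # placeholder zone, not a real blacklist
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Loopback and RFC 1918 hops are not meaningful on public DNSBLs, so skip them.
SKIP = [ipaddress.ip_network(n) for n in
        ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def relay_ips(raw, newest_only=False):
    """Return public relay IPs from Received headers, newest hop first."""
    headers = email.message_from_string(raw).get_all("Received", [])
    if newest_only:
        headers = headers[:1]  # the hop that connected to our own MX
    found = []
    for header in headers:
        for text in BRACKETED_IP.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # malformed literal such as [999.1.1.1]
                continue
            if any(ip in net for net in SKIP) or str(ip) in found:
                continue
            found.append(str(ip))
    return found

def dnsbl_names(ips, zone=ZONE):
    """Build DNSBL query names: reversed octets followed by the zone."""
    return [".".join(reversed(ip.split("."))) + "." + zone for ip in ips]

if __name__ == "__main__":
    print("connecting client only:", dnsbl_names(relay_ips(SAMPLE, newest_only=True)))
    print("all relays in headers: ", dnsbl_names(relay_ips(SAMPLE)))
```

Each name is resolved at the moment of the check, so the same name can return NXDOMAIN at delivery time and a listing when the message is re-scanned later.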

