Spam sneaking in.

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Aug 27 15:09:09 CEST 2019


On 27.08.19 14:50, Lambert Rots wrote:
>The time difference between amavisd-new and spamassassin checks is +30 minutes.
>
>I don't reject spam, spam is set to be discarded:

>$final_spam_destiny       = D_DISCARD;  #!!!  D_DISCARD / D_REJECT

so, you don't know of spam that gets discarded, and it's quite possible that
much of the spam is dropped before you can scan it again using spamassassin,
correct?

that way, it's quite possible that the spam that sneaks in is "early recipient
based", so it would be rejected half an hour later.

>~amavis/.spamassassin contains:
>-rw------- 1 amavis amavis   40960 Aug 27 07:45 bayes_seen
>-rw------- 1 amavis amavis 1310720 Aug 27 07:45 bayes_toks
>-rw-r--r-- 1 amavis amavis    1869 Aug 16 13:23 user_prefs

btw, how do you check spam by spamassassin?
for comparing to amavis scores I use

(cd /tmp; su -s /bin/sh -c 'spamassassin -x' amavis) < file | less

>The user_prefs is just a sample file with only commented/blank lines

...so the results aren't flawed due to amavis' user_prefs.

>$ ls -lh /etc/amavisd/
>total 88K
>-rw-r--r-- 1 root root 37K Aug 22 12:22 amavisd.conf
>-rw-r--r-- 1 root root 37K Jul 19 12:32 amavisd.conf.rpmsave
>-rw-r--r-- 1 root root  19 Jul  5  2016 sender_scores_sitewide
>-rw-r--r-- 1 root root  95 Jul 21  2018 whitelist_sender
>
>sender_scores_sitewide contains one specific domain with score -5.0 to
>prevent mail from that domain to be accidentally identified as spam.
>whitelist_sender contains my logwatch sender to prevent my logwatch reports
>to be seen as spam.

I put those into SA's local.cf, this way they get the same score when
checked by SA or by amavis.


>> >On Sun 18 Aug 2019 at 11:59, Matus UHLAR - fantomas <
>> >uhlar at fantomas.sk> wrote:
>> >> this is also a different issue.  Many sites and webs get into blacklist
>> >> after the spam starts spreading, so first (early) recipients don't see
>> >> the mail in blacklist, while late recipients or later checks show
>> >> blacklists.

>> On 26.08.19 11:22, Lambert Rots wrote:
>> >Comparing debug logs between Amavisd-new (debug-sa) and spamassassin
>> >directly shows that blacklist checks score 0 with NXDOMAIN replies when
>> >the mail arrives the first time where spamassassin scores +3 with
>> >several hits on blacklist checks.

>On Mon 26 Aug 2019 at 15:50, Matus UHLAR - fantomas <
>uhlar at fantomas.sk> wrote:
>> this shows early recipient issue. What's the time difference
>> between amavis and spamassassin checks?
>> Are there any differences in rules hit other than blacklists?

>> >I just cannot imagine that all spam I receive is early recipient based,
>>
>> do you reject any spam?
>>
>> >besides, postfix is already taking care of most blacklist checking.
>>
>> postfix only checks blacklists on the direct sending machine.  SA does deep
>> header checks, which is why SA blacklist checks have more hits than
>> postfix.
>>
>> >Most spam mail is coming from the same email domains, share the same
>> >subject and a lot of other stuff on which amavisd-new should be able to
>> >identify it as spam. Bayes scores some mail but not all.
>>
>> train what you can. bayes training is one of the best antispam tools
>> available.
>>
>> >Spam senders try a lot to bypass anti spam but in my opinion amavisd-new
>> >should be able to do better than marking less than 1 percent of spam mail
>> >as spam.
>>
>> what does ~amavis/.spamassassin contain?
>> what does /etc/amavis/conf.d/ contain?

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
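
Added example, not part of the original message and not code from amavis or SpamAssassin: one way to answer the thread's question about which rules differ between the copy amavis scored at delivery and a later `spamassassin -x` rescan. The `X-Spam-Status` layouts, the rule-name prefixes used to recognise DNS list rules, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: DNS list rules are recognised by these rule-name prefixes.
LIST_PREFIXES = ("RCVD_IN_", "URIBL_", "DNS_FROM_")

def rule_hits(raw_message):
    """Return the set of rule names listed in the X-Spam-Status header."""
    status = message_from_string(raw_message).get("X-Spam-Status", "")
    status = " ".join(status.split())  # unfold continuation lines
    # tests=[NAME=score, ...] (bracketed) or tests=NAME,NAME (plain)
    m = re.search(r"tests=(\[[^\]]*\]|.*?)(?=\s+autolearn=|$)", status)
    return set(re.findall(r"[A-Z][A-Z0-9_]*", m.group(1))) if m else set()

def compare(at_delivery, rescanned):
    """Split the rule differences into DNS list rules and everything else."""
    early, late = rule_hits(at_delivery), rule_hits(rescanned)
    gained = late - early
    return {
        # Only list rules gained: consistent with the early-recipient effect.
        "gained_lists": sorted(r for r in gained if r.startswith(LIST_PREFIXES)),
        # Other rules gained: the two scans do not share rules, scores or Bayes data.
        "gained_other": sorted(r for r in gained if not r.startswith(LIST_PREFIXES)),
        "lost": sorted(early - late),
    }

# Constructed sample: copy as delivered, scored by amavis.
AMAVIS_COPY = (
    "X-Spam-Status: No, score=1.9 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_50=0.8, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.1]\n"
    "\tautolearn=no\n"
    "Subject: constructed sample\n\nbody\n"
)
# Constructed sample: same message rescanned 30 minutes later.
SA_RESCAN = (
    "X-Spam-Status: Yes, score=6.3 required=5.0 tests=BAYES_50,HTML_MESSAGE,\n"
    "\tMIME_HTML_ONLY,RCVD_IN_SBL,URIBL_BLACK autolearn=no version=3.4.2\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for kind, rules in compare(AMAVIS_COPY, SA_RESCAN).items():
        print(f"{kind}: {', '.join(rules) or '-'}")
```
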


More information about the amavis-users mailing list