More spam after spamassain upgrade

Stephen Swaney Steve at swaney.com
Thu Jul 24 23:05:12 IST 2003


This will not be too helpful in solving your problems but it does show
that spam detection is working on some systems.

We're running MailScanner SpamAssassin 2.55 and MailScanner-4.22-5 on a
Red Hat Enterprise 2.1 system that is a spampot. It gets NOTHING but
spam. We have fed a lot of the spam to the Bayesian filter and this has
improved our detection rate a bit.

The spam threshold is set to 5 and High Spam is set to 10. A quick look
at 1/2 days stats:

Processed:            5052    24.6Mb
Spam:                   5022    99.4%
High Scoring Spam:  2737    54.2%

Looks like it's missing .6% of today's junk.

Another interesting statistic is that the average size of a spam message is
4.869 KB.

Steve
Steve at Swaney.com

On Thu, 2003-07-24 at 17:41, John Rudd wrote:

> I'm seeing a similar problem.  My production machines are running v 2.43
> with MailScanner 4.11-1, and got these scores:
>
> X-UCSC-CATS-MailScanner-SpamCheck: spam, SpamAssassin (score=9.3,
>         required 8,
>         BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK, CTYPE_JUST_HTML,
>         FORGED_RCVD_FOUND, HEADER_8BITS, HTML_70_90, HTML_FONT_COLOR_GRAY,
>         HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, LINES_OF_YELLING,
>         MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_2, PRIORITY_NO_NAME,
>         SPAM_PHRASE_05_08, TO_LOCALPART_EQ_REAL, X_AUTH_WARNING)
>
>
> The same message, running through SpamAssassin 2.55 and
> MailScanner-4.22-5 gives these scores (I'm in the process of upgrading
> right now, so my test machines are running these newer versions):
>
> X-UCSC-KZIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.6,
>         required 5, CLICK_BELOW 0.10, HEADER_8BITS 1.18, HTML_70_80 0.51,
>         HTML_FONT_BIG 0.27, HTML_FONT_COLOR_GRAY 0.10,
>         HTML_FONT_COLOR_UNSAFE 0.10, HTML_LINK_CLICK_HERE 0.10,
>         HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.10, MISSING_MIMEOLE 0.50,
>         MSG_ID_ADDED_BY_MTA_2 0.40, PRIORITY_NO_NAME 0.46,
>         X_AUTH_WARNING -0.40)
>
>
> The current SpamAssassin looks like it has assigned 0's to the
> LINES_OF_YELLING scores, for example.
>
> (the spam in question, for those scores, was a gold and silver
> investment blurb)
>
> I wonder if it has something to do with which SA options mailscanner is
> assuming (bayes, etc.), which might not be selecting the best possible
> score sets.
>
>
> > Stephen Swaney wrote:
> >
> > Sanjay,
> >
> > I believe that you should be at version 2.55 of SpamAssassin. This
> > should make a difference.
> >
> > Steve
> > Steve Swaney
> > Steve at Swaney.com
> >
> > On Thu, 2003-07-24 at 11:38, Sanjay K. Patel wrote:
> >
> > > Thanks for the response,
> > > Here are the headers. I am using version 2.52
> > >
> > > SpamCheck: not spam, SpamAssassin (score=0.4, required 5,
> > >         FOR_JUST_SOME_AMT 0.18, HTML_50_60 0.10, HTML_FONT_BIG 0.22,
> > >         HTML_FONT_COLOR_BLUE 0.10, HTML_FONT_COLOR_GRAY 0.10,
> > >         HTML_FONT_COLOR_RED 0.10, HTML_WEB_BUGS 0.10,
> > >         ORIGINAL_MESSAGE -0.50)
> > >
> > > This was the normal buy Norton junk. It should have scored higher.
> > >
> > > SKP
> > >
> > > -----Original Message-----
> > > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
> > > Of Martin Sapsed
> > > Sent: Thursday, July 24, 2003 7:23 AM
> > > To: MAILSCANNER at JISCMAIL.AC.UK
> > > Subject: Re: More spam after spamassain upgrade
> > >
> > >
> > > Sanjay K. Patel wrote:
> > > > We are seeing more spam getting through after upgrading spam assassin
> > > > to the latest version. Even the buy Norton cheap spam is getting
> > > > through. All the spam scores below our threshold of 5.
> > > >
> > > > Have the spammers got smarter or do we need to fine tune something?
> > >
> > > Can you post the headers for e.g. a "buy Norton cheap" message which got
> > > through - the categories SA lists might help us to advise you. Which
> > > version do you mean by "the latest version"? What platform? What version
> > > of MailScanner etc etc
> > >
> > > I'm using a copy of 2.60 from a little while ago along with DCC (with
> > > its score raised) and virtually nothing gets past that.
> > >
> > > Cheers
> > >
> > > Martin
> > >
> > > --
> > > Martin Sapsed
> > > Information Services               "Who do you say I am?"
> > > University of Wales, Bangor             Jesus of Nazareth
> > >
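
To see which rules stopped firing between the two installs compared in the thread, the two SpamCheck headers can be parsed and diffed by rule name. This is an added example, not part of the original posts or of MailScanner; the header pattern is assumed from the two headers quoted above, and `parse_spamcheck` and `compare` are hypothetical helper names.

```python
import re

# The two SpamCheck headers quoted in the thread (same message, two installs).
OLD_HEADER = """X-UCSC-CATS-MailScanner-SpamCheck: spam, SpamAssassin (score=9.3,
        required 8, BIG_FONT, CLICK_BELOW, CLICK_HERE_LINK, CTYPE_JUST_HTML,
        FORGED_RCVD_FOUND, HEADER_8BITS, HTML_70_90, HTML_FONT_COLOR_GRAY,
        HTML_FONT_COLOR_UNSAFE, HTML_FONT_COLOR_YELLOW, LINES_OF_YELLING,
        MISSING_MIMEOLE, MSG_ID_ADDED_BY_MTA_2, PRIORITY_NO_NAME,
        SPAM_PHRASE_05_08, TO_LOCALPART_EQ_REAL, X_AUTH_WARNING)"""
NEW_HEADER = """X-UCSC-KZIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=3.6,
        required 5, CLICK_BELOW 0.10, HEADER_8BITS 1.18, HTML_70_80 0.51,
        HTML_FONT_BIG 0.27, HTML_FONT_COLOR_GRAY 0.10,
        HTML_FONT_COLOR_UNSAFE 0.10, HTML_LINK_CLICK_HERE 0.10,
        HTML_MESSAGE 0.10, MIME_HTML_ONLY 0.10, MISSING_MIMEOLE 0.50,
        MSG_ID_ADDED_BY_MTA_2 0.40, PRIORITY_NO_NAME 0.46,
        X_AUTH_WARNING -0.40)"""

# Pattern assumed from the two headers above (applied after unfolding).
HEADER_RE = re.compile(
    r"SpamCheck: (?P<verdict>not spam|spam), SpamAssassin "
    r"\(score=(?P<score>-?\d+(?:\.\d+)?), required (?P<required>-?\d+(?:\.\d+)?)"
    r"(?:, (?P<rules>[^)]*))?\)")
RULE_RE = re.compile(r"(?P<name>[A-Z][A-Z0-9_]*)(?: (?P<score>-?\d+(?:\.\d+)?))?")

def parse_spamcheck(header):
    """Parse one folded SpamCheck header into verdict, scores and rule hits."""
    unfolded = " ".join(header.split())  # undo header line folding
    m = HEADER_RE.search(unfolded)
    if m is None:
        raise ValueError("not a MailScanner SpamCheck header")
    rules = {}
    for item in (m["rules"] or "").split(","):
        hit = RULE_RE.fullmatch(item.strip())
        if hit:  # per-rule score is None when the header lists names only
            rules[hit["name"]] = float(hit["score"]) if hit["score"] else None
    score, required = float(m["score"]), float(m["required"])
    return {"verdict": m["verdict"], "score": score, "required": required,
            "margin": round(score - required, 2), "rules": rules}

def compare(old_header, new_header):
    """Report which rule names fired on only one side of an upgrade."""
    old, new = parse_spamcheck(old_header), parse_spamcheck(new_header)
    return {"only_old": sorted(old["rules"].keys() - new["rules"].keys()),
            "only_new": sorted(new["rules"].keys() - old["rules"].keys()),
            "both": sorted(old["rules"].keys() & new["rules"].keys()),
            "margins": (old["margin"], new["margin"])}

if __name__ == "__main__":
    for key, value in compare(OLD_HEADER, NEW_HEADER).items():
        print(f"{key}: {value}")
```

A name appearing under `only_old` means only that it is absent from the newer header; the headers alone do not say whether the rule was renamed, removed or given a zero score.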