MS/SA Installed - How is it working?

Matt Kettler mkettler at evi-inc.com
Thu Oct 12 21:17:49 IST 2006


Daniel Straka wrote:
> This kind of goes along with Chris Yuzik's post "spam getting through
> without even being checked" (see below).
> 
> So I've got MS running with SA. It seems to be doing OK, but how do I
> know?
> Yes, I bought the book.
> I would like to know...

Well, you've got a lot of questions I could write a book about each one.
However, I'll try to give you a little bit of wisdom on each. Hopefully others
do the same and you'll get a lot of good advice.

> How to tell if MS is running well?

My suggestion: use mailscanner-mrtg, or something similar that monitors a lot of
mailscanner and graphs it. Watch the inbound queue: if it starts growing, and
keeps growing, something's not working well.

This also lets you watch virus and spam hit rates. After a while you'll get a
feel for what's "normal". From there you'll be able to see if something is worth
investigation. ie: if you normally get 10-50 viruses a day, and suddenly there's
none for 2 days in a row, your virus scanning is probably broken.

You can also test it periodically by emailing yourself an eicar test virus, or
have a website do it for you (ie: http://www.aleph-tec.com/eicar/index.php)


> How to tell if SA running well?

This is a bit harder. You can watch the spam catch rate with mrtg. Spam rates
are normally fairly linear, so if your SA starts missing a lot the normal
triangular graph will start looking like a shallow staircase.

Also keep an eye out for ".expire" files in the directory where your bayes DB
lives (look for bayes_toks on your machine). These are a sign that your
MailScanner is timing out SA instances during bayes database expiry. Extend your
spamassassin timeout in MailScanner.conf if it crops up.


> What maintenance is required?

Generally speaking, little.

Keep your AV updated regularly (MS will generally do this for you with most AV
packages. However, some need manual updating, ie: command av, which uses
passworded FTP downloads).

Update SA periodically (unless there's a security hole, you don't have to jump to
the latest release every time, but it's advisable to keep relatively recent).


> When should I tweak MS?
> When should I tweak SA?

When you start having problems of mis-tagging.

> What are essential SA tweaks?

Make sure your trusted_networks is set properly. See
http://wiki.apache.org/spamassassin/TrustPath

Browse the /etc/mail/spamassassin/*.pre files to see if there are any plugins
you want to use. Note that some of these require 3rd party software to run. (ie:
SPF, DCC, Razor, pyzor), but you can find that in the manpage for the plugin.

See the plugin docs at:
http://spamassassin.apache.org/full/3.1.x/dist/doc/
Named Mail_SpamAssassin_Plugin_*

Consider using sa-update.

Cautiously consider using add-on rulesets. (DO NOT use sa-blacklist or
sa-blacklist-uri unless you consider 1GB a small amount of RAM)

http://wiki.apache.org/spamassassin/CustomRulesets

Note: don't go hog-wild with the add-ons. I'd really suggest adding no more than
3 at a time.

A very common problem is someone who just downloaded SA, installed every add-on
ruleset that exists, fires it up and wonders why their server is grinding to a
halt. There is such a thing as too much, but you can probably safely add 10-20
files that are under 128k. The "too much" line depends a lot on how much RAM you
have to spare. Each added rule takes a little extra RAM. A lot of added rules
take a lot of extra RAM.


For what it's worth I use:

53868 Apr 21 10:44 70_sare_adult.cf
24298 Oct  5  2005 70_sare_evilnum0.cf
 1574 Sep 16  2005 70_sare_evilnum1.cf
45933 Dec 30  2005 70_sare_genlsubj0.cf
28066 Jun  4 01:00 70_sare_html0.cf
51886 Oct 12  2005 70_sare_obfu0.cf
18190 Dec 15  2005 70_sare_random.cf
97820 May 27 23:00 70_sare_specific.cf
52048 Apr 10  2006 70_sare_stocks.cf
17879 Oct 12  2005 70_sare_uri0.cf
 1467 Apr 21 10:44 71_sare_adult_rescore.cf
57580 Sep 16  2005 99_FVGT_Tripwire.cf
10147 Jun  1  2005 99_sare_fraud_post25x.cf

Along with 30-some odd custom rulesets of my own design for local needs. Most of
these are very small (ie: under 1k)

> How do I tweak SA?

There's a million ways, from simple tweaks like the above to writing your own
add-on rules and plugins.

That said your common simple tweaks are:
-adjusting required_score
-making use of whitelist_from_rcvd
-making use of sa-learn for bayes training, this helps correct spam that's
getting low BAYES_xx scores, or nonspam that's getting high ones.


> How about a MS/SA crash course (tips) from the experts?

See above.
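As an added example (not code from the original post, nor from MailScanner or SpamAssassin), here is a small shell health check that automates two of the signs Matt describes: leftover ".expire" files beside the bayes database, and an inbound queue that keeps growing between runs. The three paths at the top (BAYES_DIR, QUEUE_DIR, STATE_FILE) and the default growth margin of 50 files are assumptions; point them at your own install.

```shell
#!/bin/sh
# Added example, not code from the original post or from MailScanner/SpamAssassin.
# A small health check covering two signs discussed above:
#   1. leftover bayes ".expire" files next to bayes_toks (SA timed out mid-expiry)
#   2. an inbound MailScanner queue that keeps growing between runs
# All three paths are assumptions; point them at your own install.
BAYES_DIR="${BAYES_DIR:-/var/spool/MailScanner/spamassassin}"  # assumed location of bayes_toks
QUEUE_DIR="${QUEUE_DIR:-/var/spool/mqueue.in}"                  # assumed inbound queue directory
STATE_FILE="${STATE_FILE:-/var/tmp/ms_queue_last}"              # previous queue count lives here

# check_bayes_expire DIR
# Returns 0 when DIR holds no "*.expire*" files, 1 (and a warning) otherwise.
# SpamAssassin names its temporary expiry copy after the DB it is expiring
# (e.g. bayes_toks.expire<pid>), so the glob covers that naming.
check_bayes_expire() {
    dir="$1"
    found=0
    for f in "$dir"/*.expire*; do
        [ -e "$f" ] || continue        # unmatched glob stays literal; skip it
        echo "WARN: stale bayes expiry file: $f" \
             "(raise the SpamAssassin timeout in MailScanner.conf)"
        found=1
    done
    return $found
}

# check_queue_growth QUEUE_DIR STATE_FILE [MARGIN]
# Counts the files in QUEUE_DIR, compares with the count saved by the previous
# run and records the new count. Returns 1 when the queue grew by more than
# MARGIN files (default 50) since the last run, 0 otherwise.
check_queue_growth() {
    qdir="$1"; state="$2"; margin="${3:-50}"
    now=$(find "$qdir" -maxdepth 1 -type f 2>/dev/null | wc -l | tr -d ' ')
    prev=$(cat "$state" 2>/dev/null)
    prev=${prev:-0}                    # first run, or an empty state file
    echo "$now" > "$state"
    if [ "$now" -gt $((prev + margin)) ]; then
        echo "WARN: inbound queue grew from $prev to $now files since last run"
        return 1
    fi
    return 0
}

# Run both checks against the configured paths when at least one of them exists,
# so the script can be dropped into cron and watched alongside mailscanner-mrtg.
if [ -d "$BAYES_DIR" ] || [ -d "$QUEUE_DIR" ]; then
    status=0
    check_bayes_expire "$BAYES_DIR" || status=1
    check_queue_growth "$QUEUE_DIR" "$STATE_FILE" || status=1
    [ "$status" -eq 0 ] && echo "OK: no bayes expiry leftovers and the queue is not growing"
fi
```

Run it from cron every few minutes; the queue check only flags growth relative to the previous run, so a single burst of mail does not trigger it unless the backlog keeps climbing, which is the "keeps growing" pattern described above. A stale expiry file is worth acting on immediately, since every SA instance killed mid-expiry leaves the bayes DB one step closer to needing a manual rebuild.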

