Bayes not learning? exchange environment

Glenn Steen glenn.steen at gmail.com
Wed Nov 21 10:08:34 GMT 2007


On 21/11/2007, Joey Marino <joey.da3rd at gmail.com> wrote:
> >> I recently installed a mailscanner filter in front of my exchange
> >> server. It was working fine for a few weeks then slowly let more and
> >> more spam through. Today it's letting alot of spam through. I am
> >> trying to verify that Bayes is learning, how would I do that? Also how
> >> do I verify that the spam rules are being updated?
> >>
> >> I also tried to place spam in a public folder on my exchange server
> >> and update bayes with these emails using this method provided by the
> >> wiki
> >>
> http://wiki.mailscanner.info/doku.php?id=documentation:anti_spam:spamassassin:sa-learn:msexchange
> >> It just stops executing at this line in the python script:
> >> log.write(commands.getoutput("%s --prefs-file=%s --spam %s" %
> >> (SALEARN, PREFS, TMPFILE)))
> >> any ideas? I'm trying to determine what this line is accomplishing.
> >>
> >> Joey Marino
>
> >Are there any bayes scores in the headers of the messages?
> >Are you running any extra rules from rulesemporium.com?
> >Are you properly set up to not accept mail to non-existent addresses?
> >Does your exchange server have a non-public address that can only be reached
> >by the mailscanner box? Otherwise the spammers will find it.
>
>  1. I am new to this, so please excuse any dumbness I may portray
>  I am not sure how to read the headers other than the reports from MailWatch
>  Here is an example header:
>  Return-Path: <�g>
>  Received: from pyszczek (bhc145.neoplus.adsl.tpnet.pl [83.28.92.145])
>       by localhost.localdomain (8.13.1/8.13.1) with ESMTP id lAKNStWv009338
>       for <elliott at whippleauction.com>; Tue, 20 Nov 2007 18:28:57 -0500
>  Received: from [83.28.92.145] by mx1.biz.mail.yahoo.com; Wed, 21 Nov 2007
> 00:28:56 +0100
>  Message-ID: <01c82bd5$80c67fa0$915c1c53 at lbarlow>
>  From: "Marty Kimball" <lbarlow at nanapun.com>
>  To: <elliott at whippleauction.com>
>  Subject: MoneybackPolicyInternationalPharShipping
>  Date: Wed, 21 Nov 2007 00:28:56 +0100
>  MIME-Version: 1.0
>  Content-Type: multipart/alternative;
>       boundary="----=_NextPart_000_0007_01C82BD5.80C67FA0"
>  X-Priority: 3
>  X-MSMail-Priority: Normal
>  X-Mailer: Microsoft Outlook Express 6.00.2900.2905
>  X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2905
>
>  Now the information in the rows following "SpamAssassin" in this particular
> report show all [N]'s
>  In the messages that were recognized as spam, the "SpamAssassin
> Autolearn:" row shows [Y]
>  I hope that answers the first question
What Scott meant is the headers that MailScanner adds, specifically
the rule hits... The headers in MailWatch are prior to them being
added, but then.... MailWatch has all that info on the details page
anyway:). In the Spam Report section, what rules are listed? Is there
mention of Bayes? You could cut'n'paste that... We'll help you "read"
it;-).

>  2. I ran rules_du_jour (which is also in my cron tab) and the report shows
> that I did update rules from SARE. This message was in my summary report:
>  No index found for ruleset named ANTIDRUG.  Check that this ruleset is
> still valid.
If I'm not entirely wrong, the recommendation is to use sa-update for
this ... since a little while back. Check the archives of this list,
as well as the wiki, I think there is an article on how to do this.

>  3. I don't think I am set up to not accept mail to non-existent addresses,
> I didn't create a list of existing email addresses or link it to my exchange
> server active directory. How would I do this and how would this help?
http://wiki.mailscanner.info holds a lot of really good information.
Do read through the MAQ at least, it contains directions on how to do
this (depending on MTA etc). It will make a huge difference.

>  4. I believe the exchange server does have a private address. All incoming
> SMTP requests are statically routed to the mailscanner box. I ran a DNS lookup
> for the hostname of the box and nothing was found. How else would I verify
> this to be correct?
Since you cannot find the name, you could test with the actual
address. If the M-Sexchange server has a private IP address, perhaps
protected by a firewall, check that FW to see that there is no NAT
leading directly to it.

To give better help, please include as much information as you can...
Version of OS, MTA, MailScanner, AV, etc etc.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
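
The check discussed in this thread (does the spam report on a scanned message mention Bayes, and what did autolearn do) can be scripted. This is an added example, not part of the original message or of the wiki script. It assumes rule hits appear as `BAYES_NN` tokens next to an `autolearn=` field in a header whose name contains "spam"; the header name, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed report format: rule names such as BAYES_99 plus an autolearn=... field.
BAYES_RE = re.compile(r"\bBAYES_(\d{2,3})\b")
AUTOLEARN_RE = re.compile(r"\bautolearn=([a-z_]+)")

def bayes_summary(raw_message, header_hint="spam"):
    """Return (bayes_rule_or_None, autolearn_or_None) for one raw message."""
    msg = message_from_string(raw_message)
    bayes = autolearn = None
    for name, value in msg.items():
        if header_hint not in name.lower():
            continue  # only inspect spam-report headers, never the body
        text = " ".join(value.split())  # unfold continuation lines
        hit = BAYES_RE.search(text)
        if hit and bayes is None:
            bayes = "BAYES_" + hit.group(1)
        learn = AUTOLEARN_RE.search(text)
        if learn and autolearn is None:
            autolearn = learn.group(1)
    return bayes, autolearn

def bayes_coverage(raw_messages):
    """Return (messages_with_a_bayes_hit, total_messages)."""
    hits = sum(1 for raw in raw_messages if bayes_summary(raw)[0])
    return hits, len(raw_messages)

# Constructed samples: one report with a Bayes hit, one without.
SAMPLE_WITH_BAYES = (
    "From: sender@example.com\n"
    "Subject: constructed sample\n"
    "X-Example-MailScanner-SpamCheck: spam, SpamAssassin (not cached, score=9.5,\n"
    "\trequired 6, autolearn=spam, BAYES_99 3.50, HTML_MESSAGE 0.00)\n"
    "\n"
    "body\n"
)
SAMPLE_NO_BAYES = (
    "From: sender@example.com\n"
    "X-Example-MailScanner-SpamCheck: not spam, SpamAssassin (not cached,\n"
    "\tscore=1.2, required 6, autolearn=disabled, HTML_MESSAGE 0.00)\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_BAYES, SAMPLE_NO_BAYES):
        print(bayes_summary(sample))
    print(bayes_coverage([SAMPLE_WITH_BAYES, SAMPLE_NO_BAYES]))
```

If no message in a sizeable batch carries a `BAYES_` rule, Bayes is not contributing to the score at all, which is a different problem from Bayes scoring spam too low.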

