Stops after RCVD_IN_BL_SPAMCOP_NET

Kai Schaetzl maillists at conactive.com
Sat Jan 10 09:31:16 GMT 2009 

Joe Garvey wrote on Fri, 9 Jan 2009 15:03:33 -0800:

> There are a few other
> rules that hit over 45,000 but it drops dramatically after that with
> most rules only being hit with an average of 5,000.

this is absolutely normal. If all hits where hitting each spam we could reduce the
number of SA rules to 20. If you are using extra rulesets you may assess them this
way and decide if they are (still) worth it.

With RCVD_IN_BL_SPAMCOP_NET
> having such as high hit count compared to everything else it really
> makes me wonder why no other rules are getting hit as much as it is.

because rules like spamcop and spamhaus are best used at MTA level to spare your 
MS/SA a lot of processing.

> 
> required     112,503   8,110   7.2   104,393   92.8
> DCC_CHECK  Listed in DCC (http://rhyolite.com/anti-spam/dcc)  86,708  1,066  1.2  85,642  98.8
> autolearn=spam   84,906  0  0  84,906  100
> RCVD_IN_BL_SPAMCOP_NET  Received via a relay in bl.spamcop.net  74,756  256  0.3  74,500  99.7
> BAYES_99  Bayesian spam probability is 99 to 100%  73,555  87  0.1  73,468  99.9
> URIBL_JP_SURBL  Contains an URL listed in the JP SURBL blocklist  66,847  40  0.1  66,807  99.9
> URIBL_SBL  Contains an URL listed in the SBL blocklist  64,011  15  0  63,996  100
> URIBL_SBLXBL  Contains a URL listed in the SBL/XBL blocklist  59,950  13  0  59,937  100
> URIBL_AB_SURBL  Contains an URL listed in the AB SURBL blocklist  57,969  72  0.1  57,897  99.9
> HTML_MESSAGE  HTML included in message  57,796  5,932  10.3  51,864  89.7
> URIBL_OB_SURBL  Contains an URL listed in the OB SURBL blocklist  54,305  28  0.1  54,277  99.9
> URIBL_WS_SURBL  Contains an URL listed in the WS SURBL blocklist  46,946  18  0  46,928  100
> RAZOR2_CHECK  Listed in Razor2 (http://razor.sf.net)  46,385  227  0.5  46,158  99.5
> RAZOR2_CF_RANGE_51_100  Razor2 gives confidence level above 50%  45,793  188  0.4  45,605  99.6
> RCVD_IN_XBL  Received via a relay in Spamhaus XBL  44,779  2  0  44,777  100
> DIGEST_MULTIPLE  Message hits more than one network digest check  40,121  50  0.1  40,071  99.9

This is all very well.

> Here is the values from sa-learn --dump magic
> 0.000          0          3          0  non-token data: bayes db version
> 0.000          0       6493          0  non-token data: nspam
> 0.000          0        847          0  non-token data: nham
> 0.000          0     207718          0  non-token data: ntokens
> 0.000          0 1231449300          0  non-token data: oldest atime
> 0.000          0 1231541795          0  non-token data: newest atime
> 0.000          0 1231541368          0  non-token data: last journal sync atime
> 0.000          0 1231519200          0  non-token data: last expiry atime
> 0.000          0      86400          0  non-token data: last expire atime delta
> 0.000          0       1792          0  non-token data: last expire reduction count

this is all very well, except that you are slashing your bayes db each day, your
latest token is from one day ago. I wouldn't that.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

More information about the MailScanner mailing list