spamassassin some spam getting through

ssgill

Verified User
Joined
May 9, 2012
Messages
88
Hello all, i have issue with spam getting through. I am using the latest build of exim, exim config and SpamAssassin.
SpamAssassin is working in general because mail is being marked spam and sent to user spam folder but issue is that few of them are not marked spam.

My spam thresh hold is set to 5

Return-Path: <eccl@gyesculch.faith>
Delivered-To: user@mydomain.ca
Received: from server1.mydomain.com
by server1.mydomain.com with LMTP id ONBwNm9RjllZCAAAGPd+5w
for <user@mydomain.ca>; Fri, 11 Aug 2017 18:53:03 -0600
Return-path: <eccl@gyesculch.faith>
Envelope-to: user@mydomain.ca
Delivery-date: Fri, 11 Aug 2017 18:53:03 -0600
Received: from [194.67.194.239] (helo=gyesculch.faith)
by server1.mydomain.com with esmtp (Exim 4.89)
(envelope-from <eccl@gyesculch.faith>)
id 1dgKfk-0000oS-AY
for user@mydomain.ca; Fri, 11 Aug 2017 18:53:03 -0600
From: "Mildred" <eccl@gyesculch.faith>
Date: Fri, 11 Aug 2017 19:41:39 -0500
MIME-Version: 1.0
Subject: Date Easy with English Speaking Russian and Ukrainian Women
To: <user@mydomain.ca>
Message-ID: <9DeLmqvSlJuz7rmh9I9gV5g6wtRwrfwzixfDKiK8kuU.g5DnQ5pxA7aCPSegsfVBcpDUdBq44XIElrjhsJ8pyLw@gyesculch.faith>
Content-Type: multipart/alternative;
boundary="------------01942973284446684151705"
X-Spam-Score: 0.6 (/)
X-Spam-Report: Spam detection software, running on the system "server1.mydomain.com",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: breadandbutter I out Sheriff you me over by first Miss wall
on of hanged very the travelling friend innocence dead to trousers my seemed
was the idea use glass took broke Pip on blue hair was OpE my powerfully
I parlour and easing Judging her even for it way and consider all than been
When following the on my paper his In R OPE at you had up divorced tell wouldnt
myself aint pretended or OpE washing all mouth night [...]

Content analysis details: (0.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
1.7 URIBL_BLACK Contains an URL listed in the URIBL blacklist
[URIs: gyesculch.faith]
0.0 T_SPF_HELO_PERMERROR SPF: test of HELO record failed (permerror)
0.0 T_SPF_PERMERROR SPF: test of record failed (permerror)
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
SpamTally: Final spam score: 6
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Spam-Score: 0.6 // This is clearly not correct, should be higher, similar messages have score of 5.8 but in this case very low.

SpamTally: Final spam score: 6 // Final score is above 5 so this mail should be marked as spam but not.

Points for failing few tests is 0, i think points should be added in those cases.

Any idea how to fix this.
Thanks for your time.
 

James2k

Verified User
Joined
Nov 28, 2012
Messages
38
There are always going to be spam samples which do not directly get flagged, even if you the lowest thresholds. Its all down to characteristics and scoring.

First of all SpamTally and the defined threshold are not the same thing. The mail wasn't flagged as spam because it scored 0.6 out of 5.0 overall.

In this email sample, notice:

Code:
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Basically the Bayes learning system didn't pick it up as spam. You can do a couple of things to teach SpamAssassin about this email.

https://help.directadmin.com/item.php?id=358

Setup a regular cron job to feed SpamAssassin ham (safe) and spam emails, that way SpamAssassin can better profile future mail items.

In addition to bayes, you can enable DCC and Pyzor for more spam scoring/detection

DCC:
https://wiki.apache.org/spamassassin/UsingDcc

Pyzor:
https://wiki.apache.org/spamassassin/UsingPyzor

I've found often when Bayes hasn't profiled the email as spam before DCC usually picks up bulk spam and adds about a 3.0/4.0 scoring, which would of caught the sample attached. You can of course customise the scoring metrics to be lower if needed.

There are also specific posts on this forum about enabling DCC/Pyzor if you need help. You'll need to open certain TCP/UDP ports in your firewall to connect to these services.

Also if a specific mail item keeps getting through, you can throw in a few keywords present to make sure it goes to the spam folder. Just be careful about false positives when writing keyword phrases.

Hope this helps!
 
Top