What specific string to look for, and where, on a FreeBSD server?

I did these checks:

1. Searching /usr/local/etc/amavisd.conf for the strings "=0" and "= 0" returned the following:

$log_level = 0;              # verbosity 0..5, -d
$enable_db = 0;              # enable use of BerkeleyDB/libdb (SNMP and nanny)
$sa_local_tests_only = 0;    # only tests which do not require internet access?
$defang_banned = 0;  # MIME-wrap passed mail containing banned name
$smtp_connection_cache_enable = 0;
$signed_header_fields{'received'} = 0;
$log_level = 0;
$sa_debug = 0;
$allowed_header_tests{'multiple'} = 0;
$allowed_header_tests{'missing'} = 0;

2. The command "grep -iR 'tagged_above' /etc/* /var/* /usr/local/etc/*" didn't turn up anything relevant.

Also, sorry I didn't respond sooner, but the email alert about your response got classified as spam. :-)

Thanks for your response.

I haven't changed either setting. Here are their values:

$sa_tag2_level_deflt = 6.2;  # add 'spam detected' headers at that level
$sa_kill_level_deflt = 6.9;  # triggers spam evasive actions (e.g. blocks mail)

Try to query SQL table "amavisd.policy" like this:

SELECT * FROM policy WHERE policy_name='@.' \G

Show us the output please.

ps. This one is curious:

Curious because in /usr/local/etc/amavisd.conf the sa_tag_level_deflt is set to 2.0. Also, not all messages go into the Junk folder.

Thanks again for further troubleshooting clues.

Sorry, but the server still classifies as spam some messages below the configured spam threshold of 6.0, and still inserts "tagged_above=0" in email headers.  I have pasted headers below from a message classified as spam after the change.

Also, this is just cosmetic, but the server now prepends the label "5" instead of "***Spam*** " after changing the values.

What I did:

1. In MySQL, updated the amavisd.policy rows for spam_subject_tag, spam_subject_tag2, and spam_subject_tag3 from a value of NULL to a value of 5, per ZHB's suggestion.

2. Restarted the amavisd, clamav-clamd, and clamav-freshclam services.

It's clear the changes took effect because of the "5" label in the subject lines, but it still hasn't changed the false-positive rate or the "tagged_above=0" designation.

Here is a sample set of headers after the change. Thanks again for further troubleshooting advice.

Return-Path: <increased.night.driving.vision@cassionicollection.com>
Delivered-To: user@example.com
Received: from mail8.networktest.com (localhost [127.0.0.1])
    by mail8.networktest.com (Postfix) with ESMTP id 0D7BC5E6390
    for <user@example.com>; Thu, 29 Mar 2018 11:28:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at mail8.networktest.com
X-Spam-Flag: YES
X-Spam-Score: 2.701
X-Spam-Level: **
X-Spam-Status: Yes, score=2.701 tagged_above=0 required=0 tests=[BAYES_95=3,
    DCC_CHECK=1.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.418,
    SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01,
    T_REMOTE_IMAGE=0.01] autolearn=no autolearn_force=no
Received: from mail8.networktest.com ([127.0.0.1])
    by mail8.networktest.com (mail8.networktest.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 9syhSUldOSii for <user@example.com>;
    Thu, 29 Mar 2018 11:28:37 -0700 (PDT)
Received: from casserole.cassionicollection.com (casserole.cassionicollection.com [181.191.179.211])
    by mail8.networktest.com (Postfix) with ESMTPS id DD06E5E610F
    for <user@example.com>; Thu, 29 Mar 2018 11:28:25 -0700 (PDT)
Subject: 5Increase your night vision when driving
Message-ID: <tRR47.1but.mDPjRSW4yLHt2FbEo@casserole.cassionicollection.com>
To: user@example.com
MIME-Version: 1
Reply-To: increased.night.driving.vision@cassionicollection.com
From: Increased Night Driving Vision <increased.night.driving.vision@cassionicollection.com>
Content-Type: multipart/alternative; boundary="n3w-578--__-0HJD.948UJD-__--25"
Date: Thu, 29 Mar 2018 14:28:29 -0400

Sorry, same result as before -- the server still classifies low-scoring messages as spam. This is after

- setting spam_tag_level to 3;
- resetting the spam_subject_tag* fields to NULL; and
- restarting amavisd

I have pasted below an email classified as spam with an X-Spam-Score of 0.099. It also still shows "tagged_above=0".

Not sure if this is related, but I also could use some help understanding the relationship, if any, of the spam threshold in the iRedAdmin-Pro GUI (currently set to 6.0) and the values in the amavisd.policy table.

Thanks again.

Return-Path: <sender@example.net>
Delivered-To: user@example.com
Received: from mail8.networktest.com (localhost [127.0.0.1])
    by mail8.networktest.com (Postfix) with ESMTP id 669805E6104
    for <user@example.com>; Sat, 31 Mar 2018 17:10:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at mail8.networktest.com
X-Spam-Flag: YES
X-Spam-Score: 0.099
X-Spam-Level:
X-Spam-Status: Yes, score=0.099 tagged_above=0 required=0 tests=[BAYES_50=0.8,
    DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7,
    SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail8.networktest.com (amavisd-new);
    dkim=pass (2048-bit key) header.d=messagingengine.com

OK, with debug enabled, here's a message tagged as spam with a score of 2.392 (set to 6.0 in iRedAdmin-Pro and 3.0 in MySQL amavisd policy.spam_tag_level. I've pasted the headers below and relevant parts from maillog here:

https://pastebin.com/BSijAQa5

Please let me know if you need anything else.

Return-Path: <annie.from.thinkthin@factthound.com>
Delivered-To: user@example.com
Received: from mail8.example.com (localhost [127.0.0.1])
    by mail8.example.com (Postfix) with ESMTP id F0E435E640B
    for <user@example.com>; Tue,  3 Apr 2018 09:54:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at mail8.example.com
X-Spam-Flag: YES
X-Spam-Score: 2.392
X-Spam-Level: **
X-Spam-Status: Yes, score=2.392 tagged_above=0 required=0 tests=[BAYES_50=0.8,
    HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001,
    RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-1.418, SPF_HELO_PASS=-0.001,
    SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_DBL_SPAM=2.5]
    autolearn=no autolearn_force=no
Received: from mail8.example.com ([127.0.0.1])
    by mail8.example.com (mail8.example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id b9m5dAGPcEmD for <user@example.com>;
    Tue,  3 Apr 2018 09:54:30 -0700 (PDT)
Received: from tower.factthound.com (tower.factthound.com [67.214.168.200])
    by mail8.example.com (Postfix) with ESMTPS id 709FF5E640A
    for <user@example.com>; Tue,  3 Apr 2018 09:53:27 -0700 (PDT)
To: user@example.com

You replied nearly 2 months later ... i have to recheck all posts in this thread, this is a pain.

Pasted log was filtered with 'grep', it's useless because it may hide something important for troubleshooting. Please paste FULL log.

Also, seems you just turn on debug for SpamAssassin, we need debug mode for Amavisd itself:
https://docs.iredmail.org/debug.amavisd.html

We just need the log lines related to your testing email, do not send the whole log file, it's too much work for me to find which log lines are related to the testing email.

No worries -- I know (and very much appreciate!) how hard you work to make iRedMail a great product.

Also, that last problem about no amavisd logging might be my fault. For temporary troubleshooting, I added something in amavisd.conf to log to /var/log/amavisd.conf instead, and touched that log file. BUT I didn't change ownership to the vscan user, so it remained a zero-length file for all these weeks.

Deleted that bit and restarted the amavisd service, and it looks like there is now amavisd debug info in maillog.

Waiting now for the next false positive, and will send you a link to a sanitized, complete maillog, as well as the message headers.

Thanks again!

Weird that no Amavisd debug log (but has SA debug log). We need Amavisd debug log for troubleshooting, not SA debug log.