1

Topic: Too much spam coming through

Hi,

I set up iRedMail roughly a week ago and changed one of my older domains, which receives a fair amount of spam, to go to the new mailserver.
While the overall solution is working very well, I have the impression that too much spam is getting through.
So far I received roughly 500 e-mails and around 100 are spam and not marked as such. (This is 20% of SPAM not being recognized, which is actually very high in my opinion).

I tracked the SPAM detection level for a fair amount of these unreported spam mails and they vary from 2.5 to 5.5.
Based on the current amavis config it looks like the iRedMail defaults add the ***SPAM*** header starting from a detection level of 6.2.

While it is very clear to me how I can change that level and get some of the mails marked correctly, I can and won't reduce that too much, as I want to avoid too many false-positive reports.

I think my initial question is, how can mails which contain very obvious words like suc*, dic*, blow (and versions of that in German language) pass the spam scanner with such a low score.

I ran sa-update manually in verbose mode and can confirm that I have the latest version of the rules installed.

Any help and/or feedback would be highly appreciated.


2

Re: Too much spam coming through

White wrote:

I think my initial question is, how can mails which contain very obvious words like suc*, dic*, blow (and versions of that in German language) pass the spam scanner with such a low score.

Scores are defined in SpamAssassin rules, you can change it.

3

Re: Too much spam coming through

Which is the correct path/file to change this rule for all accounts?

Tks
Anderson

4

Re: Too much spam coming through

I think you should also enable blacklists like Spamcop, CBL and SpamHaus, maybe also SPF checking at delivery time. I have done so and around 40% of spam gets rejected only because of these (according to Logwatch report at least). Almost no false positives.

5 (edited by awehmuth 2010-08-30 09:44:18)

Re: Too much spam coming through

awehmuth wrote:

Which is the correct path/file to change this rule for all accounts?

Tks
Anderson

Found it!

/etc/amavis/conf.d
20-debian_defaults
$sa_tag_level_deflt  = 1.0;  # add spam info headers if at, or above that level
$sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
$sa_kill_level_deflt = 10.0; # triggers spam evasive actions
$sa_dsn_cutoff_level = 10;   # spam level beyond which a DSN is not sent

50-user
# Set default action.
# Available actions: D_PASS, D_BOUNCE, D_REJECT, D_DISCARD.
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_DISCARD;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_PASS;

Works fine for me!

6

Re: Too much spam coming through

You can define them in 50-user, it will override settings defined in other files.
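
An added example, not part of the original thread: before lowering $sa_tag2_level_deflt in 50-user, the trade-off raised in the first post (missed spam scoring 2.5 to 5.5 against the risk of false positives) can be measured on a hand-labelled set of delivered mail. The sketch assumes amavisd-new wrote an X-Spam-Status header containing score=N (hits=N on older versions); the sample messages and the hdr() helper are constructed for illustration.

```python
import email
import re

SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

def score_of(raw):
    """Return the spam score from X-Spam-Status, or None if the mail was not scanned."""
    msg = email.message_from_string(raw)
    m = SCORE_RE.search(msg.get("X-Spam-Status", ""))
    return float(m.group(1)) if m else None

def sweep(samples, levels):
    """For each candidate tag2 level: (level, spam left untagged, ham wrongly tagged)."""
    scored = [(label, score_of(raw)) for label, raw in samples]
    scored = [(label, s) for label, s in scored if s is not None]
    rows = []
    for level in levels:
        # amavis tags a message as spam when its score is at or above the tag2 level
        missed = sum(1 for label, s in scored if label == "spam" and s < level)
        false_pos = sum(1 for label, s in scored if label == "ham" and s >= level)
        rows.append((level, missed, false_pos))
    return rows

def hdr(score, required=6.2):
    """Constructed message with a folded X-Spam-Status header (hypothetical helper)."""
    flag = "Yes" if score >= required else "No"
    return (f"X-Spam-Status: {flag}, score={score} tagged_above=1 required={required}\n"
            f"\ttests=[CONSTRUCTED=0]\n\nbody\n")

# Constructed sample set: the label is the human verdict, not the scanner's.
SAMPLES = (
    [("spam", hdr(s)) for s in (2.5, 3.8, 4.9, 5.5, 7.4)]
    + [("ham", hdr(s)) for s in (-1.9, 0.3, 4.1, 5.2)]
    + [("ham", "Subject: no scan header\n\nbody\n")]  # skipped: never scored
)

if __name__ == "__main__":
    for level, missed, false_pos in sweep(SAMPLES, [6.2, 5.0, 4.0, 3.0]):
        print(f"tag2={level:<4} missed spam={missed} false positives={false_pos}")
```

Run it over your own labelled mail and pick the lowest level whose false-positive count is still acceptable, then set that value in 50-user.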