SpamAssasin Tagging Valid Email Post-5.1 Upgrade

newmind · October 19, 2015, 12:10am

Hey all.

5.1 upgrade went seamlessly with exception of spam filtering.

For some reason every single email is tagged with “3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%”, which in our case either rejects the inbound message at SMTP level, or sends to the user’s spam folder due to our fairly agressive threshold defaults (5.0 and 4.0 respectively).

Disabled Bayes scanning as a tmp workaround, but would like to know what changed in 5.1 to cause all inbound email to be tagged with an additional 3.5 point spam score. Hopefully can get Bayes scanning working properly.

On the plus side, for a long time customers complained about getting too much spam. During the past week they’ve gotten no spam and a trickle of valid email :o

d2d4j · October 19, 2015, 1:34am

Hi newmind

I hope you don’t mind but I don’t use SA, we just set basic and leave to resellers to set as they need, or upgrade to enterprise mailers we run.

However, where are you setting your threshold defaults of 5 and 4. I think 5 is SMTP score threshold but I am not sure what 4 is set for.

Also, how have you set global bayes database

Many thanks

John

newmind · October 19, 2015, 2:12am

Thanks, I set smtp threshold and required_score via the control panel.

Likewise with Bayes, everything except required_score are boolean dropdown menus in the Spam settings page.

No idea what’s going on with Bayes incorrectly adding 3.5 points to every inbound email; seems to have occurred with upgrade to 5.1 as customer complaints started coming in this week WRT email problems.

d2d4j · October 19, 2015, 2:48am

Hi newmind

Many thanks

You could try, but at your own risk, sa_update -D from ssh to update rules set etc…

You may have to post here the header detail of one of the emails in full, which would help but please change any identifying detail

Many thanks

John

d2d4j · October 19, 2015, 3:03am

Hi newmind

Sorry, I meant to also state to restart SA from ssh service spamassasin restart of updating rules set

It might be an idea to restart anyway, just to make sure it is not using old version.

Many thanks

John

newmind · October 19, 2015, 6:03am

Thanks,

SA 3.4.1

I always update and restart SA on setting changes.

Here’s a valid email that got flagged prior to turning off Bayes scanning. The subject line is, “Testing Email” and the body is “Testing”. Sent from my Hotmail account (same when sending from Gmail account).

Spam detection software, running on the system “My Mail Server”,
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: Testing Testing […]

Content analysis details: (4.5 points, 4.2 required)

pts rule name description

3.5 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.0000]
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(sit1way[at]hotmail.com)
0.2 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.0000]
0.0 HTML_MESSAGE BODY: HTML included in message
-0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
[65.55.34.81 listed in wl.mailspike.net]
-0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 TVD_SPACE_RATIO No description available.

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam. If you wish to view
it, it may be safer to save it to a file and open it with an editor.

ForwardedMessage.eml
Subject:
Testing Email
From:
my name <me@hotmail.com>
Date:
10/19/2015 08:52 AM
To:
“me@domain.com” <me@domain.com>

Testing

[QUOTE=d2d4j;27906]Hi newmind

Sorry, I meant to also state to restart SA from ssh service spamassasin restart of updating rules set

It might be an idea to restart anyway, just to make sure it is not using old version.

Many thanks

John[/QUOTE]

d2d4j · October 19, 2015, 11:09am

Hi newmind

Many thanks, and as you say, 3.5 score is what’s pushing it over.

I did a little looking into this, and from what I gather, this score can fluctuate depending upon certain conditions, so I personally am thinking it is not fully connected with IW upgrade but rather a new learning curve in the upgraded SA.

I would change your default SMTP and score to 6,7 or 8, and turn it back on, allow time to pass for learning, then lower as needed, but check the number of ham/spam during this time.

I could be wrong though, so I apologise in advance and will still look into for myself, even though I do not use SA.

Hopefully, another user may post with any insight

Many thanks

John

d2d4j · October 20, 2015, 12:44am

Hi
Just thought I’d share this link for the differences to set levels for detecting spam.
It made quiet interesting reading and I came accross it whilst doing a little reading into SA, but it is not aimed at newmind (who would have a better understanding then myself over SA), just to help other users who may not fully understand the diffrence of lowering thresholds.
Many thanks
John
http://taint.org/2008/02/29/155648a.html