Spam mails getting through

Posted: 01 Aug 2017 22:34
by pipjo
I've noticed that mails I mark as Spam are still being delivered if they are sent again. Is there anywhere I can check:
That the mails I mark as Spam are being recorded so that future mails will be flagged?
Why these mails are still getting through.

Thanks

PJ

Re: Spam mails getting through

Posted: 02 Aug 2017 04:53
by pdwalker
The "mark as spam" trains the bayes spam classifier, which should help push up the spam score. Over time, as the bayes filter learns what you think is spam, the spam score of those messages will increase, hopefully to the point where it is marked as "high spam" and then no longer gets delivered.

Can you give an example of a SpamAssassin spam report from one of these messages that is getting through? Spam reports are essential to understanding why a message is getting delivered when it should not.

Re: Spam mails getting through

Posted: 02 Aug 2017 05:39
by pipjo
How do I get the Spam Report?

Re: Spam mails getting through

Posted: 02 Aug 2017 05:59
by pdwalker
Go to the EFA web interface (mailscanner/status.php or /mailscanner/rep_message_listing.php or /mailscanner/rep_message_ops.php).

Find one of the messages that you are unhappy with.

On the left side is the # column and the blue circle with the letter "i" in the middle. Click on it.

That brings up the message details page. Scroll down until you see the lines "SpamAssassin Score" and "Spam Report". It looks like the following:
[Screenshot: Screen-Shot-2017-08-02-at-13.55a.png]
and post that information.

In the above report, my bayes filters are almost certain this is junk (3 9's). I think I also increased the weight of my bayes filter at the top end of the confidence range.

Re: Spam mails getting through

Posted: 02 Aug 2017 15:21
by pipjo
Screen shot below. There are no Bayes values displayed so I'm guessing that could be part of the problem. Also I have noticed when flagging a mail as SPAM the following comes up before the EFA page, not sure if this is relevant:
Learned tokens from 0 message(s) (1 message(s) examined)
[Image]

Thanks

PJ

Re: Spam mails getting through

Posted: 02 Aug 2017 21:26
by shawniverson
Yeah, something is wrong with bayes. It appears it isn't learning or examining mails :think:

Re: Spam mails getting through

Posted: 02 Aug 2017 21:31
by pipjo
Is it possible that there is a setting to enable it that I have missed?

Re: Spam mails getting through

Posted: 02 Aug 2017 22:15
by shawniverson
It is supposed to be enabled by default, which concerns me. We need to troubleshoot. I think worst case you may need to clear the bayes database...

Re: Spam mails getting through

Posted: 02 Aug 2017 23:16
by pipjo
Resetting the Bayes DB wouldn't be a problem as the install is only a month or so old.

As for troubleshooting, are there any logs I could look through?

Re: Spam mails getting through

Posted: 03 Aug 2017 00:06
by pipjo
Also, is this any use?

[Image]

Re: Spam mails getting through

Posted: 03 Aug 2017 00:17
by shawniverson
Yeah that doesn't look right, just a month old? Check out the oldest token.

I would advise clearing it, feeding it new spam/ham, and seeing if you start getting hits.

Re: Spam mails getting through

Posted: 03 Aug 2017 03:33
by pipjo
Will do. I'll report back in a couple of days.

Thanks

Re: Spam mails getting through

Posted: 03 Aug 2017 10:15
by henk
Try feeding it (bayes) some spam. :idea:

I couldn't find any settings regarding the bayes corpus in EFA, so it will be default settings.

bayes_min_ham_num (Default: 200)
bayes_min_spam_num (Default: 200)
To be accurate, the Bayes system does not activate until a certain number of ham (non-spam) and spam have been learned. The default is 200 of each ham and spam, but you can tune these up or down with these two settings.

Just run spamassassin --lint -D and check if you find the message below.

dbg: bayes: corpus size: nspam = 13, nham = 511 <---------------
Probably because your corpus is still too small.

or

sa-learn --dump magic|grep token

About the oldest token (2003 date):
bayes_auto_expire (default: 1)
If enabled, the Bayes system will try to automatically expire old tokens from the database. Auto-expiry occurs when the number of tokens in the database surpasses the bayes_expiry_max_db_size value.
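
Added example, not part of the original posts: a shell function that reads `sa-learn --dump magic` output and reports whether the corpus has reached the bayes_min_spam_num / bayes_min_ham_num thresholds quoted above, and whether the oldest token predates a given install date. The function name `bayes_status`, the sample dump and the install epoch are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `sa-learn --dump magic` output (not from a real server).
# Columns: probability, spam count, ham count, atime, token; for the
# "non-token data" lines the value of interest is in column 3.
SAMPLE_DUMP='0.000          0          3          0  non-token data: bayes db version
0.000          0         13          0  non-token data: nspam
0.000          0        511          0  non-token data: nham
0.000          0      48210          0  non-token data: ntokens
0.000          0 1059696000          0  non-token data: oldest atime
0.000          0 1501718400          0  non-token data: newest atime'

# bayes_status [min_spam] [min_ham] [install_epoch]
# Reads a magic dump on stdin and prints a one-line summary.
# min_spam / min_ham default to 200, the defaults quoted in the thread.
# install_epoch is optional: if the oldest token is older than it, the
# database holds tokens that this install cannot have learned itself.
bayes_status() {
    min_spam=${1:-200}
    min_ham=${2:-200}
    install_epoch=${3:-}
    awk -v ms="$min_spam" -v mh="$min_ham" -v inst="$install_epoch" '
        /non-token data: nspam/        { nspam  = $3 }
        /non-token data: nham/         { nham   = $3 }
        /non-token data: oldest atime/ { oldest = $3 }
        END {
            if (nspam == "" || nham == "") {
                print "error: nspam/nham not found"
                exit
            }
            # Bayes only scores mail once BOTH counts reach their minimum.
            state = (nspam + 0 >= ms + 0 && nham + 0 >= mh + 0) ? "active" : "inactive"
            out = sprintf("nspam=%d nham=%d bayes=%s", nspam, nham, state)
            if (inst != "" && oldest != "" && oldest + 0 < inst + 0)
                out = out " oldest_token_predates_install=yes"
            print out
        }'
}

# Demo on the constructed sample; 1498867200 is a constructed install date
# (2017-07-01 UTC). On a real host: sa-learn --dump magic | bayes_status
printf '%s\n' "$SAMPLE_DUMP" | bayes_status 200 200 1498867200
```
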

Re: Spam mails getting through

Posted: 03 Aug 2017 11:15
by pipjo
That all makes sense.
Are there any ways to feed Bayes spam other than by receiving it?

Re: Spam mails getting through

Posted: 03 Aug 2017 11:59
by henk
The fast way is to restore the bayes db from a backup, but as I understand you do not have a backup from a previous (EFA) version.

1) sa-learn --backup > backup.txt

2) sa-learn --clear (this is optional, but good to do to clear out the old database)

3) Once you have backed up all databases you can update your configuration for the new database backend. This will involve at least the bayes_store_module config option and may involve some additional config options depending on what is required by the module.

4) For each backed up database run: sa-learn --restore backup.txt

The other way is to feed spam into bayes with mail already classified as spam. See the man pages.

The option I would use in your case is to create a temp fake mail account and start using it.
Sign in to various sites, leaving this fake account as the email address. When you reach the spam limit for bayes (> 200), delete the fake account.

Take some time to train the bayes db. It's worth the time.

Just take a look at: viewtopic.php?f=5&t=2400

Re: Spam mails getting through

Posted: 08 Aug 2017 10:32
by ovizii
Just wanted to add that I often see:

Learned tokens from 0 message(s) (1 message(s) examined)
That usually happens when the email didn't have anything new to add to Bayes, apparently?

Re: Spam mails getting through

Posted: 08 Aug 2017 14:06
by pipjo
Thanks everyone for your suggestions. I'm rebuilding the DB (slowly) and will update once I pass 200.