[Mimedefang] poor performance from SA

Gary Funck gary at intrepid.com
Sun Jan 15 11:37:41 EST 2006



> -----Original Message-----
> From: ms at interspace.net
> Sent: Wednesday, January 11, 2006 6:51 AM
>
> I'm fed up with SA !
> Spam gets through no matter what i do :-(
> and  ham is blocked.... (well not all ham, but even one is
> sometimes too much)

Unfortunately, this is the nature of the beast.  "False positives",
where ham is classified as spam, are the worst, but do occur.  Similarly
some spam gets through.  You can improve the situation by taking
various steps such as: (1) raising the spam threshold, (2) implementing
manual whitelists and blacklists, (3) using various black list name
servers, (4) Adding custom rules such as those at
http://www.rulesemporium.com/index.html, and (5) greylisting.
Personally, I don't like tweaking the overall spam threshold as
mentioned in (1), above, but prefer to decrease the score on certain rules
that seem to trigger false positives, and to increase the score
for rules that seem good at detecting spam. I've also strayed away from
using Bayes, because I found it difficult to maintain and manage and
have had decent luck using the other techniques.

One thing that can be done when you initially set up Spamassassin
is to make sure you have trusted_networks set correctly and then
add a bunch of whitelist_from_rcvd rules for hosts that send promotional
literature that you want to accept, so it won't get scored as spam.
You can also ask your boss, the CEO, and executive staff to go through
their inboxes and give you a list of from addresses of customers and
friends that they want to accept mail from and add those to your SA
whitelist rules.  This is a bit ad hoc, but increases the chances that
SA performs well (at least at first. <g>) and ensures that much of the
important mail will make it through.  There might be better,
more elaborate, mechanisms that can be applied, but for a small system,
this sort of "personal touch" approach is manageable.

Whatever changes you make, do them incrementally.  Make sure they're
having the desired effect before moving on to the next one.  Also,
_always_ remember to restart the various daemons involved (i.e. mimedefang
and/or sendmail), after making changes.

As others have mentioned, if you want something quicker, turnkey,
with support try CanIT: http://www.roaringpenguin.com/


> My boss got MAD because he was expecting a mail from some client...so i
> checked the logs...mail.log of course, i saw the usual from=<bla>...Milter
> add: header: X-Scanned-By: MIMEDefang 2.54 on x.x.x.x , to=<bla> stat=Sent
> BUT the mail was gone!! nowhere to be found!!
> not in the mailbox (/var/spool/mail/Xbox) not in spamdrop nowhere!!

You'll need to provide us with the mail log entries if you want help
on that.  Suffice it to say it is highly unlikely that the mail was
dropped.  It is more likely that a follow-on delivery/filtering program
such as procmail refiled the mail somewhere you're not looking.  It is
also possible that Mimedefang quarantined the mail for some reason.  By
looking at all the log messages you should be able to clear that up.

> i'm going crazy!
> so i whitelisted the origin domain and it worked...i started getting the
> emails...
> What am i doing wrong???!!!???

It isn't bad to whitelist important domains, but try doing it using
trusted_networks and whitelist_from_rcvd, to avoid spoofing.

What is bad is not first understanding the cause of the problem (lost mail)
before shooting from the hip to "fix" it.  When some other domain comes in,
and has its mail "lost", you're still at square one on that one.

>
> Details (i know you want them...):
> OS: debian sarge 3.1a
> Sendmail 8.13.4 + mimedefang 2.54 + SA 3.0.3 + clamav
>
> What else? did i forget anything?

If you want help, you'd need to provide:
1. all log entries for the problem mail (hint: grep on the mail queue id)
   and submit them here.
2. provide your mimedefang-filter either as an attachment or via URL.
3. provide the output of 'mimedefang.pl -features' as an attachment or
   via URL.
4. provide your sendmail.mc file either as an attachment or via URL.
5. you need to understand if you're using procmail for mail delivery and
   if it has any default or custom filters in place.  If you are using
   procmail, consider turning on logging (LOGABSTRACT=on) for each user,
   at least for now, but keep in mind the logfiles will keep growing,
   so you'll need a method to trim them back, if you keep logging
   turned on.
6. you should disable spamd if it is enabled
7. you should understand if you have other 'milters' (such as
   spamass-milter) installed and enabled that may be interacting with
   Mimedefang and disable them.

> From: ms at interspace.net
> Sent: Thursday, January 12, 2006 1:55 AM
>
> I have upgraded to SA 3.1 but i get strange actions...

I would _not_ have upgraded SA until I understood what problems I expected
it to fix.  You've just introduced new variables.

BTW, as you upgrade to newer versions of SA (and Mimedefang) you increase
the need to make sure that you have the latest versions of the Perl
interpreter and related packages, because there may be unknown hidden
dependencies.

> I think that the SA is now checked before mimedefang filters and skips
> other filters...(but i'm not 100% sure about that? how can i check?)
>

If SA is checked before Mimedefang, it can likely only be because
you inadvertently installed other "milters", such as spamass-milter.

Given the problems you're seeing, the only way you can get help here
is to post a few representative mail log sequences (by grep-ing on
the queue id), and by posting your mimedefang-filter, and other
info. mentioned above, either as an attachment, or via a URL,
so that others can review it.

> I stop about 1000 spam mail per day and get about 3000 legit mail per
> day (some of it SPAM!!).

You're doing better than the rest of us ... we generally see 2x more spam
messages than ham.  I would guess that our false positive rate (ham
misclassified as spam) is less than 0.1%, and false negative rate
(spam misclassified as ham) is roughly 0.3%.  We think that is about as
good as it is going to get.  We find that most of the false positives are
glitzy marketing mail, so don't sweat that too much.  Still, 0.1% is 1 in
1000, which means that it will occasionally have a negative impact.

> I noticed another very annoying problem that I posted before but could NOT
> resolve it here...which is GOOD email with spam score less than 5 end-up
> in spamdrop instead of delivered to user mailbox!!!!!
> and checking the headers it says:
> [quote]
> X-Spam-Status: No, score=3.1 required=5.0 tests=DATE_IN_FUTURE_96_XX,
>         MSGID_FROM_MTA_ID autolearn=no version=3.0.3
> [end quote]
> this was from the spamdrop mailbox!! why is it there if the spam-status
> is NO ???

Based upon what you've said, it sounds like you may have a follow-on
filter program such as procmail that is mishandling or misfiling the mail.

Which program actually delivers mail to "spamdrop"?  It likely is _not_
Mimedefang.  It very likely is procmail, or a similar mail filtering
program.

>
> HELP!!!

You'll need to provide more (specific) info.
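
Added example, not part of the original message: the "grep on the mail queue id" step requested above, as a small Python script that gathers every log line for one queue id and reports where the MTA's record of the message ends. The log lines, hosts, addresses and queue ids are constructed, and trace() and next_step() are hypothetical helper names.

```python
import re

# Constructed sample of mail.log lines (sendmail with a milter); hosts,
# addresses and queue ids are made up for this example.
SAMPLE_LOG = """\
Jan 11 06:51:02 mx sendmail[2101]: k0BBp2aB002101: from=<client@example.com>, size=2345, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Jan 11 06:51:03 mx sendmail[2101]: k0BBp2aB002101: Milter add: header: X-Scanned-By: MIMEDefang 2.54 on 192.0.2.1
Jan 11 06:51:04 mx sendmail[2107]: k0BBp2aB002101: to=<boss@example.org>, delay=00:00:02, mailer=local, pri=32345, dsn=2.0.0, stat=Sent
Jan 11 06:52:10 mx sendmail[2150]: k0BBq9cD002150: from=<other@example.net>, size=900, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]
Jan 11 06:52:11 mx sendmail[2150]: k0BBq9cD002150: Milter: data, reject=554 5.7.1 Message rejected
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>[^\[\s:]+)(?:\[\d+\])?: "
                  r"(?P<qid>\w+): (?P<msg>.*)$")
FIELD = re.compile(r"(\w+)=(<[^>]*>|[^,]+)")


def trace(log_text, qid):
    """Equivalent of 'grep <qid> mail.log', plus a parse of the key fields."""
    out = {"lines": [], "sender": None, "relay": None, "milter": [], "deliveries": []}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["qid"] != qid:
            continue
        out["lines"].append(line)
        msg, fields = m["msg"], dict(FIELD.findall(m["msg"]))
        if msg.startswith("from="):
            out["sender"], out["relay"] = fields.get("from"), fields.get("relay")
        elif msg.startswith("Milter"):
            out["milter"].append(msg)
        elif msg.startswith("to="):
            out["deliveries"].append((fields.get("to"), fields.get("mailer"), fields.get("stat")))
    return out


def next_step(t):
    """Say where to look next, based only on what the MTA logged."""
    if any(re.search(r"\b(reject|discard)\b", m) for m in t["milter"]):
        return "milter refused the message: review mimedefang-filter"
    # stat=Sent with mailer=local: the local delivery agent took the message.
    if any(mlr == "local" and (st or "").startswith("Sent") for _, mlr, st in t["deliveries"]):
        return "handed to local delivery agent: check procmail rules and log"
    if not t["deliveries"]:
        return "no delivery attempt logged: check the queue"
    return "delivered or deferred off-host: read the stat= field"


if __name__ == "__main__":
    print(next_step(trace(SAMPLE_LOG, "k0BBp2aB002101")))
```

What the local delivery agent did after stat=Sent is not recorded in these lines, which is why the procmail log is the next place to look.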




