Is Spam Assassin negatively impacted by recent upgrades?

  • scampisi
    Junior Member
    • Aug 2006
    • 8

    Is Spam Assassin negatively impacted by recent upgrades?

    I am using Postini on certain of my accounts, but I am using Spam Assassin on almost all of them. I have noticed an incredible increase in SPAM over the past month or two on my accounts that are using Spam Assassin only and I was wondering if it was a result of the upgrade to my server, cpanel55, or if it was just an increase in less detectable spam. Anybody experiencing this?

    I noticed after the upgrades that any client that I had customized the Spam Assassin filter for (by changing the Spam score threshold only) had to be reset, but the recent increase in Spam had me wondering if there were some other changes that I need to make. I have set my score down as low as 3 on one of my accounts, but that is pretty scary. Has the "Scoring" system changed?

    I was just wondering if there were configuration changes that needed to be made. Thanks for any info anybody has.
  • AndrewT
    Administrator
    • Mar 2004
    • 3653

    #2
    SpamAssassin scanning itself has not changed and does not change between server upgrades.

    SA is nowhere near as effective at detecting and removing spam as Postini is. It never has been and never will be.

    You can look at the headers of each e-mail and see what score SA is giving the e-mail and you can then adjust your auto-delete via cPanel accordingly. You could even set it to delete with scores above 5 and for scores 2-5 to move to a different folder.


    • scampisi
      Junior Member
      • Aug 2006
      • 8

      #3
      When I was formally setting up SpamAssassin, I would have it rewrite the subject line and include the score assigned to each piece of mail. I would then determine which value to use as a threshold based on that information. I can't seem to find a way to rewrite the subject with the score any longer. I have also looked through the headers of the SPAM I am receiving and am unable to see any score assigned. I tried turning off my "auto delete" to see if that had an effect and it didn't. Here is a header from one of my recent spams. I have changed my email address to xxx@xxx.com for obvious reasons.


      From - Tue Feb 05 12:13:18 2008
      X-Account-Key: account3
      X-UIDL: UID7498-1162334523
      X-Mozilla-Status: 0001
      X-Mozilla-Status2: 00000000
      X-Mozilla-Keys:
      Return-path: <luigi@franceloisirs.com>
      Envelope-to: xxx@xxx.com
      Delivery-date: Tue, 05 Feb 2008 11:50:12 -0600
      Received: from exprod8mx208.postini.com ([64.18.3.108] helo=psmtp.com)
      by cpanel55.gzo.com with smtp (Exim 4.68)
      (envelope-from <luigi@franceloisirs.com>)
      id 1JMRvv-0007Kr-0D
      for xxx@xxx.com; Tue, 05 Feb 2008 11:50:11 -0600
      Received: from source ([72.45.98.189]) by exprod8mx208.postini.com ([64.18.7.14]) with SMTP;
      Tue, 05 Feb 2008 12:50:01 EST
      Message-ID: <000801c86830$05dcbee7$e0a68388@taicmab>
      From: "Exquisite Replica" <luigi@franceloisirs.com>
      To: "Replica Watches" <xxx@xxx.com>
      Subject: Watches
      Date: Tue, 05 Feb 2008 18:02:41 +0000
      MIME-Version: 1.0
      Content-Type: multipart/alternative;
      boundary="----=_NextPart_000_0005_01C86830.05D7DEEF"
      X-Priority: 3
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Outlook Express 6.00.2900.3138
      X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
      X-pstn-levels: (S: 0.00000/43.69844 CV:99.9000 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
      X-Antivirus: avast! (VPS 080204-0, 02/04/2008), Inbound message
      X-Antivirus-Status: Clean

      This is a multi-part message in MIME format.

      ------=_NextPart_000_0005_01C86830.05D7DEEF
      Content-Type: text/plain;
      charset="iso-8859-1"
      Content-Transfer-Encoding: quoted-printable


      • AndrewT
        Administrator
        • Mar 2004
        • 3653

        #4
        You do not have any easy control over the rewriting of subjects as cPanel removed this. Instead you will get ***SPAM*** if the score is 5 or higher.

        The headers that you've shown do not have SA data in them. Either the server got hit hard with e-mails and was unable to process them all at that particular moment or SA isn't enabled on the domain. Rather than delay e-mails it will deliver them without scoring them if they cannot immediately be scored.


        • scampisi
          Junior Member
          • Aug 2006
          • 8

          #5
          This is what my Spam Assassin screen looks like. (I have disabled "Auto Delete" to see if I get the SPAM message in the header and to see what impact it has on the amount of SPAM I'm receiving)

          ----------------------------------------

          SpamAssassin is currently Enabled.

          Filters

          Spam Auto Delete is Disabled

          You can automatically delete messages marked as spam. First set the number of hits required before mail is considered spam.

          (Note: 5 is the default setting. The higher the number, the more conservative the setting.)


          • AndrewT
            Administrator
            • Mar 2004
            • 3653

            #6
            If it is enabled then you should be able to check several of your e-mails and see that they do have Spam Assassin headers in them. Occasionally e-mails will get through without them as I noted above but for the most part they should be present.

            If you do not see the headers then please submit a ticket with the specific e-mail address in question and we can take a look at it.


            • jordi
              Junior Member
              • Dec 2007
              • 2

              #7
              I also have noticed an incredible increase in Spam over the past month using only SpamAssassin.


              • AndrewT
                Administrator
                • Mar 2004
                • 3653

                #8
                Spamming techniques are always changing. SpamAssassin, however, virtually does not. An adaptive filtering system, such as Postini's filtering, will always perform much better. If the spam poses that big of a problem for you, then you should consider it.

                You are also only seeing one side of the story. You do not see that the overall volume of e-mail (mainly spam) being processed has significantly increased nor do you see how much spam the server is actually blocking. A good 85% of the e-mails that we process are tagged as spam.

                One thing that you may want to try doing is lowering your auto-delete rule for SA in cPanel. The lower the score the more spam will be blocked however it is also possible for the server to start rejecting legitimate mail if the score is set too low. If you view the full headers of the spam e-mails that you are receiving, you will be able to see what score SA assigned to that particular e-mail. You can then adjust your auto-delete rule accordingly.

                Nothing has changed in the way that SA fundamentally scans e-mails. If anything, the catch rate has increased as we have added hardware upgrades to the SA server in the past few weeks so that it could keep up with very high spikes in incoming e-mail instead of passing a bunch of e-mails on without any scores at all.

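Added example, not part of the original thread or the host's tooling: a small Python check that separates the two cases discussed in posts #2, #4 and #8, mail that SpamAssassin never scored versus mail it scored under the threshold, and then applies the tiers suggested in post #2 (delete above 5, separate folder for 2-5). It assumes the server writes SpamAssassin's standard `X-Spam-Status` header; the function names and sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Standard X-Spam-Status value: "No, score=3.4 required=5.0 tests=..."
# (older SpamAssassin releases wrote "hits=" instead of "score=").
_SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

def sa_score(raw_message):
    """Return the SpamAssassin score, or None if the message carries no SA result."""
    status = message_from_string(raw_message).get("X-Spam-Status")
    if status is None:
        return None                      # delivered without being scanned
    match = _SCORE_RE.search(status)     # works on folded headers too
    return float(match.group(1)) if match else None

def triage(raw_message, delete_above=5.0, folder_from=2.0):
    """Classify one message using the thresholds from post #2 (assumed defaults)."""
    score = sa_score(raw_message)
    if score is None:
        return "unscored"
    if score > delete_above:
        return "delete"
    if score >= folder_from:
        return "spam-folder"
    return "inbox"

def summarize(messages, **thresholds):
    """Count outcomes for a mailbox sample; many 'unscored' points at scanning, not scoring."""
    return Counter(triage(m, **thresholds) for m in messages)

# Constructed sample messages (not taken from the thread).
UNSCORED = "Return-path: <sender@example.com>\nSubject: Watches\nX-Antivirus-Status: Clean\n\nbody\n"
LOW = ("Subject: Hello\nX-Spam-Status: No, score=3.4 required=5.0 tests=HTML_MESSAGE\n"
       "\tautolearn=no\n\nbody\n")
HIGH = "Subject: ***SPAM*** Watches\nX-Spam-Status: Yes, score=11.7 required=5.0 tests=BAYES_99\n\nbody\n"
HAM = "Subject: Invoice\nX-Spam-Status: No, score=-1.2 required=5.0 tests=none\n\nbody\n"

if __name__ == "__main__":
    for outcome, count in summarize([UNSCORED, LOW, HIGH, HAM]).items():
        print(f"{outcome}: {count}")
```

A sample dominated by `unscored` means lowering the auto-delete threshold will not help, because there is no score for the rule to act on.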

                • jordi
                  Junior Member
                  • Dec 2007
                  • 2

                  #9
                  Thanks for your reply Andrew. I will look at message headers in order to lower the spam score (if I can).


                  • ZYV
                    Senior Member
                    • Sep 2005
                    • 315

                    #10
                    You mean that after the upgrades, the SA server is blocking (tagging as SPAM) the same percentage of e-mails (said 85%), but the amount of SPAM has significantly increased, so, say, when I've been getting 100 messages per day and it was blocking 85% I've been getting 15 e-mails, now they send 200 mails so I get 30? Could you please provide some stats like you're doing every month for Postini?

                    P.S. I am using SA+Evo on my desktops. It's performing VERY well (blocking like 97%-98% of SPAM and not blocking legitimate mails at all), but it took some time to train it and the amount of SPAM increases every two weeks and decreases after a day of training.


                    • AndrewT
                      Administrator
                      • Mar 2004
                      • 3653

                      #11
                      Not quite.

                      I was referring to the hardware upgrades that the SA server underwent not too long ago. This is not to be confused with the shared hosting server upgrades. Prior to the SA server upgrades quite a few e-mails were getting through without being scored due to the SA server not being able to handle the volume of e-mail that was coming through during spikes. Now the SA server is not having any problems with keeping up.

                      I was just stating that in general, the volume of e-mail (most of which is spam) has increased. This is not caused by upgrades or anything of that nature, it just happens and as this trend continues there is more spam to fight with and more will inevitably get through.

                      The last time I ran any quick stats on the SA server, roughly 85% of all e-mails that it processed were marked as spam with a score of 5.0 or higher. That is certainly not to say that the other 15% were spam e-mails that simply got through. The vast majority of the remaining 15% are perfectly legitimate e-mails. The spam e-mails that get through might account for 2-3% of the total mail volume at most.

                      SA can be fairly effective when configuring it (from a server standpoint) for a single domain or even a small set of domains. But as you noted, even that takes quite a bit of continuous work to adapt it to your particular e-mail content. SA is just not something that you can set up and forget about.

                      We're running it for thousands of domains and because of this we have to err on the side of caution. We would much rather a couple of spam e-mails get through than to delete legitimate e-mails.

                      As far as providing monthly SA stats like the ones that I post for Postini, that simply isn't feasible nor is it worth the processing power. This would require us to parse hundreds of gigabytes worth of SA log files every month. The Postini stats are posted because their system generates them automatically and they are readily available to us.

                      When I recommend the Postini service it is not so that we can make some more money. We hardly make anything off of these accounts when it's all said and done. Postini enterprise accounts are not cheap. We offer the service simply because it is superb at what it does. For some, the spam is annoying enough to warrant the additional cost.

                      Postini is also one of those things that you really can just set up and forget about. Their filtering technology is always adapting to new threats.
