The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

New high rate of false positives in Mailscanner?

Discussion in 'cPanel Developers' started by dory36, May 16, 2007.

  1. dory36

    dory36 Well-Known Member

    Joined:
    Aug 30, 2003
    Messages:
    179
    Likes Received:
    0
    Trophy Points:
    16
    Over the past week or two I have been getting a lot of false alarms on mail that had been handled fine for many months. By "a lot" I mean maybe a dozen a day, versus about 1 a week until recently.

    Bayes seems to be to blame for many, but not all.

    I have seen before, but can't find now, info on rebuilding the bayes database. Any pointers, or other suggestions?
     
  2. graham_w

    graham_w Well-Known Member

    Joined:
    May 25, 2004
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    I too noticed an increase, and the those emails had Bayes_99 scoring, which scored those particular emails at 5 and marked them as Spam. I went looking for a way to rebuild the Bayes database but couldn't find it. So I disabled Bayes checking until I had some spare time to look into it further. It's stopped the false positives, and seems to be catching all the Spam without it, so I may leave it disabled. From what i've read Bayes adds a load to the server when checking.
     
  3. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Same for me, same cause. Seems more prominent in one domain, but it is a busy domain with a lot of users.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's due to new rules included in the base set for SpamAssassin v3.2.0. Left running they can disrupt the bayesian database and you see an increase in false-positives. You can either:

    1. Do as graham_w suggests and disable bayes, though this can be a very useful resource

    2. Increase the default low scoring spam value, though that could allow through more flase-negatives

    3. Hunt down the rules causing the problems from the false-positive email headers and adjust their scores in a custom SA ruleset in /etc/mail/spamassassin/
     
  5. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Here's one that's typical of some of the false positives I've been getting.

    cached not
    score=9.592
    8 required
    5.00 BAYES_99 Bayesian spam probability is 99 to 100%
    3.20 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
    0.00 HTML_MESSAGE HTML included in message
    1.40 MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars
    -0.00 SPF_PASS SPF: sender matches SPF record

    ... hard to know what to adjust. Other than the the BAYES_99 the bulk of the score is because of the from address which is not that odd of an address, mstrbjngls@ ... the message itself is pretty normal stuff
     
  6. sct1061

    sct1061 Registered

    Joined:
    Mar 24, 2004
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    UK
    I would just add the following to what chirpy has suggested:

    4. If it seems that your bayes database has been "poisoned" by the increase in false positives, remove the bayesian database and start over. Depending on your email traffic, it may take a few days before bayes has enough spam and non-spam tokens to start scoring email again (I think it needs 200 of each before it starts working). To wipe out the bayesian db, do the following:

    rm -Rvf /var/spool/mqueue/.spamassassin
     
Loading...
Similar Threads - high rate false
  1. Stephen Wilkey
    Replies:
    3
    Views:
    244
  2. sparek-3
    Replies:
    2
    Views:
    395

Share This Page