New high rate of false positives in Mailscanner?

I too noticed an increase, and the those emails had Bayes_99 scoring, which scored those particular emails at 5 and marked them as Spam. I went looking for a way to rebuild the Bayes database but couldn't find it. So I disabled Bayes checking until I had some spare time to look into it further. It's stopped the false positives, and seems to be catching all the Spam without it, so I may leave it disabled. From what i've read Bayes adds a load to the server when checking.

 

Same for me, same cause. Seems more prominent in one domain, but it is a busy domain with a lot of users.

 

It's due to new rules included in the base set for SpamAssassin v3.2.0. Left running they can disrupt the bayesian database and you see an increase in false-positives. You can either:

1. Do as graham_w suggests and disable bayes, though this can be a very useful resource

2. Increase the default low scoring spam value, though that could allow through more flase-negatives

3. Hunt down the rules causing the problems from the false-positive email headers and adjust their scores in a custom SA ruleset in /etc/mail/spamassassin/

 

Here's one that's typical of some of the false positives I've been getting.

cached not
score=9.592
8 required
5.00 BAYES_99 Bayesian spam probability is 99 to 100%
3.20 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
0.00 HTML_MESSAGE HTML included in message
1.40 MIME_QP_LONG_LINE Quoted-printable line longer than 76 chars
-0.00 SPF_PASS SPF: sender matches SPF record

... hard to know what to adjust. Other than the the BAYES_99 the bulk of the score is because of the from address which is not that odd of an address, mstrbjngls@ ... the message itself is pretty normal stuff

 

I would just add the following to what chirpy has suggested:

4. If it seems that your bayes database has been "poisoned" by the increase in false positives, remove the bayesian database and start over. Depending on your email traffic, it may take a few days before bayes has enough spam and non-spam tokens to start scoring email again (I think it needs 200 of each before it starts working). To wipe out the bayesian db, do the following:

rm -Rvf /var/spool/mqueue/.spamassassin