Sa-learn -- per user or server-wide?

ncrossland

Member
Sep 23, 2003
In an effort to improve SpamAssassin's detection rates, I've been feeding sa-learn with spam it has missed. I'm doing this as root via SSH.

I know that SA stores some data on a per-user basis (such as the auto-whitelist), so will whatever SA learns from these messages only be applied to mail coming to root, or will the learning be used across all accounts?
 

bigj

Well-Known Member
Aug 9, 2003
Tucson,AZ
It's global. Feeding it helps a bit. I frequently implement custom filters in /etc/antivirus.exim when I see unique patterns in subject lines and 'from' addresses that SpamAssassin won't catch.

One thing I've noticed is that Exim doesn't look at the 'from' address and validate it for valid characters. For example, a message comes in from Tanganyika'[email protected].

Exim won't reject the message, though it should, since there is a single quote in the address. I've received almost 10K of these in a month, so I used the filter set to block anything that has a single quote in the from address.

I'm sure there is a setting in Exim to catch this, but I hate reading their documentation and I knew how to set up the filters. A bit OT, I know, but I had to complain about it :)

--
bigj
 

ncrossland

Member
Sep 23, 2003
Thanks. I recently had loads with apostrophes in them too. Can you give an example of the filter file you use?

Another one recently was "Windows Vista is ready to download" - thousands of them!
 

bigj

Well-Known Member
Aug 9, 2003
Tucson,AZ
The first thing you'll need to do is make sure that in /etc/exim.conf you have a line that looks similar to this:

#!!# message_filter renamed system_filter
system_filter = /etc/antivirus.exim


I believe the first line was already in there and I only had to add the second line. One warning: if you upgrade Exim or make additional changes through the Exim configuration in cPanel, you'll lose the above information if it wasn't already in there. To make it permanent you'll need to place those changes in /etc/exim.conf.dist. The reason I'm not suggesting you write the changes immediately to the dist one is so you have a backup to roll back to in case you have a problem.

Second thing to do is open up /etc/antivirus.exim and insert something similar to this:

logfile /var/log/filter.log 0644
if
    $header_subject: contains "it's me" or
    $header_subject: contains "Greetings" or
    $header_subject: contains "advice" or
    $header_subject: contains "FINANCIAL REPORT" or
    $header_subject: contains "Alert !" or
    $header_from: contains "'" or
    $header_subject: contains "check this"
then
    logwrite "$tod_log $message_id from $sender_address contained spam keywords"
    seen finish
endif



A lot of this was taken from here: http://www.webhostgear.com/338.html. It's a decent reference and worth bookmarking.

Here's a warning, though. Be very careful what you filter on. Some of mine in the past were filtering on things like "fwd:", which we both know could catch legit email. I did a search in my MailScanner reporting and determined that nothing but spam had been coming in with that for the past 7 days, so I felt OK using it for a day or two. I have since removed it.

Good luck and let me know if you need anything else.

--
bigj
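The post above recommends checking a rule against recent mail before enabling it, because `seen finish` in a system filter discards every matching message with no bounce and no delivery. The script below is an added example, not code from this thread, cPanel or Exim: it transcribes the filter's "header contains substring" rules into Python and dry-runs them over a small labelled corpus, reporting which rules would also have eaten legitimate mail and which spam no rule catches (the part best left to sa-learn). The function names (`dry_run`, `risky_rules`, `unmatched_spam`) and the sample messages are constructed for the example; the matching is case-insensitive, so adjust it to whichever form of Exim's `contains` operator you actually use. One caveat worth knowing before copying the apostrophe rule: RFC 5322 permits `'` in the local part of an address (it is in `atext`), so `o'brien@example.com` is a valid sender and that rule is a heuristic, not a syntax check.

```python
"""Dry-run Exim system-filter keyword rules against saved spam and ham.

Added example (not from the thread, cPanel or Exim). Re-implements the
'$header_x: contains "..."' checks of the filter in Python so a rule set can
be evaluated before it goes into /etc/antivirus.exim, where 'seen finish'
silently drops whatever matches.
"""
import email
from email.header import decode_header, make_header

# Rules transcribed from the filter in the post: (header name, substring).
FILTER_RULES = [
    ("subject", "it's me"),
    ("subject", "Greetings"),
    ("subject", "advice"),
    ("subject", "FINANCIAL REPORT"),
    ("subject", "Alert !"),
    ("from", "'"),
    ("subject", "check this"),
]

# The "fwd:" rule the poster tried and later removed, added as a candidate.
CANDIDATE_RULES = FILTER_RULES + [("subject", "fwd:")]

# Constructed sample messages (label, raw RFC 5322 text); none are real mail.
CORPUS = [
    ("spam", "From: Tanganyika'Jones <tj@example.net>\nSubject: it's me\n\nclick here\n"),
    ("spam", "From: offers@example.org\nSubject: FINANCIAL REPORT - check this\n\n...\n"),
    ("spam", "From: news@example.org\nSubject: Windows Vista is ready to download\n\n...\n"),
    ("ham", "From: Conor O'Brien <o'brien@example.com>\nSubject: Re: some advice on the new server\n\nthanks\n"),
    ("ham", "From: alice@example.com\nSubject: Fwd: meeting notes\n\nsee below\n"),
]


def header_text(msg, name):
    """Decoded header value, or '' if the header is absent (Exim's $header_x: is '' too)."""
    raw = msg.get(name)
    if raw is None:
        return ""
    return str(make_header(decode_header(raw)))  # undo RFC 2047 encoded words


def matching_rules(raw_message, rules=FILTER_RULES):
    """Rules that fire on one message. Case-insensitive substring match;
    switch to a plain 'in' to mirror a case-sensitive operator."""
    msg = email.message_from_string(raw_message)
    hits = []
    for header, needle in rules:
        if needle.lower() in header_text(msg, header).lower():
            hits.append((header, needle))
    return hits


def dry_run(corpus, rules):
    """Per-rule count of spam and ham messages the rule would have caught."""
    report = {rule: {"spam": 0, "ham": 0} for rule in rules}
    for label, raw in corpus:
        for rule in matching_rules(raw, rules):
            report[rule][label] += 1
    return report


def risky_rules(report):
    """Rules that hit at least one ham message: in the live filter they would drop it."""
    return [rule for rule, counts in report.items() if counts["ham"] > 0]


def unmatched_spam(corpus, rules):
    """Subjects of spam no rule catches: feed these to sa-learn instead of adding rules."""
    return [email.message_from_string(raw)["subject"]
            for label, raw in corpus
            if label == "spam" and not matching_rules(raw, rules)]


if __name__ == "__main__":
    report = dry_run(CORPUS, CANDIDATE_RULES)
    for rule, counts in report.items():
        print(f"{rule[0]:>7} contains {rule[1]!r:20} spam={counts['spam']} ham={counts['ham']}")
    print("rules that would drop ham:", risky_rules(report))
    print("spam no rule catches:", unmatched_spam(CORPUS, CANDIDATE_RULES))
```

Point `CORPUS` at real saved messages (for example the spam folder and a week of known-good mail) and any rule that shows up in `risky_rules` is one to narrow or leave out; on the constructed corpus both the `advice` and the apostrophe rule hit a legitimate reply from a user with an apostrophe in his address, and the "Windows Vista" spam from the thread is caught by nothing, which is exactly the case for sa-learn.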
 

bigj

Well-Known Member
Aug 9, 2003
Tucson,AZ
I'm using Chirpy's MailScanner setup (www.configserver.com), so there is an option to run a report on all items marked as spam. I then run through them periodically and mark them as spam in large chunks.

The stuff that makes it through to my mailbox I move to a folder called spam, and then run sa-learn on those as one large bundle every week or so.

--
bigj