The Community Forums


SpamAssassin 3.4 - Improvement with updates rules?

Discussion in 'E-mail Discussions' started by lorio, Nov 12, 2014.

  1. lorio

    lorio Well-Known Member

    Since 3.4 I haven't seen any difference in SPAM volume. The outcry over the outdated version cPanel was using and the missing rule updates seem not to be the reason for the rising SPAM volume of the last month.

    Is there a difference in 3.4 when it comes to an upgrade vs. a new installation? The out-of-the-box installation seems to be ineffective for low-volume email servers.

    Wouldn't it be better to deactivate the Bayes part completely? I don't see an effective way to train server-wide.
    And the -1.9 BAYES_00 is silly when the rest of SpamAssassin's methods are showing it is SPAM.

    What is the way to go with many mail servers with low-level volume (1000-5000 mails per day)?

    Do cPanel dev/PM team members see room for improvement in terms of spam handling and Bayes? Or is that just a lazy admin problem?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Please see the following feature request:

    Update to SpamAssassin 3.4.0 | cPanel Feature Requests

    In particular, this comment:

    Thank you.
     
  3. lorio

    lorio Well-Known Member

    You answer too quickly. More and more they will think "Should I post an answer? Eh, Michael will answer it anyway".

    I have known this thread since I began participating in it two months ago. But the participation rate is staying low in terms of exchange (not in terms of "not working, help"). Facebook is sucking away the energy to communicate in forums. We see providers which don't post outages in their forum but only on Facebook and Twitter.

    But I have to admit, the comment you pointed out was no longer in my mind. So thanks for the hint.
     
  4. mtindor

    mtindor Well-Known Member

    To put things into perspective, on a cPanel installation (or a standalone box) things like DCC / Razor2 / Pyzor / iXhash are not installed. It used to be that the addition of those things really made a huge difference in spam detection versus a typical SpamAssassin install. Nowadays, even with DCC / Razor2 / Pyzor / iXhash functioning as well as the use of RBLs like Zen / Barracuda, the spam arrives often with spam scores in the 1.x range.

    I suspect part of what is going to need to be done is some manual massaging of spam scores for certain rules. If memory serves me correctly, SpamAssassin doesn't even come shipped with the proper DCC.pm module -- it's outdated. So even if you are going to use DCC, you're not using the latest DCC.pm. And you want the latest DCC and you want to configure it properly so that it reports back to the DCC servers when you have spam that is triggering your spam scores. The distributed options really do help out, although not so much these days it seems.

    What hurts [from the standpoint of SpamAssassin on a cPanel server for example] is that each user has their own Bayesian database, AWL [if you use it], etc. So a spam run could come in to 1000 of your email users, one spam per user, and it would not tilt heuristics in favor of the spam being spam, whereas if all accounts were using a central Bayesian database and DCC / Pyzor / Razor were acting upon one corpus of data instead of separate data for each user, the detection rates for spam would be quite a bit higher I believe.

    I have had SpamAssassin 3.4 installed on multiple standalone mail filtering boxes, and it made absolutely no appreciable difference in spam detection itself. The rules and methods used in 3.4 appear to be no more aggressive or effective than in previous versions. So nobody should get their hopes up that a simple change to SpamAssassin 3.4 will resolve their spam issues.

    I know ConfigServer's product uses a central Bayesian database, or at least I believe it does, which likely allows spam detection in that environment to be better. Of course they also use all of the distributed plugins that aren't installed by default on a cPanel box. That combination makes it more effective. With that said, I've heard reports that MailScanner users are experiencing similar issues with the increase in spam.

    Bottom line is that spammers make a lot of money and thus have the motivation and resources to stay one step ahead of the game. It has always been like that. Nowadays the spammers are (a) performing single short spam runs (usually of high volume) from particular IP space and then moving on to other IP space to spam from, (b) making sure that the IP space they are using doesn't have a bad reputation to begin with, (c) are using all of the authentication methods of today, such as DKIM, DomainKeys, SPF/SenderID, DMARC. So you find that the spam runs occur from particular IP space that is not blocked by any of the common RBLs (like Zen or Barracuda). By the time the RBLs add the IP space [if they even do], the spammers are no longer using that IP space to spam from or won't be using it again for days or weeks. They might keep that IP space and spam from it again days or weeks later, but they don't do it often enough to get into an RBL long term and they spam in short [but very effective] bursts when they do use the IP space in order to remain off of the RBLs.

    I really suspect the only way to fight this battle using generic free software like SpamAssassin is to use it in a distributed fashion [with all of the distributed mechanisms properly configured and reporting back to servers] as well as using a single Bayesian database instead of per-user ones and massaging default spam scores in key rules for things like DCC / Pyzor / Razor2.

    M
     
  5. kdean

    kdean Well-Known Member

    Just an FYI, after updating cPanel and SpamAssassin, I noticed that it moved my /etc/mail/spamassassin/local.cf customizations to /etc/mail/spamassassin/local.cf.rpmsave and placed a new local.cf without the customizations in its place. So I needed to add back my rule adjustments, plugins, etc.

    I just wanted to note that, since for anyone who has a lot of customizations it could make your spam detection worse after upgrading.
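
One way to spot the lost settings described in the post above, as an added example that is not part of the original thread: the script lists every directive that is in the saved `local.cf.rpmsave` but missing from the new `local.cf`, ignoring comments and whitespace differences. The sample file contents, the score values and the rule name `LOCAL_HASH_TAG` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report SpamAssassin directives present in a saved
# local.cf.rpmsave but absent from the local.cf that replaced it.

# Strip comments (a "#" not escaped as "\#"), collapse whitespace,
# drop empty lines, then sort so the two files can be compared.
normalize_cf() {
    sed -e 's/^#.*$//' -e 's/\([^\\]\)#.*$/\1/' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# Print every directive that is in $1 (old file) but not in $2 (new file).
lost_directives() {
    old_n=$(mktemp) || return 2
    new_n=$(mktemp) || return 2
    normalize_cf "$1" > "$old_n"
    normalize_cf "$2" > "$new_n"
    LC_ALL=C comm -23 "$old_n" "$new_n"
    rm -f "$old_n" "$new_n"
}

# Constructed sample files standing in for the two paths from the post.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/local.cf.rpmsave" <<'EOF'
# constructed sample: a customised local.cf
required_score 5.0
score BAYES_00 -0.5        # constructed override of the -1.9 default
score RAZOR2_CHECK   2.5
loadplugin Mail::SpamAssassin::Plugin::DCC
body LOCAL_HASH_TAG /\#winner/
EOF
    cat > "$dir/local.cf" <<'EOF'
# constructed sample: the fresh file left by the update
required_score   5.0
EOF
    lost_directives "$dir/local.cf.rpmsave" "$dir/local.cf"
    rm -rf "$dir"
}

# With two arguments compare real files, otherwise run the sample.
if [ "$#" -eq 2 ]; then lost_directives "$1" "$2"; else demo; fi
```

Called with two paths, such as the two files named in the post, it compares those instead of the sample.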
     