Trouble Shooting Spam Score Changes

Revision as of 16:27, 8 October 2010 by Jhurley (talk | contribs) (Spam Score Changed After Migrating To A New System)

During an upgrade, Zimbra replaces the spam configuration files with the latest files released by SpamAssassin, so your spam scores could change. Any custom configuration in these files is also removed. We recommend making notes on all custom configuration.

How To Read Your Spam Scores

When a message triggers a policy, the result is reported in the X-Spam-Status: header. The following is an example of a message that received a score of 10.535, which exceeded the 6.6 threshold.

      X-Spam-Flag: YES 
      X-Spam-Score: 10.535 
      X-Spam-Level: ********** 
      X-Spam-Status: Yes, score=10.535 tagged_above=-10 required=6.6 
            tests=[BAYES_50=0.8, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001, 
            MSGID_MULTIPLE_AT=0.001, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, 
            RCVD_IN_RP_RNBL=1.31, RCVD_IN_SORBS_DUL=0.001,RDNS_NONE=0.793] autolearn=no


The X-Spam-Status header contains a section called tests. This section lists each test that the message triggered and the score that test applied. Adding all of the scores gives the total score. If the total exceeds the required score, the message is marked as spam. In the example above, the top four tests triggered by this message were DOS_OUTLOOK_TO_MX (score of 2.845), RCVD_IN_BRBL_LASTEXT (score of 1.449), RCVD_IN_PBL (score of 3.335) and RCVD_IN_RP_RNBL (score of 1.31), which together contribute 8.939.

The following link lists the rules that the spam engine can apply, along with their definitions:

      http://wiki.apache.org/spamassassin/Rules 

You will find the configuration files within:

      /opt/zimbra/conf/spamassassin 

Most of the scores are stored in 50_scores.cf.

How To Decrease Spam Score on Internal IP addresses

There is no way to exclude internal IP addresses from being scanned by the spam filter, but you can configure the system to lower the score to prevent false positives for trusted IP addresses.

Add the following line to the salocal.cf file, which you will find at /opt/zimbra/conf:

       %%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%

The line above uses the value of the zimbraMtaMyNetworks attribute configured on the server. To view the current value:

       zmprov getServer <server> zimbraMtaMyNetworks

The following is a copy of the default salocal.cf:

       # This is the right place to customize your installation of SpamAssassin.
       #
       # See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
       # tweaked.
       #
       ###########################################################################
       #
       # rewrite_header Subject *****SPAM*****
       # report_safe 1
       # trusted_networks 212.17.35.
       # lock_method flock
       
       header DSPAM_SPAM X-DSPAM-Result =~ /^Spam$/
       describe DSPAM_SPAM DSPAM claims it is spam
       score DSPAM_SPAM 1.5
       
       header DSPAM_HAM X-DSPAM-Result =~ /^Innocent$/
       describe DSPAM_HAM DSPAM claims it is ham
       score DSPAM_HAM -0.5
       
       %%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%
       %%uncomment VAR:zimbraMtaAntiSpamLockMethod%%lock_method %%zimbraMtaAntiSpamLockMethod%%
       
       rewrite_header Subject *SPAM* _STARS(*)_
       bayes_auto_learn 1
       bayes_min_spam_num 60
       bayes_min_ham_num 60
       clear_headers
       add_header spam Flag _YESNOCAPS_
       add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTS_ autolearn=_AUTOLEARN_ version=_VERSION_
       add_header all Level _STARS(*)_
       add_header all Checker-Version SpamAssassin _VERSION_ (_SUBVERSION_) on _HOSTNAME_


To change the default score for trusted networks, edit 50_scores.cf and change the ALL_TRUSTED score. You will find this configuration file in /opt/zimbra/conf/spamassassin/. SpamAssassin's default setting is -1; changing this to -6 should be sufficient.

Once you have made this change, restart the spam filter for the change to take effect.

      zmantispamctl restart

All new messages coming from the internal networks should include an ALL_TRUSTED=<value> entry, as shown below. If it is missing, verify the salocal.cf file.

      X-Spam-Status: No, score=-4.299 tagged_above=-10 required=6. 
           tests=[ALL_TRUSTED=-6, BAYES_50=0.8, DKIM_ADSP_NXDOMAIN=0.9,
           NO_DNS_FOR_FROM=0.001] autolearn=no
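
Both the reading of the tests section under "How To Read Your Spam Scores" and the ALL_TRUSTED check above can be scripted. The Python below is an added example, not part of the original page or of Zimbra or SpamAssassin; the function names `parse_spam_status`, `top_tests` and `check` are hypothetical, and the inputs are the two header samples from this page.

```python
import re

# X-Spam-Status values copied from the two samples on this page (unfolded).
SPAM_SAMPLE = (
    "Yes, score=10.535 tagged_above=-10 required=6.6 "
    "tests=[BAYES_50=0.8, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001, "
    "MSGID_MULTIPLE_AT=0.001, RCVD_IN_BRBL_LASTEXT=1.449, RCVD_IN_PBL=3.335, "
    "RCVD_IN_RP_RNBL=1.31, RCVD_IN_SORBS_DUL=0.001,RDNS_NONE=0.793] autolearn=no"
)
# "required=6." is reproduced exactly as it appears in the page's second sample.
TRUSTED_SAMPLE = (
    "No, score=-4.299 tagged_above=-10 required=6. "
    "tests=[ALL_TRUSTED=-6, BAYES_50=0.8, DKIM_ADSP_NXDOMAIN=0.9, "
    "NO_DNS_FOR_FROM=0.001] autolearn=no"
)
NUM = r"(-?\d+(?:\.\d*)?)"

def parse_spam_status(value):
    """Parse an X-Spam-Status value into verdict, score, threshold and tests."""
    value = re.sub(r"\s+", " ", value.strip())  # unfold continuation lines
    tests = {}
    body = re.search(r"tests=\[([^\]]*)\]", value)
    for item in (body.group(1).split(",") if body else []):
        name, _, points = item.strip().partition("=")
        if name and points:
            tests[name] = float(points)
    return {"spam": value.split(",", 1)[0].strip().lower() == "yes",
            "score": float(re.search(r"\bscore=" + NUM, value).group(1)),
            "required": float(re.search(r"\brequired=" + NUM, value).group(1)),
            "tests": tests}

def top_tests(status, n=4):
    """Return the n tests that added the most points, highest first."""
    return sorted(status["tests"].items(), key=lambda kv: kv[1], reverse=True)[:n]

def check(status):
    """Does the test sum match the score, and did ALL_TRUSTED fire?"""
    total = sum(status["tests"].values())
    return {"sum_matches_score": abs(total - status["score"]) < 0.0005,
            "over_threshold": status["score"] >= status["required"],
            "all_trusted": status["tests"].get("ALL_TRUSTED")}

if __name__ == "__main__":
    for raw in (SPAM_SAMPLE, TRUSTED_SAMPLE):
        status = parse_spam_status(raw)
        print(status["score"], top_tests(status), check(status))
```

If `all_trusted` is `None` for mail sent from an internal host, the trusted_networks line in salocal.cf is the first thing to re-check.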

Spam Score Changed After Migrating To A New System

When migrating from one server to another, the SA files are not migrated. To restore the old catch rate, you can copy the files within the following two directories from the old ZCS system to the new one. This step is only valid when the amavis/SA versions are the same. As a precautionary step, we recommend backing up the files on the new system in case the files from the old system don't work.

      /opt/zimbra/amavisd/.spamassassin/init
        bayes_seen
        bayes_toks

      /opt/zimbra/data/amavisd/.spamassassin
        auto-whitelist
        auto-whitelist.mutex
        bayes.mutex
        bayes_journal
        bayes_seen
        bayes_toks