Spam Issue

essential_mix
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

Spam Issue

Post by essential_mix »

Hello!
I am not sure that my antispam system is working well. We get a lot of spam email. Users are trying to train the system, but this has not helped. I think the training system doesn't work. I have already checked all my configuration and can't find anything. Maybe you can help me. I would appreciate any answers.
This is what I have:
zmcontrol -v

Release 5.0.18_GA_3011.UBUNTU8 UBUNTU8 FOSS edition
zmlocalconfig | grep dspam

amavis_dspam_enabled = TRUE
more amavisd.conf.in | grep dspam

$path = '/opt/zimbra/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/dspam/bin';

$dspam = 'dspam';

%%uncomment LOCAL:amavis_dspam_enabled%%$dspam = '/opt/zimbra/dspam/bin/dspam';
more amavisd.conf | grep dspam

$path = '/opt/zimbra/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin:/opt/dspam/bin';

$dspam = 'dspam';

$dspam = '/opt/zimbra/dspam/bin/dspam';
Header from email:

X-DSPAM-Result: Innocent
X-DSPAM-Confidence: 0.6458
X-DSPAM-Probability: 0.3542
X-DSPAM-Signature: 51391c36240491266285387
X-DSPAM-Factors: 27,
X-Virus-Scanned: amavisd-new at mydomain.com
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Level:
X-Spam-Status: No, score=-0.601 tagged_above=-10 required=4 tests=[AWL=0.280,
 BAYES_00=-2.599, DSPAM_HAM=-0.5, SPF_PASS=-0.001,
 TVD_SPACE_RATIO=2.219]


Log from training:



Starting spamassassin training.

netset: cannot include x.x.x.x/16 as it has already been included

netset: cannot include a.a.a.a/32 as it has already been included

netset: cannot include x.x.x.x/16 as it has already been included

netset: cannot include a.a.a.a/32 as it has already been included

Learned tokens from 4 message(s) (4 message(s) examined)

netset: cannot include x.x.x.x/16 as it has already been included

netset: cannot include a.a.a.a/32 as it has already been included

netset: cannot include x.x.x.x/16 as it has already been included

netset: cannot include a.a.a.a/32 as it has already been included

Learned tokens from 0 message(s) (0 message(s) examined)

netset: cannot include x.x.x.x/16 as it has already been included

netset: cannot include a.a.a.a/32 as it has already been included

netset: cannot include x.x.x.x/16 as it has already been included

netset: cannot include a.a.a.a/32 as it has already been included

bayes: synced databases from journal in 0 seconds: 2511 unique entries (2582 total entries)

Finished spamassassin training.

Starting dspam training

Taking Snapshot...

zimbra TP: 1401 TN: 33752 FP: 6 FN: 1432 SC: 0 NC: 0

Training /tmp/ham.KD27828 / /tmp/spam.Mo27825 corpora...

[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-0 result: FAIL (Innocent)

[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-1 result: FAIL (Innocent)

[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-2 result: FAIL (Innocent)

[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-3 result: FAIL (Innocent)

TRAINING COMPLETE
Training Snapshot:

zimbra TP: 0 TN: 4 FP: 0 FN: 4 SC: 0 NC: 0

SHR: 0.00% HSR: 0.00% OCA: 50.00%
Overall Statistics:

zimbra TP: 1401 TN: 33756 FP: 6 FN: 1436 SC: 0 NC: 0

SHR: 49.38% HSR: 0.02% OCA: 96.06%

Finished dspam training
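
Added example, not part of the original post: a Python check of the dspam counters in the training log above, showing what changed during the run and whether the printed rates follow from the counters. The SHR/HSR/OCA formulas are an assumption inferred from this log (they reproduce both printed rate lines), and the function names are made up for the example.

```python
import re

# Excerpt of the dspam part of the training log posted above.
LOG = """\
Taking Snapshot...
zimbra TP: 1401 TN: 33752 FP: 6 FN: 1432 SC: 0 NC: 0
Training /tmp/ham.KD27828 / /tmp/spam.Mo27825 corpora...
[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-0 result: FAIL (Innocent)
[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-1 result: FAIL (Innocent)
[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-2 result: FAIL (Innocent)
[test: spam ] /tmp/spam.Mo27825/13d5ad2f532-3 result: FAIL (Innocent)
TRAINING COMPLETE
Training Snapshot:
zimbra TP: 0 TN: 4 FP: 0 FN: 4 SC: 0 NC: 0
SHR: 0.00% HSR: 0.00% OCA: 50.00%
Overall Statistics:
zimbra TP: 1401 TN: 33756 FP: 6 FN: 1436 SC: 0 NC: 0
SHR: 49.38% HSR: 0.02% OCA: 96.06%
"""

COUNTERS = re.compile(r"^\S+\s+TP:\s*(\d+)\s+TN:\s*(\d+)\s+FP:\s*(\d+)\s+FN:\s*(\d+)")
RATES = re.compile(r"^SHR:\s*([\d.]+)%\s+HSR:\s*([\d.]+)%\s+OCA:\s*([\d.]+)%")
FAILED = re.compile(r"^\[test:\s*\w+\s*\]\s+\S+\s+result:\s+FAIL\b")
KEYS = ("TP", "TN", "FP", "FN")


def pct(part, whole):
    return round(100.0 * part / whole, 2) if whole else 0.0


def rates(c):
    # Assumed formulas, chosen because they reproduce the rate lines in the log.
    return {
        "SHR": pct(c["TP"], c["TP"] + c["FN"]),  # share of spam that was caught
        "HSR": pct(c["FP"], c["FP"] + c["TN"]),  # share of ham flagged as spam
        "OCA": pct(c["TP"] + c["TN"], sum(c[k] for k in KEYS)),
    }


def parse_training_log(text):
    """Return (counter blocks in log order, number of FAIL test lines)."""
    blocks, failed = [], 0
    for line in map(str.strip, text.splitlines()):
        counters, printed = COUNTERS.match(line), RATES.match(line)
        if counters:
            counts = dict(zip(KEYS, map(int, counters.groups())))
            blocks.append({"counts": counts, "computed": rates(counts)})
        elif printed and blocks:
            # A rate line belongs to the counter line printed just before it.
            blocks[-1]["printed"] = dict(
                zip(("SHR", "HSR", "OCA"), map(float, printed.groups())))
        elif FAILED.match(line):
            failed += 1
    return blocks, failed


def summarise(text):
    blocks, failed = parse_training_log(text)
    if not blocks:
        raise ValueError("no counter lines found")
    before, after = blocks[0]["counts"], blocks[-1]["counts"]
    return {
        "failed_tests": failed,
        "delta": {k: after[k] - before[k] for k in KEYS},
        "overall": blocks[-1]["computed"],
        "rates_match_log": all(b["computed"] == b["printed"]
                               for b in blocks if "printed" in b),
    }


if __name__ == "__main__":
    print(summarise(LOG))
```

On the posted log, the run moves only the TN and FN counters (+4 each) while TP stays at 1401, and the overall SHR stays at 49.38%.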

L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Spam Issue

Post by L. Mark Stone »

Zimbra 5.0 is well past end of life. Spamassassin has received many updates since then. I am glad the system has been stable for you but the system you are running is not secure and in our view should be updated.
I'd suggest doing a Split Domain migration on a new server, with the new server as Primary:

Split Domain - Zimbra :: Wiki
Hope that helps,

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
essential_mix
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

Spam Issue

Post by essential_mix »

[quote user="LMStone"]Zimbra 5.0 is well past end of life. Spamassassin has received many updates since then. I am glad the system has been stable for you but the system you are running is not secure and in our view should be updated.
I'd suggest doing a Split Domain migration on a new server, with the new server as Primary:

Split Domain - Zimbra :: Wiki
Hope that helps,

Mark[/QUOTE]

Thanks for the reply.
Are my logs from training normal? I mean rows like "/tmp/spam.Mo27825/13d5ad2f532-0 result: FAIL (Innocent)". Why is it always FAIL?
And can I manually update SpamAssassin and DSPAM on Zimbra 5?
10424bofh
Outstanding Member
Posts: 285
Joined: Sat Sep 13, 2014 1:15 am

Spam Issue

Post by 10424bofh »

Hello,
Yes, you can update dspam (SpamAssassin I don't know)

and you HAVE TO UPDATE IT.

You even need the trunk version (daily snapshot) instead of Zimbra's, because Zimbra is still using an old RC which cannot clean up the hashdb,

which leads to massively bad behaviour of dspam.
Also, please show me your dspam conf.
You can also do a search for dspam and my username; I made a simple public shell script to download and compile dspam correctly, including a good config file for spam.

All you have to do is set the symlink to the new version and edit the amavisd conf to give dspam higher scorings. That way you can let dspam take over the spam handling.
Also add the cron cleanup script for the hash driver.
Can I ask how many users you're running and how many mails per day you get?
dspam correctly configured runs awesome and very agile. I personally set the scoring for dspam so high that SpamAssassin has almost no authority anymore.

Together with greylisting (yes, I am using it) we have no spam problem anymore.
10424bofh
Outstanding Member
Posts: 285
Joined: Sat Sep 13, 2014 1:15 am

Spam Issue

Post by 10424bofh »

A word of warning: if you change essentials in the dspam conf, it is best to shut down, delete the dspam hash db and start over.

You cannot change tokens or algorithm without starting from scratch in the dspam.db.
So it's nothing you simply change to test. If you're not familiar with how dspam works, use my config and let it run for a couple of weeks.

If you know how dspam works, make your plan for how you want to run it and stay with it. Every time you change essentials you need to scratch the db.
Also keep a copy of the config, because updates by Zimbra usually kill the old one (I always make a copy of the config and data/dspam, do the upgrade, then stop Zimbra again and

replace both with my backup).
As a matter of fact, if you set it up right, 95% of your needs can be served with dspam, because it's not really an antispam engine, it's a self-learning AI -

if you use sbph it's really massive and it can even predict spam even if it has never seen that type.
The downside is that it's very powerful and leaves a lot of different options for any kind of setup and infrastructure, but you need to be very familiar with it if you want to make your own configuration.
PS: I worked with the project for a while. The maths behind it are high-end; it was developed within a university, so I don't think most of us can really understand how the math really works.

It's one massively underrated software. :))
essential_mix
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

Spam Issue

Post by essential_mix »

First of all thank you for your reply.
[QUOTE]Hello,
Yes you can update dspam (spamassasin i dont know)

and you HAVE TO UPDATE IT

you need even the trunk version (daly snapshot) instead of zimbras because zimbra is still using an old RC which cannot cleanup the hashdb

which leads to a massive bad behave of dspam[/QUOTE]

This is what i have for now:



/opt/zimbra/dspam/bin# ./dspam --version
DSPAM Anti-Spam Suite 3.10.2 (agent/library)
Copyright (C) 2002-2012 DSPAM Project

http://dspam.sourceforge.net.


[QUOTE]also please show me your dspam conf[/QUOTE]

dspam.conf:



## dspam.conf -- DSPAM configuration file

####################################################-----SYSTEM-----####################################

#Home /opt/zimbra/data/dspam

Home /var/dspam

StorageDriver /opt/dspam/lib/dspam/libmysql_drv.so

#StorageDriver /opt/zimbra/dspam/lib/dspam/libhash_drv.so

TrustedDeliveryAgent "no"

OnFail error

Trust root

Trust zimbra

LocalMX 127.0.0.1

WebStats off

SystemLog on

UserLog on

Opt out

Notifications off
####################################################-----ANALYSE-----####################################

# Acceptable values are: toe, tum, teft, notrain

TrainingMode toe

TestConditionalTraining on

Feature noise

#Feature tb=5

Feature whitelist

Algorithm graham burton

Tokenizer sbph

PValue markov

ProcessorURLContext on

ProcessorBias on

#MaxMessageSize 4194304

#ImprobabilityDrive on

#TrainPristine on

#DataSource document

#ProcessorWordFrequency occurrence
####################################################-----PREFERENCES-----####################################

#Preference "spamAction=quarantine"

Preference "signatureLocation=headers" # 'message' or 'headers'

Preference "showFactors=on"

Preference "spamAction=tag"

#Preference "spamSubject=SPAM"

AllowOverride trainingMode

AllowOverride spamAction spamSubject

AllowOverride statisticalSedation

AllowOverride enableBNR

AllowOverride enableWhitelist

AllowOverride signatureLocation

AllowOverride showFactors

AllowOverride optIn optOut

AllowOverride whitelistThreshold

####################################################-----DATABASE-----####################################

HashRecMax 6291469 #we use a big file here to prevent to much extents

HashAutoExtend on

HashMaxExtents 0 #endless extents

HashExtentSize 3145739 #use half of hasrecmax

HashPctIncrease 10

HashMaxSeek 100

HashConnectionCache 10

MySQLServer /opt/zimbra/db/mysql.sock

MySQLPort 7306

MySQLUser MYSQLUSER

MySQLPass MYSQLPASS

MySQLDb MYDSPAMDB

####################################################-----MAINTENANCE-----####################################

PurgeSignatures 14 # Stale signatures

PurgeNeutral 90 # Tokens with neutralish probabilities

PurgeUnused 90 # Unused tokens

PurgeHapaxes 30 # Tokens with less than 5 hits (hapaxes)

PurgeHits1S 15 # Tokens with only 1 spam hit

PurgeHits1I 15 # Tokens with only 1 innocent hit

####################################################-----IGNOREHEADER-----####################################

IgnoreHeader X-Spam-Status

IgnoreHeader X-Spam-Scanned

IgnoreHeader X-Virus-Scanner-Result

IgnoreHeader Accept-Language

IgnoreHeader Approved

IgnoreHeader Archive

IgnoreHeader Authentication-Results

IgnoreHeader Cache-Post-Path

IgnoreHeader Cancel-Key

IgnoreHeader Cancel-Lock

IgnoreHeader Complaints-To

IgnoreHeader Content-Description

IgnoreHeader Content-Disposition

IgnoreHeader Content-ID

IgnoreHeader Content-Language

IgnoreHeader Content-Return

IgnoreHeader Content-Transfer-Encoding

IgnoreHeader Content-Type

IgnoreHeader DKIM-Signature

IgnoreHeader Date

IgnoreHeader Disposition-Notification-To

IgnoreHeader DomainKey-Signature

IgnoreHeader Importance

IgnoreHeader In-Reply-To

IgnoreHeader Injection-Info

IgnoreHeader Lines

IgnoreHeader List-Archive

IgnoreHeader List-Help

IgnoreHeader List-Id

IgnoreHeader List-Post

IgnoreHeader List-Subscribe

IgnoreHeader List-Unsubscribe

IgnoreHeader Message-ID

IgnoreHeader Message-Id

IgnoreHeader NNTP-Posting-Date

IgnoreHeader NNTP-Posting-Host

IgnoreHeader Newsgroups

IgnoreHeader OpenPGP

IgnoreHeader Organization

IgnoreHeader Originator

IgnoreHeader PGP-ID

IgnoreHeader Path

IgnoreHeader Received

IgnoreHeader Received-SPF

IgnoreHeader References

IgnoreHeader Reply-To

IgnoreHeader Resent-Date

IgnoreHeader Resent-From

IgnoreHeader Resent-Message-ID

IgnoreHeader Thread-Index

IgnoreHeader Thread-Topic

IgnoreHeader User-Agent

IgnoreHeader X--MailScanner-SpamCheck

IgnoreHeader X-AV-Scanned

IgnoreHeader X-AV-Scanned

IgnoreHeader X-AVAS-Spam-Level

IgnoreHeader X-AVAS-Spam-Score

IgnoreHeader X-AVAS-Spam-Status

IgnoreHeader X-AVAS-Spam-Symbols

IgnoreHeader X-AVAS-Virus-Status

IgnoreHeader X-AVK-Virus-Check

IgnoreHeader X-Abuse

IgnoreHeader X-Abuse-Contact

IgnoreHeader X-Abuse-Info

IgnoreHeader X-Abuse-Management

IgnoreHeader X-Abuse-To

IgnoreHeader X-Abuse-and-DMCA-Info

IgnoreHeader X-Accept-Language

IgnoreHeader X-Admission-MailScanner-SpamCheck

IgnoreHeader X-Admission-MailScanner-SpamScore

IgnoreHeader X-Amavis-Alert

IgnoreHeader X-Amavis-Hold

IgnoreHeader X-Amavis-Modified

IgnoreHeader X-Amavis-OS-Fingerprint

IgnoreHeader X-Amavis-PenPals

IgnoreHeader X-Amavis-PolicyBank

IgnoreHeader X-AntiVirus

IgnoreHeader X-Antispam

IgnoreHeader X-Antivirus

IgnoreHeader X-Antivirus-Scanner

IgnoreHeader X-Antivirus-Status

IgnoreHeader X-Archive

IgnoreHeader X-Assp-Spam-Prob

IgnoreHeader X-Attention

IgnoreHeader X-BTI-AntiSpam

IgnoreHeader X-Barracuda

IgnoreHeader X-Barracuda-Bayes

IgnoreHeader X-Barracuda-Spam-Flag

IgnoreHeader X-Barracuda-Spam-Report

IgnoreHeader X-Barracuda-Spam-Score

IgnoreHeader X-Barracuda-Spam-Status

IgnoreHeader X-Barracuda-Virus-Scanned

IgnoreHeader X-BeenThere

IgnoreHeader X-Bogosity

IgnoreHeader X-Brightmail-Tracker

IgnoreHeader X-CRM114-CacheID

IgnoreHeader X-CRM114-Status

IgnoreHeader X-CRM114-Version

IgnoreHeader X-CTASD-IP

IgnoreHeader X-CTASD-RefID

IgnoreHeader X-CTASD-Sender

IgnoreHeader X-Cache

IgnoreHeader X-ClamAntiVirus-Scanner

IgnoreHeader X-Comment-To

IgnoreHeader X-Comments

IgnoreHeader X-Complaints

IgnoreHeader X-Complaints-Info

IgnoreHeader X-Complaints-To

IgnoreHeader X-DKIM

IgnoreHeader X-DMCA-Complaints-To

IgnoreHeader X-DMCA-Notifications

IgnoreHeader X-Despammed-Tracer

IgnoreHeader X-ELTE-SpamCheck

IgnoreHeader X-ELTE-SpamCheck-Details

IgnoreHeader X-ELTE-SpamScore

IgnoreHeader X-ELTE-SpamVersion

IgnoreHeader X-ELTE-VirusStatus

IgnoreHeader X-Enigmail-Supports

IgnoreHeader X-Enigmail-Version

IgnoreHeader X-Evolution-Source

IgnoreHeader X-Extra-Info

IgnoreHeader X-FSFE-MailScanner

IgnoreHeader X-FSFE-MailScanner-From

IgnoreHeader X-Face

IgnoreHeader X-Fellowship-MailScanner

IgnoreHeader X-Fellowship-MailScanner-From

IgnoreHeader X-Forwarded

IgnoreHeader X-GMX-Antispam

IgnoreHeader X-GMX-Antivirus

IgnoreHeader X-GPG-Fingerprint

IgnoreHeader X-GPG-Key-ID

IgnoreHeader X-GPS-DegDec

IgnoreHeader X-GPS-MGRS

IgnoreHeader X-GWSPAM

IgnoreHeader X-Gateway

IgnoreHeader X-Greylist

IgnoreHeader X-HTMLM

IgnoreHeader X-HTMLM-Info

IgnoreHeader X-HTMLM-Score

IgnoreHeader X-HTTP-Posting-Host

IgnoreHeader X-HTTP-UserAgent

IgnoreHeader X-HTTP-Via

IgnoreHeader X-Headers-End

IgnoreHeader X-ID

IgnoreHeader X-IMAIL-SPAM-STATISTICS

IgnoreHeader X-IMAIL-SPAM-URL-DBL

IgnoreHeader X-IMAIL-SPAM-VALFROM

IgnoreHeader X-IMAIL-SPAM-VALHELO

IgnoreHeader X-IMAIL-SPAM-VALREVDNS

IgnoreHeader X-Info

IgnoreHeader X-IronPort-Anti-Spam-Filtered

IgnoreHeader X-IronPort-Anti-Spam-Result

IgnoreHeader X-KSV-Antispam

IgnoreHeader X-Kaspersky-Antivirus

IgnoreHeader X-MDAV-Processed

IgnoreHeader X-MDRemoteIP

IgnoreHeader X-MDaemon-Deliver-To

IgnoreHeader X-MIE-MailScanner-SpamCheck

IgnoreHeader X-MIMEOLE

IgnoreHeader X-MIMETrack

IgnoreHeader X-MMS-Spam-Filter-ID

IgnoreHeader X-MS-Has-Attach

IgnoreHeader X-MS-TNEF-Correlator

IgnoreHeader X-MSMail-Priority

IgnoreHeader X-MailScanner

IgnoreHeader X-MailScanner-Information

IgnoreHeader X-MailScanner-SpamCheck

IgnoreHeader X-Mailer

IgnoreHeader X-Mailman-Version

IgnoreHeader X-Mlf-Spam-Status

IgnoreHeader X-NAI-Spam-Checker-Version

IgnoreHeader X-NAI-Spam-Flag

IgnoreHeader X-NAI-Spam-Level

IgnoreHeader X-NAI-Spam-Report

IgnoreHeader X-NAI-Spam-Route

IgnoreHeader X-NAI-Spam-Rules

IgnoreHeader X-NAI-Spam-Score

IgnoreHeader X-NAI-Spam-Threshold

IgnoreHeader X-NEWT-spamscore

IgnoreHeader X-NNTP-Posting-Date

IgnoreHeader X-NNTP-Posting-Host

IgnoreHeader X-NetcoreISpam1-ECMScanner

IgnoreHeader X-NetcoreISpam1-ECMScanner-From

IgnoreHeader X-NetcoreISpam1-ECMScanner-Information

IgnoreHeader X-NetcoreISpam1-ECMScanner-SpamCheck

IgnoreHeader X-NetcoreISpam1-ECMScanner-SpamScore

IgnoreHeader X-Newsreader

IgnoreHeader X-Newsserver

IgnoreHeader X-No-Archive

IgnoreHeader X-No-Spam

IgnoreHeader X-OSBF-Lua-Score

IgnoreHeader X-OWM-SpamCheck

IgnoreHeader X-OWM-VirusCheck

IgnoreHeader X-Olypen-Virus

IgnoreHeader X-Orig-Path

IgnoreHeader X-OriginalArrivalTime

IgnoreHeader X-Originating-IP

IgnoreHeader X-PAA-AntiVirus

IgnoreHeader X-PAA-AntiVirus-Message

IgnoreHeader X-PGP-Fingerprint

IgnoreHeader X-PGP-Hash

IgnoreHeader X-PGP-ID

IgnoreHeader X-PGP-Key

IgnoreHeader X-PGP-Key-Fingerprint

IgnoreHeader X-PGP-KeyID

IgnoreHeader X-PGP-Sig

IgnoreHeader X-PIRONET-NDH-MailScanner-SpamCheck

IgnoreHeader X-PIRONET-NDH-MailScanner-SpamScore

IgnoreHeader X-PMX

IgnoreHeader X-PMX-Version

IgnoreHeader X-PN-SPAMFiltered

IgnoreHeader X-Posting-Agent

IgnoreHeader X-Posting-ID

IgnoreHeader X-Posting-IP

IgnoreHeader X-Priority

IgnoreHeader X-Proofpoint-Spam-Details

IgnoreHeader X-Qmail-Scanner-1.25st

IgnoreHeader X-Quarantine-ID

IgnoreHeader X-RAV-AntiVirus

IgnoreHeader X-RITmySpam

IgnoreHeader X-RITmySpam-IP

IgnoreHeader X-RITmySpam-Spam

IgnoreHeader X-Rc-Spam

IgnoreHeader X-Rc-Virus

IgnoreHeader X-Received-Date

IgnoreHeader X-RedHat-Spam-Score

IgnoreHeader X-RedHat-Spam-Warning

IgnoreHeader X-RegEx

IgnoreHeader X-RegEx-Score

IgnoreHeader X-Rocket-Spam

IgnoreHeader X-SA-GROUP

IgnoreHeader X-SA-RECEIPTSTATUS

IgnoreHeader X-STA-NotSpam

IgnoreHeader X-STA-Spam

IgnoreHeader X-Scam-grey

IgnoreHeader X-Scanned-By

IgnoreHeader X-Sender

IgnoreHeader X-SenderID

IgnoreHeader X-Sohu-Antivirus

IgnoreHeader X-Spam

IgnoreHeader X-Spam-ASN

IgnoreHeader X-Spam-ASN

IgnoreHeader X-Spam-Check

IgnoreHeader X-Spam-Checked-By

IgnoreHeader X-Spam-Checker

IgnoreHeader X-Spam-Checker-Version

IgnoreHeader X-Spam-Clean

IgnoreHeader X-Spam-DCC

IgnoreHeader X-Spam-Details

IgnoreHeader X-Spam-Filter

IgnoreHeader X-Spam-Filtered

IgnoreHeader X-Spam-Flag

IgnoreHeader X-Spam-Level

IgnoreHeader X-Spam-OrigSender

IgnoreHeader X-Spam-Pct

IgnoreHeader X-Spam-Prev-Subject

IgnoreHeader X-Spam-Processed

IgnoreHeader X-Spam-Pyzor

IgnoreHeader X-Spam-Rating

IgnoreHeader X-Spam-Report

IgnoreHeader X-Spam-Scanned

IgnoreHeader X-Spam-Score

IgnoreHeader X-Spam-Status

IgnoreHeader X-Spam-Tagged

IgnoreHeader X-Spam-Tests

IgnoreHeader X-Spam-Tests-Failed

IgnoreHeader X-Spam-Virus

IgnoreHeader X-Spam-Warning

IgnoreHeader X-Spam-detection-level

IgnoreHeader X-SpamAssassin-Clean

IgnoreHeader X-SpamAssassin-Warning

IgnoreHeader X-SpamBouncer

IgnoreHeader X-SpamCatcher-Score

IgnoreHeader X-SpamCop-Checked

IgnoreHeader X-SpamCop-Disposition

IgnoreHeader X-SpamCop-Whitelisted

IgnoreHeader X-SpamDetected

IgnoreHeader X-SpamInfo

IgnoreHeader X-SpamPal

IgnoreHeader X-SpamPal-Timeout

IgnoreHeader X-SpamReason

IgnoreHeader X-SpamScore

IgnoreHeader X-SpamTest-Categories

IgnoreHeader X-SpamTest-Info

IgnoreHeader X-SpamTest-Method

IgnoreHeader X-SpamTest-Status

IgnoreHeader X-SpamTest-Version

IgnoreHeader X-Spamadvice

IgnoreHeader X-Spamarrest-noauth

IgnoreHeader X-Spamarrest-speedcode

IgnoreHeader X-Spambayes-Classification

IgnoreHeader X-Spamcount

IgnoreHeader X-Spamsensitivity

IgnoreHeader X-TERRACE-SPAMMARK

IgnoreHeader X-TERRACE-SPAMRATE

IgnoreHeader X-TM-AS-Category-Info

IgnoreHeader X-TM-AS-MatchedID

IgnoreHeader X-TM-AS-Product-Ver

IgnoreHeader X-TM-AS-Result

IgnoreHeader X-TMWD-Spam-Summary

IgnoreHeader X-TNEFEvaluated

IgnoreHeader X-Text-Classification

IgnoreHeader X-Text-Classification-Data

IgnoreHeader X-Trace

IgnoreHeader X-UCD-Spam-Score

IgnoreHeader X-User-Agent

IgnoreHeader X-User-ID

IgnoreHeader X-User-System

IgnoreHeader X-Virus-Check

IgnoreHeader X-Virus-Checked

IgnoreHeader X-Virus-Checker-Version

IgnoreHeader X-Virus-Scan

IgnoreHeader X-Virus-Scanned

IgnoreHeader X-Virus-Scanner

IgnoreHeader X-Virus-Scanner-Result

IgnoreHeader X-Virus-Status

IgnoreHeader X-VirusChecked

IgnoreHeader X-Virusscan

IgnoreHeader X-WSS-ID

IgnoreHeader X-WinProxy-AntiVirus

IgnoreHeader X-WinProxy-AntiVirus-Message

IgnoreHeader X-Yandex-Forward

IgnoreHeader X-Yandex-Front

IgnoreHeader X-Yandex-Spam

IgnoreHeader X-Yandex-TimeMark

IgnoreHeader X-cid

IgnoreHeader X-iHateSpam-Checked

IgnoreHeader X-iHateSpam-Quarantined

IgnoreHeader X-policyd-weight

IgnoreHeader X-purgate

IgnoreHeader X-purgate-Ad

IgnoreHeader X-purgate-ID

IgnoreHeader X-sgxh1

IgnoreHeader X-to-viruscore

IgnoreHeader Xref

IgnoreHeader acceptlanguage

IgnoreHeader thread-index

IgnoreHeader x-uscspam

## EOF


[QUOTE]you can also do a search about dspam and my username, i made a public simple shellscript to download and compile dspam correctly including a good config file for spam

all you have todo is set the symlink to the new version and edit the amavisd conf to give dspam higher scorings. that way you can let dspam takeover the spamhandling
also add the cron cleanupscript for the hash driver[/QUOTE]

I am not sure that I have the correct config in amavisd.conf.
[QUOTE]can i ask how many users youre running on/mails per day you got?[/QUOTE]
We have something like 20 active users and 400-700 mails.
[QUOTE]dspam corretly configured runs awesome and ver agile, i personally set the scoring for dpsam so high that spamassasin almost has no authority anymore

together with greylistning (yes iam using it) we have no spam problem anymore[/QUOTE]
essential_mix
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

Spam Issue

Post by essential_mix »

Does anybody have ideas?
10424bofh
Outstanding Member
Posts: 285
Joined: Sat Sep 13, 2014 1:15 am

Spam Issue

Post by 10424bofh »

Hello,
ah, looks like you found my thread at http://www.zimbra.com/forums/administra ... howto.html

At least I feel like I am used to your config file :))
OK, so let's begin -

1. Did you run the cronjob to clean up the hash db?

If so, fine.

2. When you applied the new config, did you delete the dspam data file? If not, ugh, you have to,

because you cannot mix 2 different configs within one hashdb - just for the record.

I assume you did.
3. Your version should be fine; I think in 3.20.2 the hash cleanup thing is fixed.

Run those 2 to be sure - if no error is thrown, your version of dspam is good.


/opt/zimbra/dspam/bin/cssclean /opt/zimbra/data/dspam/data/z/i/zimbra/zimbra.css

/opt/zimbra/dspam/bin/csscompress /opt/zimbra/data/dspam/data/z/i/zimbra/zimbra.css




So if those steps above are set, dspam should run fine - now let's find out.

I guess it's amavisd - I do not change the amavisd.conf, I change amavis itself, adjusting the score dspam gets there,

and give it almost total authority - but let's make sure dspam runs fine first.
Please post me the email headers of one spam and one not spam.

It's enough to copy just the X-DSPAM tags at the top of the mail,

like
X-DSPAM-Result: Innocent

X-DSPAM-Class: Innocent

X-DSPAM-Confidence: 0.70

X-DSPAM-Probability: 0.2977

X-DSPAM-Signature: N/A

X-Virus-Scanned: amavisd-new at server.blabla.org
Spam looks like this:
X-DSPAM-Result: Spam

X-DSPAM-Class: Spam

X-DSPAM-Confidence: 0.96

X-DSPAM-Probability: 0.9623

X-DSPAM-Signature: N/A

X-Virus-Scanned: amavisd-new at mail.blabla.org

X-Spam-Score: 15.526

X-Spam-Level: ***************

X-Spam-Status: Yes, score=15.526 tagged_above=-10 required=10


Just in case someone else stumbles onto this topic - you'll find that with a right mouse click on a mail - Show Original.

At the top those lines should stand out.
Please post the results so we can check if dspam works correctly or not.

- Best would be:

1 classified as spam which is actually spam (right positive)

1 classified as spam which is NOT spam (false positive)
1 classified as not spam which is actually spam (false negative)

1 classified as not spam which is not spam (right negative)
For each of those, the X-DSPAM and X-Spam headers please.

Then we can verify what the filter does and what not.
10424bofh
Outstanding Member
Posts: 285
Joined: Sat Sep 13, 2014 1:15 am

Spam Issue

Post by 10424bofh »

Just for the record:

X-DSPAM-Confidence: 0.96

X-DSPAM-Probability: 0.9623
The first number means how confident dspam is in the second number,
so in this case dspam is 96% sure that this mail is 65.2% spam.

If it's like

confidence 0.5

probability: 0.842

that would mean dspam gives it a 50/50 chance that this might be spam with a probability of 84%.


So we have not only one number (spam probability) but also the chance that this probability is correct - because dspam knows it can be mistaken :))
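
Added example, not part of the thread: a Python helper for the four-way header check requested above. It reads the X-DSPAM and X-Spam headers of a message, sorts each engine's verdict into right/false positive/negative, and reports how many SpamAssassin points the DSPAM rule contributed. The two header blocks are the ones quoted in this thread; the "really spam" labels passed to `triage` and all function names are assumptions made for the example.

```python
import re
from email import message_from_string

# Headers from the opening post (X-Spam-Status folding restored with tabs).
SAMPLE_A = """\
X-DSPAM-Result: Innocent
X-DSPAM-Confidence: 0.6458
X-DSPAM-Probability: 0.3542
X-Spam-Flag: NO
X-Spam-Score: -0.601
X-Spam-Status: No, score=-0.601 tagged_above=-10 required=4 tests=[AWL=0.280,
\tBAYES_00=-2.599, DSPAM_HAM=-0.5, SPF_PASS=-0.001,
\tTVD_SPACE_RATIO=2.219]
"""

# The "spam looks like this" sample from the thread.
SAMPLE_B = """\
X-DSPAM-Result: Spam
X-DSPAM-Class: Spam
X-DSPAM-Confidence: 0.96
X-DSPAM-Probability: 0.9623
X-Spam-Score: 15.526
X-Spam-Status: Yes, score=15.526 tagged_above=-10 required=10
"""


def _num(value):
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def _field(pattern, text):
    match = re.search(pattern, text)
    return match.group(1) if match else None


def parse_verdicts(raw_headers):
    msg = message_from_string(raw_headers)
    # Unfold the multi-line X-Spam-Status header into a single line.
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    tests = {}
    for item in (_field(r"tests=\[(.*?)\]", status) or "").split(","):
        name, _, value = item.strip().partition("=")
        if name and _num(value) is not None:
            tests[name] = float(value)
    return {
        "dspam": {"result": (msg.get("X-DSPAM-Result") or "").strip(),
                  "confidence": _num(msg.get("X-DSPAM-Confidence")),
                  "probability": _num(msg.get("X-DSPAM-Probability"))},
        "sa": {"spam": status.lower().startswith("yes"),
               "score": _num(_field(r"score=(-?[\d.]+)", status)),
               "required": _num(_field(r"required=(-?[\d.]+)", status)),
               "tests": tests},
    }


def quadrant(flagged_spam, really_spam):
    if flagged_spam:
        return "right positive" if really_spam else "false positive"
    return "false negative" if really_spam else "right negative"


def triage(raw_headers, really_spam):
    v = parse_verdicts(raw_headers)
    tests = v["sa"]["tests"]
    return {
        "dspam": quadrant(v["dspam"]["result"].lower() == "spam", really_spam),
        "spamassassin": quadrant(v["sa"]["spam"], really_spam),
        # Points the DSPAM_* rule added to the SpamAssassin score in amavisd.
        "dspam_points": round(sum(p for n, p in tests.items() if n.startswith("DSPAM")), 3),
        "rule_sum": round(sum(tests.values()), 3),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_A, really_spam=True))   # label is an assumption
    print(triage(SAMPLE_B, really_spam=True))   # label is an assumption
```

For the opening post's message, the rule hits sum to the reported score of -0.601, of which the DSPAM verdict accounts for -0.5.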