Mailing List Archive

A lot of false negatives
Hi,

My Thunderbird's Junk mailbox is full (75%) of spam, recognized by TB's
bayes engine, but not by SA's. They are quite often even scored as negatives.

Despite the monthly use of sa-learn from the Junk mailbox, spam keeps
not being flagged.

Example of a false negative:

> X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5.5
> tests=[.AWL=0.642, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
> DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
> HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1,
> MIME_QP_LONG_LINE=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001]
> autolearn=ham autolearn_force=no

versus a detected spam:

> X-Spam-Status: Yes, score=16.885 tagged_above=-999 required=5.5
> tests=[.ANY_PILL_PRICE=1, BAYES_60=1.5, DATE_IN_FUTURE_12_24=3.199,
> DRUGS_ERECTILE=1.994, DRUGS_ERECTILE_OBFU=1.109,
> GAPPY_LOW_CONTRAST=2.497, GAPPY_SUBJECT=0.1,
> HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
> T_SPF_PERMERROR=0.01, URIBL_ABUSE_SURBL=1.25, URIBL_DBL_SPAM=2.5,
> URIBL_SBL=1.623, URIBL_SBL_A=0.1] autolearn=spam autolearn_force=no

I have used SA for more than 10 years, but in a very basic manner.

Is there some doc on how to harden SA? Some useful plugins? Bayes is
clearly not sufficient in my case.

Thanks in advance

Regards

Xavier

--
Xavier HUMBERT
AMDH.FR - Infogérance - Architecte Réseaux et Systèmes
https://www.amdh.fr/
Re: A lot of false negatives
On 19.01.22 16:35, Xavier Humbert wrote:
>My Thunderbird's Junk mailbox is full (75%) of spam, recognized by
>TB's bayes engine, but not by SA's. They are quite often even scored
>as negatives.
>
>Despite the monthly use of sa-learn from the Junk mailbox, spam keeps
>not being flagged.
>
>Example of a false negative:
>
>>X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5.5
>> tests=[.AWL=0.642, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
>> DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
>> HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1,
>> MIME_QP_LONG_LINE=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001]
>> autolearn=ham autolearn_force=no

you need spamassassin training.
automatic training can easily lead to mistraining.
unfortunately, many mass-mailing providers are welcomelisted through many
DNSWLs and send mail that looks much like spam.

>I have used SA for more than 10 years, but in a very basic manner.
>
>Is there some doc on how to harden SA? Some useful plugins? Bayes is
>clearly not sufficient in my case.

using razor/pyzor/DCC helps much.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Your mouse has moved. Windows NT will now restart for changes to take
to take effect. [OK]
Re: A lot of false negatives
On 19/01/22 16:35, Xavier Humbert wrote:

> X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5.5
>> tests=[.AWL=0.642, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
>> DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
>> HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1,
>> MIME_QP_LONG_LINE=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001]
>> autolearn=ham autolearn_force=no

It looks like your bayes db is poisoned/not trained correctly.

Best course of action, IMO, is to delete it and restart training from
scratch, with a decent corpus of ham and spam

--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/
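
Added example, not part of the thread and not SpamAssassin code: a small Python parser for the bracketed `X-Spam-Status` format quoted above, which lists the rules that pulled a hand-identified spam below the threshold and flags the Bayes and autolearn pattern the replies point to. The function names `parse_spam_status` and `review_missed_spam` and the wording of the findings are assumptions made for illustration.

```python
import re

# X-Spam-Status of the false negative quoted in the thread
# (the "." before AWL is kept as it appears in the archive).
FALSE_NEGATIVE = """\
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5.5
 tests=[.AWL=0.642, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
 HTML_IMAGE_RATIO_04=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1,
 MIME_QP_LONG_LINE=0.001, SPF_FAIL=0.001, SPF_HELO_NONE=0.001]
 autolearn=ham autolearn_force=no"""


def parse_spam_status(header):
    """Parse a bracketed name=score X-Spam-Status header into a dict."""
    text = " ".join(header.split())  # unfold continuation lines
    verdict = re.match(r"X-Spam-Status:\s*(Yes|No),", text)
    block = re.search(r"tests=\[(.*?)\]", text)
    if not verdict or not block:
        raise ValueError("not a bracketed X-Spam-Status header")
    tests = {}
    for item in block.group(1).split(","):
        # Drop the stray leading "." seen on the first rule in the archive.
        name, _, value = item.strip().lstrip(".").partition("=")
        if name and value:
            tests[name] = float(value)
    # Parse the remaining key=value fields with the tests block removed.
    fields = dict(re.findall(r"(\w+)=(\S+)", text.replace(block.group(0), "")))
    return {"is_spam": verdict.group(1) == "Yes",
            "score": float(fields["score"]),
            "required": float(fields["required"]),
            "autolearn": fields.get("autolearn"),
            "tests": tests}


def review_missed_spam(header):
    """Findings for a header taken from a message a human has judged to be spam."""
    h = parse_spam_status(header)
    findings = []
    # Rules with negative points, largest reduction first.
    for name, pts in sorted(h["tests"].items(), key=lambda kv: kv[1]):
        if pts < 0:
            findings.append(f"{name} lowered the score by {-pts:g}")
    if any(n.startswith("BAYES_") and p < 0 for n, p in h["tests"].items()):
        findings.append("Bayes rated this message as ham")
    if h["autolearn"] == "ham":
        findings.append("autolearn=ham: this message was also auto-learned as ham")
    return findings
```

Run over a folder of missed spam, the findings show whether Bayes and autolearn are consistently the rules pulling scores down before deciding to retrain or reset the database.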