misnomer

Did Something Change?

I was doing really well with keeping spam in check and suddenly about 2 days ago I started getting floods of 50 at a time (several times a day), most with Netsky.

 

I haven't used the email from my site for much of anything so it can't be that I gave it to someone who harvested it. I have only two specific names I was getting mail for and I have SpamAssassin set.

 

On my machine I also run virus software but Netsky is a slippery one. It got so bad I had to fully shut down my incoming email.

 

I'm wondering if you guys changed anything in the past week or so? Much of the email was also addressed to my server name rather than my site name. ;)

 

Any insight is appreciated

 

-Jill

Nothing has changed. I have been having similar issues lately. It is an address that I don't use often but it was found by the spammer and I have been getting hit pretty hard.

I think the holidays bring the spammers out in full force. Especially those selling fake Rolex watches. Bah. Humbug.

I've been having the same problem, and did a little investigating.

 

In my headers, the BAYES_99 rule is showing up a lot, yet the spam scores are still very low (in the 2's)

 

[NOTE: the following all implies that you have spamassassin 3 installed]

 

Looking at the spamassassin defaults, BAYES_99 is set to "0 0 4.070 1.886" which means:

 

local = 0
net = 0
with bayes = 4.070
with bayes+net = 1.886

 

Now take an example email I just got:

X-Spam-Status: No, score=2.7 required=4.1 tests=BAYES_99,HTML_80_90,
    HTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_06,HTML_MESSAGE,
    HTML_TEXT_AFTER_BODY,HTML_TEXT_AFTER_HTML,TO_ADDRESS_EQ_REAL

BAYES_99: 0 0 4.070 1.886
HTML_80_90: 0.027 0 0.036 0.146
HTML_IMAGE_ONLY_20: 1.567 0.843 1.023 0.446
HTML_IMAGE_RATIO_06: 0.072 0 0.342 0.131
HTML_MESSAGE: 0.001
HTML_TEXT_AFTER_BODY: 0.263 0.151 0.752 0.061
HTML_TEXT_AFTER_HTML: 0.312 0.205 0.032 0.031
TO_ADDRESS_EQ_REAL: 0 0.470 0.131 0.026

 

If you add them up, the "local" scores = 2.7

 

Based on this, it is clear that Bayes is turned off (at least for me) and I am going to re-enable it by adding "use_bayes 1" to my config file.

 

I'll report back on how it goes....

Unfortunately......if you add up the bayes+net scores you ALSO get 2.7

 

So my hunch was incorrect....

 

Back to the drawing board. I am thinking of bumping up my BAYES_99 score.
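
The score-set arithmetic from the two posts above, as an added example that is not part of the thread: it parses the quoted X-Spam-Status header, sums the quoted default scores under each of the four score sets, and reports which set reproduces the header's score. The function names are illustrative, and the score table holds only the values quoted in the thread.

```python
import re

# Defaults quoted in the thread; columns: local, net, bayes, bayes+net.
DEFAULT_SCORES = """\
BAYES_99 0 0 4.070 1.886
HTML_80_90 0.027 0 0.036 0.146
HTML_IMAGE_ONLY_20 1.567 0.843 1.023 0.446
HTML_IMAGE_RATIO_06 0.072 0 0.342 0.131
HTML_MESSAGE 0.001
HTML_TEXT_AFTER_BODY 0.263 0.151 0.752 0.061
HTML_TEXT_AFTER_HTML 0.312 0.205 0.032 0.031
TO_ADDRESS_EQ_REAL 0 0.470 0.131 0.026
"""
# X-Spam-Status header quoted in the thread, with folded continuation lines.
HEADER = (
    "X-Spam-Status: No, score=2.7 required=4.1 tests=BAYES_99,HTML_80_90,\n"
    "\tHTML_IMAGE_ONLY_20,HTML_IMAGE_RATIO_06,HTML_MESSAGE,\n"
    "\tHTML_TEXT_AFTER_BODY,HTML_TEXT_AFTER_HTML,TO_ADDRESS_EQ_REAL\n"
)
SET_NAMES = ("local", "net", "bayes", "bayes+net")

def load_scores(text):
    """Map rule name -> 4 scores; a single value applies to every set."""
    table = {}
    for line in text.splitlines():
        name, *vals = line.split()
        nums = [float(v) for v in vals]
        table[name] = nums * 4 if len(nums) == 1 else nums
    return table

def parse_status(header):
    """Return (reported score, rule names) from an X-Spam-Status header."""
    flat = re.sub(r"\r?\n[ \t]+", "", header)  # unfold continuation lines
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    tests = re.search(r"tests=(\S+)", flat).group(1).split(",")
    return score, tests

def set_totals(header, table):
    """Sum the hit rules under each score set; list sets matching the header."""
    reported, tests = parse_status(header)
    unknown = [t for t in tests if t not in table]
    if unknown:
        raise KeyError(f"no score on file for: {unknown}")
    totals = [round(sum(table[t][i] for t in tests), 3) for i in range(4)]
    # Compare at one decimal place, the precision the header shows.
    matches = [n for n, t in zip(SET_NAMES, totals) if round(t, 1) == reported]
    return dict(zip(SET_NAMES, totals)), matches

if __name__ == "__main__":
    print(set_totals(HEADER, load_scores(DEFAULT_SCORES)))
```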

By your Server Name, you are talking about "user@serverxx.totalchoicehosting.com", correct?

If this is the case, then it would appear to me that someone on your server has possibly been infected.

Since it costs you nothing but a couple of minutes of time, maybe you should open a service ticket to make sure the techs check it out, as they will have access to the email logs and be able to see if my hunch is correct. And possibly save a major problem in the near future.

It's been a week since the change, and I am happy to report that bumping up my BAYES_99 score really did the trick.

 

Now I use:

score BAYES_99 3

 

And my threshold is 4.1

Hey hruska. I'd love to get a step-by-step of how you changed the Bayes score. I'd like to tweak my own settings, but I'm not really sure where to start. If there is another tutorial somewhere that I've overlooked, maybe someone can point me to it.

 

Thanks!

-John

I don't have a tutorial handy, but can tell you how to change at least that field.

 

Go into cPanel and run File Manager. Navigate to the .spamassassin directory and you will see a file called user_prefs.

 

You will see that it has info in it such as your current required hits, etc...

 

Simply add the line:

score BAYES_99 3

 

and save it. Of course, you can alter the "3" to whatever you want. My threshold is currently 4.1 and I found 3 to be right for me.
