Pro-Active Stance Against Spam


LeeH
04-19-2010, 12:06 PM
I've started taking a proactive stance against spam and am trying to learn about all of the tools available to me. The first thing I did was tweak my SA score down to 3.7. It was down to around 3.2 for about a year but I was uncomfortable at that level.

Just recently I installed the EFM and I am tweaking that to handle the increasing amount of spam that gets by SA.

My question is why would a message have a score of zero? When I was reviewing some of my spam headers I see no score issued by SA, for example:

Return-Path: <sana3x@lyricsmode.com>
Delivered-To: lhenry@my_domain.com
X-Spam-Checker-Version: SpamAssassin 3.2.5-gr0 (2008-06-10) by QuestScan
on Sun, 18 Apr 2010 18:30:18 +0000
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=3.7 tests=HTML_MESSAGE
autolearn=disabled version=3.2.5-gr0
Received: (fqmail 5054 invoked from network); 18 Apr 2010 18:30:18 -0000
Received: (qmail 25059 invoked from network); 18 Apr 2010 18:30:18 -0000
Received: from win7xp ([109.52.129.27])
by mx15.futurequest.net ([10.2.1.189])
with SMTP via TCP; 18 Apr 2010 18:30:17 -0000
Received: (qmail 3407 by uid 407); Sun, 18 Apr 2010 20:29:51 -0100
From: "Free ViagraAndCialis" <sana3x@lyricsmode.com>
To: <linda@my_domain.com>
Subject: Be rock hard 24/7
Date: Sun, 18 Apr 2010 20:25:33 -0100
Message-ID: <005601cadf35$e9f6b240$bde416c0$@com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0055_01CADF35.E9F6B240"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acjv+7PgA7XPBul0p9OFTMB7+5Hccw==
Content-Language: en-us


By the way, the message also contained a word that was on my banned word list in the EFM but still came through, which has me scratching my head.

Lee

Bob
04-19-2010, 12:24 PM
The only thing flagged by SpamAssassin was HTML_MESSAGE, which carries a score of 0.001, and SA reports only to the tenth...

If you take your "X-Spam-Status:" line and paste it into this decoder it will provide the tag and scoring for that tag:
http://www.futurequest.net/docs/SA/decode/

-Bob
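As an added illustration of what Bob describes (this is example code written for this page, not FutureQuest's decoder and not part of the thread), the following decodes an X-Spam-Status header into its fields and the list of rules that fired, then shows why a rule worth 0.001 is reported as 0.0 once the total is rounded to one decimal. The HTML_MESSAGE score is the value quoted above; the other entries in the score table are constructed sample values, not SpamAssassin's real defaults.

```python
import re

# Per-rule scores used to decode a tests= list. HTML_MESSAGE=0.001 is the
# value quoted in the thread; the other two are constructed sample values
# for illustration and are not SpamAssassin's real default scores.
RULE_SCORES = {
    "HTML_MESSAGE": 0.001,
    "MISSING_MID": 0.5,       # constructed sample value
    "SUBJ_ALL_CAPS": 1.2,     # constructed sample value
}

# The header from the first post, folded onto two lines as it was received.
SAMPLE_HEADER = (
    "X-Spam-Status: No, score=0.0 required=3.7 tests=HTML_MESSAGE\n"
    "\tautolearn=disabled version=3.2.5-gr0"
)


def unfold(header):
    """Join RFC 5322 continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_spam_status(header):
    """Decode an X-Spam-Status header into its key=value fields and tests list."""
    line = unfold(header)
    m = re.match(r"X-Spam-Status:\s*(Yes|No),\s*(.*)$", line, re.I)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    fields = {"is_spam": m.group(1).lower() == "yes"}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group(2)):
        fields[key] = value
    fields["score"] = float(fields.get("score", "0"))
    fields["required"] = float(fields.get("required", "5"))
    tests = fields.get("tests", "")
    # SA writes tests=none when nothing fired; drop that placeholder.
    fields["tests"] = [t for t in tests.split(",") if t and t != "none"]
    return fields


def explain_tests(tests, scores=RULE_SCORES):
    """Return ([(rule, score_or_None), ...], exact_total) for the rules that fired."""
    contributions = [(t, scores.get(t)) for t in tests]
    total = sum(s for _, s in contributions if s is not None)
    return contributions, total


def decode(header, scores=RULE_SCORES):
    """Summarise a header the way a decoder page would: fields, per-rule
    scores, the exact total and the one-decimal value SA actually reports."""
    fields = parse_spam_status(header)
    contributions, total = explain_tests(fields["tests"], scores)
    return {
        "is_spam": fields["is_spam"],
        "required": fields["required"],
        "reported_score": fields["score"],
        "rules": contributions,
        "exact_total": total,
        "rounded_total": float(f"{total:.1f}"),  # what X-Spam-Status prints
    }


if __name__ == "__main__":
    for rule, score in decode(SAMPLE_HEADER)["rules"]:
        print(f"{rule:<16} {score}")
    print("exact total:", decode(SAMPLE_HEADER)["exact_total"])
    print("reported   :", decode(SAMPLE_HEADER)["rounded_total"])
```

The rounding step is the whole story for Lee's header: 0.001 rounds to 0.0, so the message looks unscored even though one rule did fire.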

LeeH
04-19-2010, 12:34 PM
Hi Bob,

So as I understand what you're saying is that an email sent to me from: Free ViagraAndCialis [sana3x@lyricsmode.com] with a subject of: Be rock hard 24/7 and a body of: Chase away your bedroom blues http://climbdo.com
only scored 0.001?

A simple minded person like me would think SA is being paid to look the other way on terms of Cialis and Viagra.

Bob
04-19-2010, 12:35 PM
Lee take a look at this thread...
http://www.aota.net/forums/showthread.php?t=25488

-Bob

CamFraser
07-19-2010, 12:57 AM
> I've started taking a proactive stance against spam and am trying to learn about all of the tools available to me. The first thing I did was tweak my SA score down to 3.7. It was down to around 3.2 for about a year but I was uncomfortable at that level.


Trust your gut, Lee, your gut! :P

Seriously, SA is explicitly tuned to a cutoff of 5. Those dudes know what they're doing. Trust them. Use the Force, the SA Force! :P

If you go below that, you will have a significantly higher FP rate ("FP" is Geekspeak for "False Positive", or, in English: killed Good Email).

One issue you should be alert to is that they're biased towards using Bayes, which is extremely impractical in a shared hosting environment.

Bayes drastically reduces one's FP rate. SA's tuning and stats assume you're using it. There is very little data available for a non-Bayes environment, and even less for a shared hosting, non-Bayes environment.

SpamAssassin was designed with the assumption it would be tuned to the "ham ecology" in which it is installed, which is not practical in a global install in a shared hosting environment (can you imagine poor Bruce hand tuning it for each of thousands of very different domains?!? Scary Monsters!).

The good news is that there are several FQ customers who are volunteers on the IpNation Team, and SpamAssassin "ham" summary data from some of their hand-classified data has been published:
http://IpNation.org/data/sa_fp_1.htm

That may be a bit confusing.
Just pick the cutoff you want to check out, then slide up it to the green line. Subtract that from "100", and that's the FP rate for that specific domain.

For example, in the first graph, if that domain admin was silly enough to use a cutoff of 3.0, they'd lose one in four good emails ( 25% ).
In the other two graphs, it would "only" be 7% and 5%.

With your old 3.2 cutoff, the FP rates would have been: 3.6% 4.9% 2.5%
With your new 3.7 cutoff, the FP rates would have been: 2% 3.4% 2%

Your domain is unique, and could be better or worse than those.

Those stats are a couple of years old, so things may be much better now, particularly with FQ's recent SA upgrade.
Stay tuned - those graphs will be updated soon!


> Just recently I installed the EFM and I am tweaking that to handle the increasing amount of spam that gets by SA.
>
> My question is why would a message have a score of zero? When I was reviewing some of my spam headers I see no score issued by SA, for example:


I suspect the Bayes issue is part of why SA doesn't catch stuff like that.
Bayes systems handle that sort of thing extremely well.

Also remember that SpamAssassin is probably the most popular open source spam filter on the planet, so the less stupid spammers do test against it, and actively "game" it.

Things you can try:

Bayes add-on to your email client
run EFM before SpamAssassin (this will delay when the domain blocklists are run, which may increase their hit rate)
regularly monitor stuff getting thru, and add keywords to EFM
share the job of monitoring stuff, and share keywords with others


It's been my experience that about half of all spam missed by SpamAssassin can be blocked by testing for a few keywords in the Subject and From.Realname fields. These change frequently.

About 10% to 20% of the misses can be blocked by just testing for a few fake degree mill phone numbers.
Here are the ones that have been appearing this month:

3013963506
4072457320
7189895740
9164843706

That's in their "de-gapped" form. You'll have to check for their actual form/layout in your own spam (the filter I use automatically de-gaps for me).

Good luck! :P
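The two checks CamFraser describes, keywords in the Subject and From realname plus "de-gapped" phone numbers in the body, as an added example written for this page (not the EFM, not the filter CamFraser uses, and not code from the thread). The four phone numbers are the ones listed above; the keyword list and the three sample messages are constructed for illustration (the first message reuses the From and Subject from Lee's header), and a real keyword list would change frequently, as the post notes.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The four numbers listed in the thread, already in "de-gapped" form.
BLOCKED_NUMBERS = {"3013963506", "4072457320", "7189895740", "9164843706"}

# Constructed sample keywords, drawn from the example message in this thread.
# A production list is maintained by hand and changes often.
BLOCKED_KEYWORDS = {"viagra", "cialis", "rock hard"}

# A run of at least 10 digits with optional spaces, dots, dashes or
# parentheses between them, e.g. "(301) 396-3506" or "3 0 1 . 3 9 6 . 3 5 0 6".
GAPPED_NUMBER = re.compile(r"\d(?:[\s().\-]*\d){9,}")


def degap(text):
    """Yield every candidate phone number in text with the separators removed."""
    for m in GAPPED_NUMBER.finditer(text):
        yield re.sub(r"\D", "", m.group(0))


def matches_blocked_number(text, blocked=BLOCKED_NUMBERS):
    """True if any de-gapped number in text ends with a blocked number, so a
    leading country code such as "1" does not defeat the check."""
    return any(any(n.endswith(b) for b in blocked) for n in degap(text))


def matches_keyword(value, keywords=BLOCKED_KEYWORDS):
    """Case-insensitive substring test after collapsing runs of whitespace."""
    folded = re.sub(r"\s+", " ", value or "").lower()
    return any(k in folded for k in keywords)


def text_parts(msg):
    """Return the decoded text/* bodies of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def classify(raw_message):
    """Return the reasons a message would be blocked; an empty list means pass."""
    msg = message_from_string(raw_message)
    reasons = []
    realname, _addr = parseaddr(msg.get("From", ""))
    if matches_keyword(msg.get("Subject", "")):
        reasons.append("subject keyword")
    if matches_keyword(realname):
        reasons.append("from-realname keyword")
    if matches_blocked_number(text_parts(msg)):
        reasons.append("body phone number")
    return reasons


# Constructed sample messages. The first reuses the From/Subject from the
# header in the first post; the other two are invented for this example.
SAMPLE_SPAM = (
    'From: "Free ViagraAndCialis" <sana3x@lyricsmode.com>\n'
    "To: <linda@my_domain.com>\n"
    "Subject: Be rock hard 24/7\n\n"
    "Chase away your bedroom blues\n"
)
SAMPLE_DEGREE = (
    'From: "Admissions" <noreply@example.invalid>\n'
    "Subject: Your diploma is waiting\n\n"
    "Call now: 1 (301) 396-35 06 to get your degree.\n"
)
SAMPLE_HAM = (
    'From: "Linda" <linda@example.invalid>\n'
    "Subject: Meeting notes\n\n"
    "See you at 10:30, room 204.\n"
)

if __name__ == "__main__":
    for name, raw in [("spam", SAMPLE_SPAM), ("degree", SAMPLE_DEGREE),
                      ("ham", SAMPLE_HAM)]:
        print(f"{name:<7} -> {classify(raw) or 'pass'}")
```

Matching on the de-gapped digit string is what makes the phone-number check robust to the spacing tricks the post alludes to; the keyword check is deliberately a plain substring test, which is cheap but is also why the list has to be watched and pruned for false positives.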