Thread: Increased Spam detection

  1. #1

    I have one user who has seen an increase in "Suspect" spam messages, and these messages are actually false positives. Some of these messages are being tagged only a day after this user replied to the original sender, and the earlier msgs were not tagged as suspect.
    How can I reset this user, so he doesn't get the false positives as frequently?
    (He has not gotten used to checking the spam folder after three years with Zimbra...this is not the time to start remedial training...)
    Thanks. Hope this makes sense.
    rickvv
    Last edited by rickvv; 04-26-2010 at 09:37 AM. Reason: spelling

  2. #2

    Unfortunately you cannot, as the Bayes database is shared between all users. What we could really do with seeing is the headers from one of those emails. It could be that another rule is triggering, and not actually the Bayes scoring them incorrectly.

  3. #3

    Found the headers. This seems to be the first one that the user didn't send to himself. I have another from one day previous that the user sent to himself that was tagged.
    Return-Path: bounce@sminbound.zappos.com
    Received: from smtp.creativelights.com (LHLO smtp.creativelights.com)
    (10.0.0.1) by smtp.creativelights.com with LMTP; Sun, 25 Apr 2010 10:06:02
    -0500 (CDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by smtp.creativelights.com (Postfix) with ESMTP id B20C59AEB91
    for <michael@creative-lighting.com>; Sun, 25 Apr 2010 10:06:02 -0500 (CDT)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Flag: YES
    X-Spam-Score: 6.211
    X-Spam-Level: ******
    X-Spam-Status: Yes, score=6.211 tagged_above=-10 required=5.4
    tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13,
    DNS_FROM_RFC_DSN=1.495, FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001,
    MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
    Received: from smtp.creativelights.com ([127.0.0.1])
    by localhost (smtp.creativelights.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id jc6XGKoWm0QP for <michael@creative-lighting.com>;
    Sun, 25 Apr 2010 10:05:49 -0500 (CDT)
    Received: from mta1.zappos.com (mta1.zappos.com [208.91.37.20])
    by smtp.creativelights.com (Postfix) with ESMTP id E4E4A9AE8D9
    for <michael@creative-lighting.com>; Sun, 25 Apr 2010 10:05:47 -0500 (CDT)
    Received: from zappos.com ([192.168.66.150])
    by mta1.zappos.com (StrongMail Enterprise 4.1.2(4.1.2-51177)); Sun, 25 Apr 2010 07:53:53 -0700
    X-VirtualServer: zappos, mta1.zappos.com, 192.168.66.222
    X-VirtualServerGroup: zappos
    X-MailingID: 1219874987::129008::1271035955::60800::35910::3591 0
    X-SMHeaderMap: mid="X-MailingID"
    X-Mailer: StrongMail Enterprise 4.1.2(4.1.2-51177)
    X-Destination-ID: michael@creative-lighting.com
    X-SMFBL: bWljaGFlbEBjcmVhdGl2ZS1saWdodGluZy5jb20=
    DomainKey-Signature: a=rsa-sha1;
    c=nofws;
    s=sm;
    d=zappos.com;
    q=dns;
    b=GwlTpcd6vBLRx+KKAYUmr71HG6OAqdn3zrgx87sQKafpYtf7 +3L8hrhJlg1083GlENsiYFA4/TjK8ripYccXtGjScp0nCn4omJZIAJjx1C0tQ8nhnUodLSXAS+F vlVhS4oCByWZI1Tsq7mqLY4xPNy5DYzrcfbNOmDzufZ6j6uc=
    DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=zappos.com; s=sm;
    i=@zappos.com; h=Content-Transfer-Encoding:Content-Type:Reply-To:
    MIME-Version:Message-ID:Subject:Date:To:From; bh=rCeaaU0rCvpzU36
    yvc+4UB07gtc=; b=p42nZq0rit8Z46eYDa6D0/Yqj0mg0O3yA02cGk2GRojgcfF
    amxFGY4nNdWlgN7CfPGUOJwMyTQZlS5VdgH2Uy1ggS3OMWcV09 3OYoCRYQk/Wrpj
    08B3Y2bsfG9Ag8pDNDZLqdg1i31hwEpT7ucv6pH12UPDWdEZrP WHRjbHANhs=
    Content-Transfer-Encoding: 7bit
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_0FF_C71C_7ABF196A.5E4DB968"
    Reply-To: <customerservice@zappos.com>
    MIME-Version: 1.0
    Message-ID: <1219874987.35910@zappos.com>
    Subject: [SUSPECT]Your Zappos.com Password
    Date: Sun, 25 Apr 2010 07:53:39 -0700
    To: michael@creative-lighting.com
    From: Zappos.com <customerservice@zappos.com>


    ------=_NextPart_0FF_C71C_7ABF196A.5E4DB968
    Content-Type: text/plain;
    charset="UTF-8"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: inline


    Quote, originally posted by uxbod:
    Unfortunately you cannot, as the Bayes database is shared between all users. What we could really do with seeing is the headers from one of those emails. It could be that another rule is triggering, and not actually the Bayes scoring them incorrectly.
    Last edited by rickvv; 04-27-2010 at 05:53 AM. Reason: found headers

  4. #4

    Here's one that user sent to himself via a Zimbra DistributionList. AMAvis tagged it? (Hmm...something about "FH_DATE_PAST_20XX=3.188" looks suspicious. Would this be the time setting on his laptop?)
    ===
    Return-Path: michael@creative-lighting.com
    Received: from smtp.creativelights.com (LHLO smtp.creativelights.com)
    (10.0.0.1) by smtp.creativelights.com with LMTP; Sat, 24 Apr 2010 12:59:42
    -0500 (CDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
    by smtp.creativelights.com (Postfix) with ESMTP id 71B03114069;
    Sat, 24 Apr 2010 12:59:42 -0500 (CDT)
    X-Virus-Scanned: amavisd-new at
    X-Spam-Flag: YES
    X-Spam-Score: 5.831
    X-Spam-Level: *****
    X-Spam-Status: Yes, score=5.831 tagged_above=-10 required=5.4
    tests=[AWL=0.370, BAYES_20=-0.74, DNS_FROM_OPENWHOIS=1.13,
    FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905,
    RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]
    Received: from smtp.creativelights.com ([127.0.0.1])
    by localhost (smtp.creativelights.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id BK3j0wmVWNoS; Sat, 24 Apr 2010 12:59:33 -0500 (CDT)
    Received: from smtp.creativelights.com (localhost.localdomain [127.0.0.1])
    by smtp.creativelights.com (Postfix) with ESMTP id 2E95A11404F
    for <allsales@creative-lighting.com>; Sat, 24 Apr 2010 12:59:33 -0500 (CDT)
    Date: Sat, 24 Apr 2010 12:59:33 -0500 (CDT)
    From: Michael Minsberg <michael@creative-lighting.com>
    To: AllSales <allsales@creative-lighting.com>
    Message-ID: <20370157.41272131510203.JavaMail.SYSTEM@acerlap >
    In-Reply-To: <880813.748601272127256648.JavaMail.root@smtp>
    Subject: [SUSPECT]Fwd: recessed and track lighting
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
    boundary="----=_Part_4_19318917.1272131510187"
    X-Originating-IP: [75.161.143.120]

    ------=_Part_4_19318917.1272131510187
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit

  5. #5

    You suffer from two known bugs in SPAM-detection (FH_DATE_PAST_20XX=3.188) and (DNS_FROM_OPENWHOIS=1.13).

    See the Sticky thread in this forum "[SOLVED] FH_DATE_PAST_20XX - Spamassassin bug - incorrect tagging from Jan 1, 2010" and search forums/bugzilla for DNS_FROM_OPENWHOIS.

    Bug ID: 45625 - Bug 45625 – remove OPENWHOIS references from spamassasin config

  6. #6

    One more thing. User is on ZimbraDesktop client, not standard Web client.
    Sorry to have left that out. Make a difference?
    (I've just asked user to give me time/date from his laptop).
    rickvv

  7. #7

    I just googled that FH_DATE_PAST tag.
    I'll look at what I need to do.
    Might be a good time to take my Zimbra up to 6.x.
    Thanks,
    rickvv

    Quote, originally posted by moren:
    You suffer from two known bugs in SPAM-detection (FH_DATE_PAST_20XX=3.188) and (DNS_FROM_OPENWHOIS=1.13).

    See the Sticky thread in this forum "[SOLVED] FH_DATE_PAST_20XX - Spamassassin bug - incorrect tagging from Jan 1, 2010" and search forums/bugzilla for DNS_FROM_OPENWHOIS.

  8. #8

    In the threads there are quick "work arounds" to fix this before upgrade, i.e. set FH_DATE_PAST_20XX score to 0.0, and for the openwhois there are ways to stop using the obsolete openwhois service.
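
Added example, not written by any poster in this thread: a Python sketch that parses the two X-Spam-Status headers pasted in posts #3 and #4 and recomputes each score with the two rules post #5 names as buggy left out. The function names and the `SAMPLES` dictionary are illustrative assumptions; the header text is copied from the posts above.

```python
import re

# Rules that post #5 identifies as known-buggy in this SpamAssassin setup.
BUGGY_RULES = {"FH_DATE_PAST_20XX", "DNS_FROM_OPENWHOIS"}

# Sample input: X-Spam-Status headers copied from posts #3 and #4, folding kept.
SAMPLES = {
    "zappos": """X-Spam-Status: Yes, score=6.211 tagged_above=-10 required=5.4
 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13,
 DNS_FROM_RFC_DSN=1.495, FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001,
 MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]""",
    "allsales": """X-Spam-Status: Yes, score=5.831 tagged_above=-10 required=5.4
 tests=[AWL=0.370, BAYES_20=-0.74, DNS_FROM_OPENWHOIS=1.13,
 FH_DATE_PAST_20XX=3.188, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905,
 RCVD_IN_SORBS_DUL=0.877, RDNS_NONE=0.1]""",
}

def parse_spam_status(header):
    """Return (score, required, {rule: points}) from an X-Spam-Status header."""
    flat = re.sub(r"\s+", " ", header)  # unfold continuation lines
    score = float(re.search(r"\bscore=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", flat).group(1))
    tests = {}
    m = re.search(r"tests=\[([^\]]*)\]", flat)
    for item in (m.group(1).split(",") if m else []):
        name, _, pts = item.strip().partition("=")
        if name and pts:
            tests[name] = float(pts)
    return score, required, tests

def rescore(header, ignore=BUGGY_RULES):
    """Recompute the score as if the rules in `ignore` were scored 0."""
    score, required, tests = parse_spam_status(header)
    adjusted = round(sum(p for r, p in tests.items() if r not in ignore), 3)
    return {
        "original": score,
        "required": required,
        "removed": {r: p for r, p in tests.items() if r in ignore},
        "adjusted": adjusted,
        "still_spam": adjusted >= required,
        # Per-rule points should add up to the reported score; a mismatch
        # means the header was truncated or mangled when it was pasted.
        "consistent": abs(sum(tests.values()) - score) < 0.01,
    }

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, rescore(hdr))
```

With the two rules excluded, both messages score well under the `required=5.4` threshold shown in the headers.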
