Quote Originally Posted by alivebyscience View Post
See chart below... Can anyone explain the chart contents? But first, here's my results after making the changes found in this discussion.

Tag %: 30
Kill %: 70
No RBL, no protocol checks, no dns checks (these got disabled from the installed defaults somehow).

Tag %: 27 (can't change too much at once)
Kill %: 70
-->True. Better to make small changes and monitor.

Mine are at 60/20, which in Spamassassin scoring ( looking at header scores ) are anything 4 and over, goes to users junk folder and anything 12 and over, gets dropped.

I also put this in my 'root' crontab:
0 17 * * *  grep -B 1 'dropped' /var/log/messages | mail -s DroppedMail your.name@domain.com
0 12 * * *  grep -B 1 'dropped' /var/log/messages | mail -s DroppedMail your.name@domain.com
0 7  * * *  grep -B 1 'dropped' /var/log/messages | mail -s DroppedMail your.name@domain.com
Above sends me an e-mail at different times of the day to what's dropped by spamassassin.
Little easier than logging in every couple of hours and checking. ;-)

Quote Originally Posted by alivebyscience View Post

All protocol checks enabled
DNS check only enabled for reject_unknown_sender_domain
RBLs enabled:
reject_rbl_client dnsbl.njabl.org
reject_rbl_client cbl.abuseat.org
reject_rbl_client bl.spamcop.net
reject_rbl_client dnsbl.sorbs.net
reject_rbl_client zen.spamhaus.org
reject_rbl_client relays.mail-abuse.org
-->Am important note here, Turning on RBL's in the above command
'reject_rbl_client' drops/blocks via postfix, not by spamassassin scoring.
By default there is no logging in postfix to '/var/log/messages' unless you enable it so if you enable 'reject_rbl_client' , be nice to see what you are dropping.
This is not a Spamassassin thing. This is a drop/allow Postfix thing.
IOW, no matter what level you set the 'Tag %:' and 'Kill %:' at, they will not affect this, since the ' reject_rbl_client' command outright rejects the sender via Postfix.

To enable Postfix messages to /var/log/messages

vi /etc/syslog.conf
<insert after the lines:  
# Everybody gets emergency messages

mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                     /var/log/mail.err

I did this for the first week or two and then removed all of the 'reject_rbl_client' commands and let Spamassassin do it's job.
Once Spamassassin and DSPAM get trained, shouldn't need them anyway.
Spamassassin already uses the RBL DNS lists to score spam.

Quote Originally Posted by alivebyscience View Post

DSPAM score increment is 1.5 (it was that already)
Added SARE rules for stocks, adult and BML
Modified the GIF attach and stox values (4.75 and 4.66)
I have also added all of the non-US IP ranges to my Spamassassin config.
If anyone wants that list, it's here:
Improving Anti-spam system - ZimbraWiki

Whatever you do, ALWAYS make a copy of the original in your home directory and keep the old version so you can see where you went wrong if something does.
IE: cp salocal.cf.in /home/yourname/salocal.cf.in.2007070801
Year, month, day, change number ( 01, next change would be 02 )
So, if I made 38 changes to the file called salocal.cf.in on July 8th 2007, I would have 38 files: salocal.cf.in.2007070801, salocal.cf.in.2007070802, salocal.cf.in.2007070803, etc.

For each file I modify, I do this.
Then you can always go back and :
 diff salocal.cf.in.2007070802 salocal.cf.in.2007070803
and you'll know what the changes were.

Quote Originally Posted by alivebyscience View Post

Results are here:

The Admin manual describes this chart:
green: # messages checked
blue: # messages tagged
red: # virus identified

Beginning at 1600 yesterday the spam count dropped when I enabled everything I could. You can see me enable and disable combinations until I settled on the above values around 2300. Then starting this morning around 5am you see the ratio of messages to spam widen greatly!!! Especially in contrast to previous hours. You see most hours showing a much higher message to spam ratio, and they track each other. Until I changed the settings.

Chart observations...
What's the flow of a message as it enters the server... postfix to spamassassin to clamav to zimbra mta? There's probably a flow chart in the admin manual.

Since the changes I made at 1600 presumably caused spamassassin to reject more emails, and the count of checked messages in the chart drops at 1600 - That tells me this chart only counts messages that made it through spamassassin. Virus emails and all. So it's not really as the admin guide indicates - it's not messages checked. It's really messages spamassassin didn't kill. The green is the total count of all non-killed emails. The blue is the count of tagged emails (of the total these were tagged). The chart is showing the relationship/ratio between all messages and tagged messages and virus infected messages. It's a theory.

Extending that theory - then the count of tagged messages is lower because the quality (or is it quantity) of kills is better after making changes. Spamassassin is killing emails because it fails a protocol check, or it fails an RBL test, or it fails a SARE rule. So of the emails not killed the ratio of good vs tagged is larger. This is a good sign. But... Good news, bad news. We're now killing a lot of emails that previously scored below the kill factor. Good news. But (damn the bad news), this means users don't have a chance of finding false positives from these additional tests in their Junk folder. Is that really a bad thing? Hmmm. Time will tell if we get a lot of complaints about missing emails that are not in the webmail junk folder.
Yep, reason I don't do RBL's via Postfix. ;-)

Quote Originally Posted by alivebyscience View Post

You can't really see virus counts on this chart - there is some from time to time. Lucky us, huh? (knock on wood).

Thought you might enjoy the view. I think this chart proves the real world value of these changes. My thanks to ScottNelson, and mmorse, and others who have contributed. This stuff is getting us some relief, and results!!! Right on!
Glad we could help. :-)

Anyway, just some other stuff off of the top of my head.......