Guardian Digital Inc. > InfoCenter > Mailing List Archives > Amavis

Amavis Mailing List Archive

From: Clifton Royston (cliftonr@tikitechnologies.com)
Date: Wed Dec 29 2004 - 20:34:39 EST

On Wed, Dec 29, 2004 at 05:54:01PM -0500, Cory Coager wrote:
> I am pretty new to amavisd-new (2.2.1) and have had a big headache trying to
> get it installed and everything working. The problems I am having are with
> the spam filters using both SpamAssassin (3.0.2) and dspam (3.2.3). I have
> found the following issues:
> 1) I have the web cgi frontend installed for dspam so I can see each message
> being passed through the filter. I have found that on some messages dspam
> will get trained twice on the same message, contradicting itself! The first
> pass would say its Innocent, then a few seconds later it says its actually
> Spam. It took me awhile to figure it out but if you look in the executable
> for amavisd around line 11086, sub spam_scan, you will see the following:
> > if ( $spam_level > 5.0 && $dspam_result eq 'Innocent') {
> > $eat = 'SPAM'; push(@options, qw(--class=spam --source=error));
> > # @options = qw(--stdout --addspam); # dspam < 3.0
> > }
> > elsif ($spam_level < 1.0 && $dspam_result eq 'Spam') {
> > $eat = 'HAM'; push(@options, qw(--class=innocent --source=error));
> > # @options = qw(--stdout --falsepositive); # dspam < 3.0
> > }
> So basically every message with more than 5 points from SA is always spam,
> and less than 1 point is always Innocent and dspam is wrong otherwise. Why
> is this so?
So dspam can get some basic/initial training based on the SA results.
The problem is the thresholds chosen for it aren't very well-selected
IMHO; 1 is too high and 5 is too low. I'd go for something more like
0 and 9.

I have a patch to make it easily configurable from amavisd.conf, but I
didn't contribute it in time for amavisd 2.2.1 because I wanted to work
on it a bit more. (It's a pretty trivial patch as it stands.)

> 2) In sub check_mail around line 6398 you will see:
> > } elsif ($spam_presence_checked) {
> > do_log(5, "spam_presence cached, skipping spam_scan");
> > } else {
> This is causing some duplicate messages not to be spam scanned at all or
> causing spam headers to be missing. IMO I'd like every message to be
> scanned, wouldn't this be better as an option in the config?
It would be nice as an option. According to Mark you can however set
the cache time variable to 0 to disable the caching. (I don't recall
which variable this is.)

> 3) After processing quite a few emails I have found that dspam doesn't
> actually do anything with SA present. If they have different opinions on
> whether an email is spam/ham, SA always wins the arguement. Is this true?
Amavisd *only* does its action based on the SA score.

You need to add an SA rule to score the dspam results; or you need to
do your own testing and handling of the dspam results "downstream".

> 4) I have setup amavisd to use quarantine and changed $QUARANTINEDIR to use
> dspam's mailbox so I can use their web frontend to process quarantine. The
> problem is when a message gets quarantined, none of the dspam headers are
> present! This causes 2 big problems, 1) all the rating percentages are 0%
> because DSpam-Confidence is missing and 2) delivering a quarantine message
> (because it is not spam) throws it back in the quarantine because retraining
> dspam on that message fails since the headers are missing (--source=error
> relies on DSPAM headers or it fails).

  Yes, amavisd quarantines pristine messages, which is not what you
want in connection with dspam. You probably do not want to use
quarantine without either hacking amavisd to throw in the dspam headers
on quarantining, or setting up an alternate quarantine which doesn't
rely on amavisd.

  If delivering a message out of quarantine sends it through either
amavisd or dspam again, you have a different configuration problem, but
that's another issue.
  This is a non-issue for me because in my trial integration of dspam
and amavisd (into a proprietary antispam system) I have a different
quarantine system "downstream".

> I'm not sure if this is the correct place to bring these issues up but
> perhaps someone can give me some feedback on this. Thanks!

  Hope this helps some.

  -- Clifton

          Clifton Royston  --  cliftonr@tikitechnologies.com 
         Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed?  Did you ever walk with ten cats on your head?
  Did you ever milk this kind of cow?  Well we can do it.  We know how.
If you never did, you should.  These things are fun, and fun is good.
                                                                 -- Dr. Seuss
The SF.Net email is sponsored by: Beat the post-holiday blues
Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
AMaViS-user mailing list

[ About Guardian Digital ] - [ Press Center ] - [ Contact Us ] - [ System Activation ] - [ Reseller Info ] - [ Online Store ] - [ Site Map ]
Copyright (c) 2000 - 2004 Guardian Digital, Inc. Linux Lockbox and EnGarde are Trademarks of Guardian Digital, Inc.