Tips & Tricks

Marius Gologan

Training Bayes

I'm writing this because understanding the Bayesian (Bayes) filter is critical in environments with high email traffic.
Administering high traffic might be difficult, but having high traffic with rich content is important for learning.

First aspect:
The Bayes learning filter needs at least 200 SPAM messages and 200 HAM messages in order to become active.
Both types of messages (ham and spam) must meet some technical requirements in order to be learned (SPAM: 3 header tokens + 3 body tokens; HAM: only 3 body tokens).
Both SPAM and HAM messages vary in content (even languages differ). Thus, the overall email traffic may vary from one day/week to the next, and from one company to another.

By design, the Bayes filter learns gradually, by itself, from your email traffic.
Let the learning system (Bayes, SpamAssassin) work as it was designed.

Second aspect:
Along with Bayes, network rules play an important role when Bayes is not active (and a less important one after Bayes has become effective).
Network rules (such as IP/URL checks against RBLs) use a delay in order to avoid flooding the providers.

A few spam messages sent in a flood may pass because RBL (network rule) checks are skipped by their safety mechanism. In Scrollout, a well-trained/adjusted Bayes will compensate for these cases.

In the end:
Spam messages that have not been seen before, sent from legitimate sources and containing legitimate elements (IPs, URLs), are the most difficult to catch.
It is not possible to stop all spam messages with 2 hours of work by feeding 200+200 different messages.
The feeder's purpose is to adjust the learning system and cover these occasional cases.
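
To check how far the Bayes database is from the 200 spam + 200 ham minimum described above, the counters printed by `sa-learn --dump magic` can be compared against that threshold. This is an added example, not part of Scrollout F1; the function names are hypothetical and the sample input is constructed to match the `nspam`/`nham` lines that `sa-learn --dump magic` prints.

```shell
#!/bin/sh
# Added example. Real use on the filter host, as the user that owns the Bayes DB:
#   sa-learn --dump magic | bayes_status

MIN_SPAM=200   # minimum learned spam stated on this page
MIN_HAM=200    # minimum learned ham stated on this page

# Reads `sa-learn --dump magic` output on stdin and prints a one-line summary.
# Exit status: 0 = Bayes active, 1 = still learning, 2 = counters not found.
bayes_status() {
    awk -v min_spam="$MIN_SPAM" -v min_ham="$MIN_HAM" '
        # Counter lines look like:
        #   0.000  0  <value>  0  non-token data: nspam
        $NF == "nspam" { nspam = $3; seen_spam = 1 }
        $NF == "nham"  { nham  = $3; seen_ham  = 1 }
        END {
            if (!seen_spam || !seen_ham) {
                print "unknown: nspam/nham counters not found"
                exit 2
            }
            need_spam = (nspam < min_spam) ? min_spam - nspam : 0
            need_ham  = (nham  < min_ham)  ? min_ham  - nham  : 0
            if (need_spam == 0 && need_ham == 0) {
                printf "active: nspam=%d nham=%d\n", nspam, nham
                exit 0
            }
            printf "learning: nspam=%d nham=%d (need %d more spam, %d more ham)\n",
                   nspam, nham, need_spam, need_ham
            exit 1
        }'
}

# Constructed sample input (not taken from a real system).
sample_dump() {
cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0        412          0  non-token data: nspam
0.000          0        157          0  non-token data: nham
0.000          0      61234          0  non-token data: ntokens
EOF
}

sample_dump | bayes_status || true
```

A "learning" result with enough spam but too little ham means Bayes is not scoring yet, so only the network rules are doing the filtering.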

Assign an outbound IP address per domain

Assigning an outbound IP address to a Sender Domain may:
Prevent the default IP from losing reputation when a Sender Domain is not trusted.
Increase delivery/quality by associating an IP with good reputation to a Sender Domain.
Increase limits/time by associating an IP with good throughput to a Sender Domain.
Build reputation for a new IP using a Sender Domain with normal transactions.
Isolate a Sender Domain from being associated with others.

Disclaimer per domain

A disclaimer for each domain can be added in /var/www/disclaimer/domain.com.txt

Useful bounce

You can add a URL page and a phone number for support (web GUI > ROUTE).
These will appear in the returned bounce error.

Instead of a phone number you can add an unfiltered email address such as postmaster@your-domain.com. You can add postmaster@your-domain.com as an alias to your it.department@your-domain.com mailbox on your email server. But postmaster may become a target for spam.

Example:
telnet 192.168.1.234 25
220 ScrolloutF1.scrolloutf1.com ESMTP - Scrollout - Scrollout F1 2012-10-03
test
502-5.5.2 Error: command not recognized
502 5.5.2 For assistance, see www.scrolloutf1.com/contact or contact +40720xxxyyy. Please provide the following information in your problem report: Time: (Jan 30 10:43:07), Client: (192.168.1.9), Server: (ScrolloutF1.scrolloutf1.com).

Tag only. Don't block spam

You can choose to only TAG spam messages, as follows:
1. Go to ROUTE
2. Click on Quarantine
3. Input a score value of 5 in the first field and 999 in the second.
Done.

Quarantine per user (sort of)

After completing the step above (Tag only), users may create a rule for messages containing "Spam:" in the Subject and move those messages to the Spam/Junk folder.