DirectAdmin SpamAssassin training

I have recently signed up for a new account, which has a DirectAdmin panel. I am wondering about the ideal way to configure SpamAssassin.

DirectAdmin provides several options for where spam is sent:

  1. Inbox (don’t block it)
  2. Redirect it to the catch-all spam folder in your main IMAP account (default)
  3. Send the spam to the user’s spam folder
  4. Delete the spam

If I select option 2, where is spam sent? What is my “main IMAP account”?

I am also curious about training SpamAssassin. Is SpamAssassin configured to monitor specific folders in my accounts to train its bayes filter to learn spam and ham (i.e. via sa-learn)? Or can it be configured to do so?

I am guessing that the answer to those questions is “no”, but I figure it’s worth asking!

Heya,

We actually use rspamd on the DirectAdmin servers. It will translate your SA config to rspamd. Your main IMAP account is DAusername@firstdomain.com. While rspamd has an option to learn spam, we’ve noticed it will only serve as amplification to the normal rules, because the normal rules are what dictate if an email is spam anyway. I don’t think there’s an option to manually feed it from the user’s spam folder.

I have a followup question: Does MXRoute’s system delete the most obvious spam before it reaches my account?

After monitoring my mailbox for a couple of days since switching to MXRoute, I have noticed that the total number of spam messages I receive each day has decreased from about 100 to 25.

I have another followup question :grimacing:

Emails from a dozen or so legitimate mailing lists I subscribe to are being consistently identified as spam by rspamd.

I have whitelisted the From addresses in DirectAdmin’s SpamAssassin settings in the format *@example.com, but the whitelist doesn’t seem to work?

A broader question is why are these emails being misidentified as spam? They are legitimate mailing lists (nothing remotely spammy) being sent by Mail Chimp and other list management applications. I am glad to provide examples if you think it will assist in improving your spam filters.

In this case the SpamAssassin configuration is translated over for rspamd and has some limitations. I think this may help explain it a bit: https://directadmin.com/features.php?id=2338

As far as false positives, what kind of score ranges are we looking at? Feel free to DM me on here with any samples. You can take the full email headers/body and paste at paste.ee if you’d like, as that keeps the samples in a good format.


Thanks for the explanation about wildcards. I will whitelist full email addresses instead.

I will DM you a couple of examples of false positives for you to look at if you have time.

I’ve been whitelisting the full From address rather than a wildcard, e.g. hello@sidebar.io rather than *@sidebar.io, but rspamd is still flagging almost every mailing list I subscribe to (dozens) as spam. I’m not convinced that the whitelist is doing anything at all?

To be fair it’s very difficult to determine the difference between a desired newsletter and an undesirable one, when you break apart the common factors.

I’m not sure about the whitelist, but I’ll see what I can gather from some tests.

Thanks for the speedy reply Louis.

It sounds like “Send the spam to the user’s spam folder” is the best option for me, so that I can monitor spam within individual accounts.

Thanks for confirming that it is not possible/desirable to train the spam filter.

I have been testing MXRoute with an old address that receives a lot of spam. With a SpamAssassin threshold of 5.0 about 80% of spam messages are making it to the inbox. As a user is there anything I can do to improve the effectiveness of spam detection?

For example, spam messages with subjects like “Health Insurance Offer”, “Life Insurance Offer” and “Money Map Press” had negative SpamTally scores and were delivered to the inbox. By contrast, a message from a mailing list to which I subscribe (Comixology) had a SpamTally score of 0 and was flagged as spam.

As these DA servers are a bit new, the rspamd installations haven’t done much learning yet. Over time they will improve, and I’ll be making improvements to them over time as well. For the most part I’ve left defaults in place for the rspamd configuration globally so that I could observe results and user experiences, so hearing yours does help me to gauge the value and direction of adjusting the global configuration.

I suppose the short version of what I’m trying to say is hang in there, and keep the feedback coming as it’s quite helpful.


It does reject at a high threshold. Ideally that threshold should be reserved for incredibly obvious spam (that an algorithm can catch) or senders who have made such offensive mistakes that they probably don’t reach many of their recipients (rarely a legitimate sender does really bad things - like a “-all” on SPF and then sending from an IP not in their SPF).

Right now that rejection is at a 15 score in rspamd. It doesn’t catch much, as I’d like to let users control most of that (within reason of course, as no global rejection is a time bomb). Here’s a look at the last few days on Longhorn for example:

[root@longhorn rspamd]# zgrep "2019-09-14" rspamd.log* | grep "(reject)" | wc -l
51
[root@longhorn rspamd]# zgrep "2019-09-13" rspamd.log* | grep "(reject)" | wc -l
39
[root@longhorn rspamd]# zgrep "2019-09-12" rspamd.log* | grep "(reject)" | wc -l
63
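The per-day reject counts in the post above, extended to every action and its score range, as an added example that is not part of the original thread. The log lines are constructed, and the line layout (date first, action in parentheses followed by [score/threshold]) is an assumption modelled on the "(reject)" marker the grep matches.

```python
import re
from collections import defaultdict

# Assumed layout: "YYYY-MM-DD ... (<action>): [<score>/<threshold>] ..."
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) .*?"
    r"\((?P<action>[a-z ]+)\): "
    r"\[(?P<score>-?\d+(?:\.\d+)?)/\d+(?:\.\d+)?\]"
)

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = """\
2019-09-14 03:12:45 #1201(normal) <a1b2c3>; task; id: <m1@example.net>, (default: T (reject): [17.20/15.00] [...]), len: 2048
2019-09-14 03:15:02 #1201(normal) <b2c3d4>; task; id: <m2@example.net>, (default: T (add header): [7.40/15.00] [...]), len: 5120
2019-09-14 03:40:30 #1201(normal) <c3d4e5>; task; id: <m3@example.net>, (default: T (add header): [9.10/15.00] [...]), len: 900
2019-09-14 04:01:17 #1201(normal) <d4e5f6>; task; id: <m4@example.net>, (default: F (no action): [-1.30/15.00] [...]), len: 3100
2019-09-14 04:01:18 #1201(normal) <000000>; main; constructed line that records no scan result
2019-09-13 22:40:09 #1188(normal) <e5f6a7>; task; id: <m5@example.net>, (default: T (reject): [15.00/15.00] [...]), len: 700
2019-09-13 23:05:51 #1188(normal) <f6a7b8>; task; id: <m6@example.net>, (default: F (no action): [0.00/15.00] [...]), len: 1500
"""


def scan_results(lines):
    """Return {day: {action: [scores]}} for lines that record a scan result."""
    out = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # lines without an action/score pair are skipped
            out[m["day"]][m["action"]].append(float(m["score"]))
    return out


def reject_share(results, day):
    """Fraction of that day's scanned messages that were rejected outright."""
    actions = results.get(day, {})
    total = sum(len(scores) for scores in actions.values())
    return len(actions.get("reject", [])) / total if total else 0.0


def score_range(results, day, action):
    """(min, max) score seen for an action on a day, or None if there were none."""
    scores = results.get(day, {}).get(action, [])
    return (min(scores), max(scores)) if scores else None


if __name__ == "__main__":
    results = scan_results(SAMPLE_LOG.splitlines())
    for day in sorted(results):
        counts = {action: len(s) for action, s in results[day].items()}
        print(day, counts, f"reject share {reject_share(results, day):.0%}")
    print("add header range:", score_range(results, "2019-09-14", "add header"))
```

The score range of messages that were flagged but not rejected shows how far below the reject threshold most flagged mail sits, which is the figure to look at before moving either threshold.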

Thanks Jarland. I suspected that the new DirectAdmin setup might still be learning. I look forward to seeing it improve over time :slight_smile:

Good to know. I don’t imagine that all of the rejected messages you found in the logs were intended for me, but it might account for some of the reduction I’ve noticed. Either way, I approve!

What I’ve done today:

Added neural learning with redis cache.
https://rspamd.com/doc/modules/neural.html


Made further adjustments tonight. Dramatically reduced the positive scoring given to SPF, DKIM, and FCRDNS passes. Given that spammers tend to have no issue meeting these requirements, they should not be weighted as heavily toward the positive.
