Bayesian Filtering - Anyone Had Issues
Question asked by Shaun Sizen - 2/23/2016 at 9:18 AM
Just applied the latest rules from Bruces fine document (Thanks for that Bruce). When I use the Bayesian filter I get a lot of possible low spam, some are ones like e-Bay messages or purely legit emails. At present we are not deleting these to make sure we are ok.
Anyone had similar false positives with this filter? From what I have read its worth having

3 Replies

Reply to Thread
Shaun Sizen Replied
And another, I have my low set to 10 but an email came in with a score of 4 and got flagged as possible spam?
[2016.02.23] 17:05:23 [16063] Spam check results: [BARRACUDA - BRBL: passed], [CBL ABUSE SEAT: passed], [HOST KARMA BLACKLIST: passed], [RFC2 REALTIME LIST: passed], [SORBS 02 - HTTP: passed], [SORBS 03 - SOCKS: passed], [SORBS 05 - SMTP: passed], [SORBS 08 - BLOCK: passed], [SORBS 09 - ZOMBIE: passed], [SORBS 11 - BAD CONFIG: passed], [SORBS 12 - NOMAIL: passed], [SORBS 13 - NOSERVER: passed], [SPAMCOP: passed], [SPAMHAUS - PBL 1: passed], [SPAMHAUS - PBL 2: passed], [SPAMHAUS - SBL 1: passed], [SPAMHAUS - SBL 2: passed], [SPAMHAUS - XBL 1: passed], [SPAMHAUS - XBL 2: passed], [SPAMHAUS - XBL 3: passed], [SPAMHAUS - XBL 4: passed], [SPAMHAUS - ZEN: passed], [SPAMRATS: passed], [SURRIEL: passed], [VIRUSRBL - MSRBL: passed], [_REVERSEDNSLOOKUP: passed], [_SPF: Pass], [_DK: None], [_DKIM: Pass], [NO ABUSE: passed], [NO POSTMASTER: passed], [SEM-URIBL: passed], [SEM-URIRED: passed], [SORBS 04 - MISC: passed], [SORBS 06 - RECENT: passed], [SORBS 07 - WEB: passed], [SORBS 10 - DYNAMIC IP: passed], [SPAMCOP WEB: passed], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - PHISHING: passed], [UCE PROTECT LEVEL 1: passed], [UCE PROTECT LEVEL 2: failed], [UCE PROTECT LEVEL 3: failed], [URIBL - BLACK: passed], [URIBL - GREY: passed], [URIBL - MULTI: passed], [URIBL - RED: passed]
Failed on UCE 2 and 3 which a lot seem to??
Scarab Replied
To your first question, Bayesian Filtering is based on what your SmarterMail users are manually flagging as Spam in the web-mail interface. It looks for keywords common to those messages previously flagged and applies it towards new messages. Most of the time Bayesian Filtering is pretty good, but if you have a user who routinely flags literally *EVERYTHING* as Spam it can "poison the well" so to speak and cause a number of false-positives (which depending upon how you score Bayesian Filtering it generally isn't a problem for Incoming but it can especially be for Outgoing).
In your second example, that message also was flagged as [DK: none], which I'm suspecting you have DomainKeys: None set to score a 6 or higher. (Which as DomainKeys has been deprecated with the widespread adoption of DKIM instead, most mail won't have DomainKeys any longer, so you wouldn't want to score DomainKeys: None at all, although you can still score DomainKeys: Fail.)

As for UCE2 and UCE3 a lot of IP Blocks get on these lists (as these are "never forgive, never forget" lists that do not allow delisting) and MOST DEFINITELY WILL have a high percentage of false-positives. If you score them low, such as 4 and 2 respectively, emails from an IP that is listed won't be flagged with a low probability unless they are listed on another RBL. (Make sure not to ever mark these two RBLs as "Enabled for Blocking"!) 
Shaun Sizen Replied
Hi Scarab
Ah thanks, almost all our users are on Outlook so I guess Bayesian will not be effective in that case, I will disable.
On the DK:None I have the none weight at zero, the only score is for fail and thats 5, I have Pass 0 / Fail 5 / None 0
Top tip re UCE, I only score 2 for fail for each so would need some other score to add up.
Thanks for your help, really appreciated

Reply to Thread