Have you checked the headers of any messages to see what they're scored? IF so, you can then adjust the spam weights in your ruleset to take care of them messages: append to the subject line, move to a junk folder or outright delete. Have you tried a trial of Message Sniffer and/or Cyren? 

Spam checking is something that is dynamic. You have to regularly adjust spam checks and dnsbl checks.

some possibilities

Lookup the senders IP in the header, then check that IP on blacklist sites like http://www.mxtoolboxcom or http://multirbl.valli.org/

You might add those lists to your dnsbl checks.

You can also skip all dnsblacklist checks but just use one, https://www.invaluement.com/

@Derek, never advise to delete messages. If messages get deleted that shouldn't be deleted it's because of your advise. Allways advise to quarantaine. If someone chooses to delete messages with a high spam value it's on his own.

Thanks for the reply, Richard. You're spot on about spam checking being dynamic. And just to clarify, I wasn't advising that they delete them, just pointing out that it's an option as some customers prefer that when spam weights are very high compared to others.

Hi Capbrown! Can you post the headers from a few of the spam messages you are seeing? I am positive that I can help. Thanks.

@Richard Frank: Agreed. For example, I see "ham" being afforded very high spam scores in many cases from some political action groups (on all sides of the spectrum), and I'm not talking about "hate" email. Some folk actually want to receive those messages. 

So yes; generally a good idea to quarantine emails unless they are clearly going to cause malicious damage.

Thanks, everyone.  @Linda - here are some of the headers:

1.

Return-Path: <Qatar@info.qatar.com>
Received: from o-bb.net (www4.o-bb.net [219.109.143.249]) by mikewbrown.com with SMTP;
   Thu, 1 Nov 2018 21:21:34 -0500
Received: (qmail 25461 invoked from network); 2 Nov 2018 04:33:22 +0900
Received: from unknown (HELO ?103.207.38.154?) (monma@aworks.co.jp@103.207.38.154)
  by www2.o-bb.net with SMTP; 2 Nov 2018 04:33:22 +0900
Content-Type: multipart/alternative; boundary="===============1415410609=="
MIME-Version: 1.0
Subject: *SPAM* =?utf-8?b?KOKCrDk1MCwwMDAuMDAgRXVyb3M=?=
To: Recipients <Qatar@info.qatar.com>
From: "Qatar Foundation" <Qatar@info.qatar.com>
Date: Fri, 02 Nov 2018 00:25:05 -1100
Reply-To: qatarcharity21@gmail.com
X-Rcpt-To: <a.brown@tttransports.com>
Message-ID: <7e61e9a64c8d4b779e5716207d8afa2d@com>
X-SmarterMail-Spam: SPF_None, Bayesian Filtering, ISpamAssassin 0 [raw: 0], DK_None, DKIM_None
X-SmarterMail-SpamDetail: 0.6 MISSING_MID Missing Message-Id: header
X-SmarterMail-TotalSpamWeight: 10
2.

Return-Path: <noreply@magicneuron.com>
Received: from magicneuron.com (magicneuron.com [188.225.27.175]) by mikewbrown.com with SMTP;
   Thu, 1 Nov 2018 16:32:44 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=key1; d=magicneuron.com;
 h=Date:From:Message-ID:To:Subject:MIME-Version:Content-Type:
 Content-Transfer-Encoding; i=noreply@magicneuron.com;
 bh=ctejU0BEWNnXrGkxNp2RMUMgW2tIu3S02SU05BoLaWw=;
 b=aCSS95Cz10yCkf/OZnZ7iEcPhyZ1JFkaSPZ9bs2ofjoVP6ryDggnOpAYPJJPdRuJ45e4oGOJvWrz
   x8BHdEQajg+DwdS8BTpGLM0+uXvjQo7hpKqgAXmkN7PFVJTLAPKUY48yirLa1uKYseQjp511UYBR
   yxmR38f0nP8y/HzRqTo=
Date: Fri, 2 Nov 2018 4:32:44 +0700
From: "=?utf-8?Q?Lineberry_Fahy?=" <noreply@magicneuron.com>
Organization: qhphc
X-Priority: 3 (Normal)
Message-ID: <7398783092.20181102043244@magicneuron.com>
To: a.brown@tttransports.com
Subject: =?utf-8?Q?Tic=D0=BAet=2394296905_=3Cchristine=40lionet-technologies.com=3E_01-11-2018_11=3A32=3A33_I_highly_recommend_you_to_study_that_letter=2C_just_to_be_sure_nothing_may_happen_?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-SmarterMail-Spam: SPF_Pass, ISpamAssassin 0 [raw: 0], DK_None, DKIM_Pass
X-SmarterMail-TotalSpamWeight: 0
3.
Return-Path: <riel@synd-fire.info>
Received: from synd-fire.info (nwy170.numerousways.com [188.214.192.170]) by mikewbrown.com with SMTP;
   Sat, 27 Oct 2018 08:00:57 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mail; d=synd-fire.info;
 h=From:Date:MIME-Version:Subject:To:Message-ID:Content-Type; i=riel@synd-fire.info;
 bh=RHpaa1qE8brHqTyxzQfnUD/OGqE=;
 b=jyqRBHLYU+JxLKuk8lSpjG2YGYFQccwzcszwhtx1dVIKm+CzRhtV0Fb4WLVtftvQWC4nUY81mqyp
   RvLVlmevv9+Hn6q6tu3G7aE1BMsRm625hUozQ/zP0yQPbQ+g7qTbAc/7yCaRPS9hcrrZIkAlyHpW
   yGAChoE0ysbLCEB1E/s=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mail; d=synd-fire.info;
 b=K4/6RACv2eUxOPAcdPfy/dmXahkOKPPUVi8PQ6yUQWCINnfqutq0YxopBlc7tkT38x29JuyIx85e
   eOSPl/qP30vCiJBQ14fAjmJAOs4iA/IHjhT2fLYouqEWOXLLKSLfmhqCQaZ0+83JLPp6v03iCAMs
   hiWj6qfVpyGSfQgLBRI=;
From: " Alan Moore" <riel@synd-fire.info>
Date: Sat, 27 Oct 2018 00:07:14 -0500
MIME-Version: 1.0
Subject: Im now down 30 this month and still going
To: <a.brown@tttransports.com>
Message-ID: <uPNJRAJ4w10srDMUEAsgA3DeV3IcVD5wP89fpz3wkt4.1wKCZHI1ZQ87baA7GhV6tW4vVtFJtiVXZmn8pQFDCcs@synd-fire.info>
Content-Type: multipart/alternative;
 boundary="------------102692239128694586469662"
X-SmarterMail-Spam: SPF_Pass, ISpamAssassin 0 [raw: 0], DK_Pass, DKIM_Pass
X-SmarterMail-TotalSpamWeight: 0

@Linda, let me know if you need more.  I have hundreds.
Thanks, George Anne Brown

Invaluement is a dns blacklist service https://www.invaluement.com/

When you don't know how to add dnsbl to spam checks you should learn more about adding RBL in the knowledge base.

Thanks for the headers Cap. It looks like you may want to add Declude (it is free of charge and you can get it from our website here: http://mailsbestfriend.com/downloads/) and you may want to also think about an add-on product like Message Sniffer which will make a huge difference in the amount of spam you receive. If you have any questions about either of these programs, please let me know and I will be happy to assist further.

    I found an article from here: https://support.klhost.com/knowledgebase.php?action=displayarticle&id=26

providing a link to download SpamAssassin Virtual Appliance created by SmaterTools. Though it's a pretty old 

version: 

        CentOS 4.6 (Linux kernel 2.6.9-67.0.1.EL) 

        Webmin 1.390  

        SpamAssassin 3.2.4 

        ClamAV 0.92 

        Razor 2.84 

        DCC 1.3.80

    

    And I also quickly installed a standalone Ubuntu and enabled SpamAssassin yesterday. It's quite easy, you 

need to allow remote access to spamd service.  You will need to edit /etc/default/spamassassin  file, and 

change the following options to something like :

OPTIONS="-d -i 0.0.0.0 -A 192.168. --create-prefs --max-children 5 --max-conn-per-child=128 --username spamd --helper-home-dir -s /var/log/spamassassin/spamd.log"

    Then go to admin page to enable remote SpamAssassin. Hope this does help.

rds

Juan Lai

Also at my side. Spam detection is inaccurate.