Review all SpamAssassin hits across a set of messages?

[rct]

1. Is there a way to review a history of all of the SpamAssassin hits across messages so I can see which SA rules are having the largest impact?

2. Is there a somewhat straightforward way to find the SpamAssassin scores and/or hits for messages that users have removed from Spam Quarantine by clicking deliver or welcome list?

Ideally I'd like to be able to see a histogram of the SA hits across a set of messages so I can find the largest contributors.

This is my first week running PMG. I'm getting more false positives than I would like, which seem to be primarily due to very high KAM_* scores. These are single rules that give a score of 7, 9, 12, so any single hit immediately quarantines messages.

For example, some mail received has been forwarded by a Gmail forwarding rule. KAM_DMARC_REJECT with a score of 7.0, because it thinks the DKIM signature is invalid. The original DKIM signature was valid but because the message was forwarded, the signature will no longer match.

Another big contributor is KAM_FROM_URIBL_PCCC and KAM_BODY_URIBL_PCCC each with a score of 9.0. The Raptor PCCC list used by the KAM rules seems to be full of URIs that cover legitimate newletters and marketing emails.

I don't want to have to keep digging through message by message if I can do something smarter.

Thanks!

 

[rct]

I asked:

Is there a somewhat straightforward way to find the SpamAssassin scores and/or hits for messages that users have removed from Spam Quarantine by clicking deliver or welcome list?

What I've been able to observe/figure out so far is that the tracking center in the UI doesn't have any record of messages being marked manually for delivery by a user.

There is a log message generated by pmgdaemon:

pmgdaemon[757]: delivered quarantined mail 'C0R154T126507671' (/var/spool/pmg/spam/69/221BF6569C68C592C369) to user@domain

But pmg-log-tracker and therefore the Web UI tracking center, doesn't pick that up.

So tha manual process is:

1. Take the ID from the /var/spool/pmg/spam/ file name 221BF6569C68C592C369 for this example

2. Find the line where the message was moved to spam quarantine. It is the only other log like that has that ID that can be used to tie these events together grep 221BF6569C68C592C369 /var/log/syslog

pmg-smtp-filter[143111]: 1157E0E69C68C5728188: moved mail for <user@domain> to spam quarantine - 221BF6569C68C592C369 (rule: Quarantine/Mark Spam (Level 5))

3. The ID from the pmg-smtp-filter line 1157E0E69C68C5728188 can now be used with pmg-log-tracker or grep to find the related line including the SA Score.

This seems like a lot of work, I hope there is an easier way.

To me this use case of trying to find the SpamAssassin rules that quarantined messages that users have determined aren't spam seems like a useful approach, but maybe I'm missing something?