ConfigServer Services
Server Management Services from Way to The Web Ltd

My users or I am seeing a lot of spam false positives, legitimate email marked as spam. What is the problem and what should I do?

The first thing to do is check the headers of the emails marked as spam and look at the SpamAssassin (SA) tests that they are being scored on. If they are being marked as spam because of a high SpamAssassin score, you need to either change the scores for certain tests or correct the issue with the email or the sender that is triggering the high score.

If you are seeing a lot of false positives that are scoring on BAYES_95 or BAYES_99, then your bayes database may have been "poisoned" and you might want to remove the bayes database and start fresh. See this FAQ for more information and instructions: https://support.configserver.com/en/knowledgebase/article/im-not-sure-my-bayes-database-is-working-correctly-how-can-i-fix-it

It will take a little time for the bayes database to actually start scoring again because it needs 200 examples of definite spam and non-spam before it can do so.

You might also want to remove the following line from /etc/mail/spamassassin/configserver.cf:

score BAYES_99 5.0

If you are getting false positives that don't seem related to bayes, or if legitimate emails are getting high scores even if you discount the bayes score, then you need to investigate the specific SpamAssassin tests that are causing the email to be marked as spam.
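The Python below is an added example, not ConfigServer's code. It applies the triage described above to a batch of false positives: a message that only crosses the threshold because of its Bayes score counts as Bayes-driven, and for the rest the positive-scoring tests are ranked. The header layout (each test listed with its score, MailScanner-style), the sample headers and their scores, and the function names `parse` and `triage` are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample header values (not real mail). Assumed layout:
# "... score=<total>, required <threshold>, TEST_NAME <score>, ..."
SAMPLE_HEADERS = [
    "spam, SpamAssassin (score=6.1, required 5, BAYES_99 5.00, "
    "HTML_IMAGE_ONLY_12 1.10)",
    "spam, SpamAssassin (score=5.8, required 5, BAYES_95 3.00, "
    "HTML_MESSAGE 0.00, MIME_HTML_ONLY 2.80)",
    "spam, SpamAssassin (score=7.5, required 5, BAYES_50 0.80, "
    "HTML_IMAGE_ONLY_12 3.20, MIME_HTML_ONLY 3.50)",
    # Folded across two lines, as long headers are in a raw message.
    "spam, SpamAssassin (score=5.5, required 5,\n\t"
    "HTML_IMAGE_ONLY_12 3.20, MIME_HTML_ONLY 2.30)",
]

PAIR = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+(-?\d+(?:\.\d+)?)")
REQUIRED = re.compile(r"required[ =](-?\d+(?:\.\d+)?)")

def parse(header):
    """Return (required score, {test name: score}) for one header value."""
    header = " ".join(header.split())  # unfold continuation lines
    match = REQUIRED.search(header)
    if match is None:
        raise ValueError("no 'required' threshold in header")
    return float(match.group(1)), {n: float(s) for n, s in PAIR.findall(header)}

def triage(headers):
    """Count Bayes-driven false positives; rank the tests behind the rest."""
    bayes_driven, rule_scores = 0, Counter()
    for header in headers:
        required, tests = parse(header)
        other = {n: s for n, s in tests.items() if not n.startswith("BAYES_")}
        if sum(other.values()) < required:
            bayes_driven += 1  # only over the threshold because of Bayes
        else:
            # Still spam with Bayes discounted: these tests need investigating.
            rule_scores.update({n: s for n, s in other.items() if s > 0})
    return bayes_driven, rule_scores.most_common()

if __name__ == "__main__":
    count, ranked = triage(SAMPLE_HEADERS)
    print(f"{count} of {len(SAMPLE_HEADERS)} false positives are Bayes-driven")
    for name, total in ranked:
        print(f"{name:24} {total:5.2f}")
```

A high Bayes-driven count points at the bayes database; the ranked list gives the test names to grep for in the .cf files.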

The SpamAssassin website has information about some of the tests. Check http://spamassassin.apache.org/tests_3_3_x.html.

Also, you can look at the SpamAssassin .cf files on your server for more information. The default .cf files are in the directory /var/lib/spamassassin/3.003001/updates_spamassassin_org. There may also be rules in /etc/mail/spamassassin. (The 3.00x00x refers to the version of SpamAssassin you are running, so it may be an earlier or later version.)

Grep for the test name to find the specific file to look in. For example:

grep HTML_IMAGE_ONLY_12 /var/lib/spamassassin/3.003001/updates_spamassassin_org/*

Then look in the file(s) referred to in the output, to find out what in the email is causing it to be marked as spam. If possible you can then change the way the email is constructed or sent to avoid tripping that test, or you can lower the score for that test. Of course, by reducing the score you also risk letting through more actual spam.

To change the score for a test, do NOT modify it in the original .cf file where you found the test. (It will be overwritten by any SpamAssassin rules update.) Instead, add your modified scores to /etc/mail/spamassassin/configserver.cf. You should use the following format:

score TEST_NAME 1.0

The word "score" is required on each line. The number after the test name is the score you want to use *instead* of what it is currently using.

