The first thing to do is check the headers of the emails marked as
spam and look at the SA tests that they are being scored on. If they are
being marked as spam because of a high spamassassin score, you need to
either change the scores for certain tests or correct the issue with the
email or the sender that is triggering the high score.
If you are seeing a lot of false positives that are scoring on
BAYES_95 or BAYES_99, then your bayes database may have been "poisoned"
and you might want to remove the bayes database and start fresh. See this FAQ for more information and instructions: https://support.configserver.com/en/knowledgebase/article/im-not-sure-my-bayes-database-is-working-correctly-how-can-i-fix-it
It will take a little time for the bayes database to actually start
scoring again because it needs 200 examples of definite spam and
non-spam before it can do so.
You might also want to remove the following line from /etc/mail/spamassassin/configserver.cf:
score BAYES_99 5.0
If you are getting false positives that don't
seem related to bayes,
or if legitimate emails are getting high scores even if you discount the
bayes score, then you need to investigate the specific SpamAssassin
tests that are causing the email to be marked as spam.
The SpamAssassin website has information about some of the tests. Check http://spamassassin.apache.org/tests_3_3_x.html
Also, you can look at the SpamAssassin .cf files on your server for
more information. The default .cf files are in the directory
/var/lib/spamassassin/3.003001/updates_spamassassin_org. There also may
be rules in /etc/mail/spamassasssin). (The 3.00x00x refers to the
version of SpamAssassin you are running so it may be an earlier or later
Grep for the test name to find the specific file to look in. For example:
grep HTML_IMAGE_ONLY_12 /var/lib/spamassassin/3.003001/updates_spamassassin_org/*
Then look in the file(s) referred to in the output, to find out what
in the email is causing it to be marked as spam. If possible you can
then change the way the email is constructed or sent to avoid tripping
that test, or you can lower the score for that test. Of course, by
reducing the score you also risk letting through more actual spam.
To change the score for a test, do NOT modify it in the original .cf file
where you found the test. (It will be overwritten with any spamassassin
rules updates.) Instead, add your modified scores to
/etc/mail/spamassassin/configserver.cf. You should use the following
score TEST_NAME 1.0
The word "score" is required on each one. The number after the test
name is the score you want to use *instead* of what it is currently