You should certainly look at training spam assassin to increase its effectiveness. I started doing this about a month ago and it is now catching 100% pretty much every day.
For info only, this is the script I use, having searched through the various pages available for inspiration:
#Put your domain here
echo -ne "Only users with scan-spam or scan-ham folders will be processed...\n\n"
for USER in $(ls $DNAME)
if [ -d "$DNAME$USER/.scan-spam/cur" ] ; then
echo "Account: $USER"
[ $(find "$DNAME$USER/.scan-spam/cur/" -prune -empty) ] && echo "..No emails in scan-spam folder" || (
echo -ne "..Learning SPAM\n.."
/usr/local/cpanel/3rdparty/bin/sa-learn --spam $DNAME$USER/.scan-spam/cur/;
rm $DNAME$USER/.scan-spam/cur/* && echo "..and deleted"
if [ -d "$DNAME$USER/.scan-ham/cur" ] ; then
[ $(find "$DNAME$USER/.scan-ham/cur/" -prune -empty) ] && echo "..No emails in scan-ham folder" || (
echo -ne "..Learning HAM\n.."
/usr/local/cpanel/3rdparty/bin/sa-learn --ham $DNAME$USER/.scan-ham/cur/
rm $DNAME$USER/.scan-ham/cur/* && echo "..and deleted"
I'm sure that it can be improved, but it's been doing the job for me and I post it here in case it's of use to anyone else. It is only for courier type email folders. Use at your own risk and only when you understand what it does. Note that it deletes all the emails in the parsed folders.
I put it in the cgi-bin directory, called it sa-learner.sh and it runs from cron every morning:
0 20 * * * /home/username/public_html/cgi-bin/sa-trainer.sh
It will operate on any email account that has a "scan-spam" or a "scan-ham" folder. Other accounts are ignored.
It sends a short result summary email.
Additionally, I have tweaked the spam score trigger value to 4, and, when I was confident in the results, changed the BAYES_99 and BAYES_999 filter scores to 4 (in .spamassassin/user_prefs:
score BAYES_99 4
score BAYES_999 4
Unfortunately the recent upgrade to CP11.5 seems to have disabled the subject line rewriting so it's more difficult to see what has been caught and what's been missed. (The subject used to be changed to "***SPAM*** original subject", now only the X-Spam-Subject: headers are changed) and I haven't been able to find a way to revert to the previous behaviour.
Hope it's helpful to someone. With thanks for all the original pages and contributors that helped me.