You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Joe Kletch <jo...@kletch.com> on 2005/04/26 16:54:03 UTC
Need help interpretting score
Reference header text below "3.7 AWL AWL: From: address is in the auto
white-list" why is something in the auto whitelist scoring positive?
Shouldn't this be adding negative points?
Thanks,
Joe Kletch
---
X-AOL-IP: 205.188.162.5
X-Spam-Prev-Subject: Breakfast menu card
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on
mail.burtonmayer.com
X-Spam-Level: ***
X-Spam-Status: Yes, score=3.7 required=3.5 tests=AWL,BAYES_50,
MSGID_FROM_MTA_HEADER,NO_REAL_NAME,SPF_HELO_PASS autolearn=no
version=3.0.2
X-Spam-Report:
* 0.0 NO_REAL_NAME From: does not include a real name
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5064]
* 0.1 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
* 3.7 AWL AWL: From: address is in the auto white-list
Re: Need help interpretting score
Posted by Matt Kettler <mk...@evi-inc.com>.
Joe Kletch wrote:
>
> Thinking I should check the auto white-list I looked for the tools on
> my FreeBSD 5.3 box running SA 3.02 and no tools exist. Nothing in the
> ports tree--so I loaded the RPM port and then set to load the RPM
> Package, however it complained about a bunch of missing dependencies
> and I got cold feet.
>
> Anyone know the status of porting spamassassin-tools-3.0.0-1.i386 to
> FreeBSD 5.3?
>
> I really do not want to get to far into the RPM install on this
> production machine.
>
>
Really the tools don't require much in the way of installation beyond
having the same version of SpamAssassin installed correctly.
You should be able to safely grab the scriptfiles out of the tools
subdirectory of a SA 3.0.2 tarball and they should work with your ported
version of SA.
There's no real magic to them, they're just very simple perl scripts
that invoke the SA perl APIs. As long as the SA APIs are installed so
your version of perl can find them, check_whitelist, etc should just run.
Re: Need help interpretting score
Posted by Joe Kletch <jo...@kletch.com>.
On Apr 26, 2005, at 10:46 AM, Matt Kettler wrote:
> Joe Kletch wrote:
>
>>
>> On Apr 26, 2005, at 10:13 AM, Matt Kettler wrote:
>>
>>>
>>
>> Off color Jokes are rampant in this organization from the CEO down.
>> I'm sure the auto-learn dbs are quite confused. I'll probably raise
>> the threshold and keep requesting header of FPs.
>
> Really, off-color jokes shouldn't be hitting more than 3.0, certainly
> not high enough to average 7.4. It's actually pretty hard to make a
> nonspam message score high unless you use GTUBE.
>
> Most of the porn rules are 1.5 and less. Even having a subject line
> declaring the email to be sexually explicit will get you at most 2.9
> points.
>
> I'd check for the sender in question doing something like forwarding
> all
> their email to another account using a client-side script that makes it
> look like they sent the message. This would re-send all their spam and
> rack them up quite an AWL score.
>
>
>
Thinking I should check the auto white-list I looked for the tools on
my FreeBSD 5.3 box running SA 3.02 and no tools exist. Nothing in the
ports tree--so I loaded the RPM port and then set to load the RPM
Package, however it complained about a bunch of missing dependencies
and I got cold feet.
Anyone know the status of porting spamassassin-tools-3.0.0-1.i386 to
FreeBSD 5.3?
I really do not want to get to far into the RPM install on this
production machine.
Thanks!
Joe Kletch
Re: Need help interpretting score
Posted by Matt Kettler <mk...@evi-inc.com>.
Joe Kletch wrote:
>
> On Apr 26, 2005, at 10:13 AM, Matt Kettler wrote:
>
>>
>
> Off color Jokes are rampant in this organization from the CEO down.
> I'm sure the auto-learn dbs are quite confused. I'll probably raise
> the threshold and keep requesting header of FPs.
Really, off-color jokes shouldn't be hitting more than 3.0, certainly
not high enough to average 7.4. It's actually pretty hard to make a
nonspam message score high unless you use GTUBE.
Most of the porn rules are 1.5 and less. Even having a subject line
declaring the email to be sexually explicit will get you at most 2.9 points.
I'd check for the sender in question doing something like forwarding all
their email to another account using a client-side script that makes it
look like they sent the message. This would re-send all their spam and
rack them up quite an AWL score.
Re: Need help interpretting score
Posted by Joe Kletch <jo...@kletch.com>.
On Apr 26, 2005, at 10:13 AM, Matt Kettler wrote:
> Joe Kletch wrote:
>
>> Reference header text below "3.7 AWL AWL: From: address is in the auto
>> white-list" why is something in the auto whitelist scoring positive?
>> Shouldn't this be adding negative points?
>>
> First, despite it's name the AWL's behavior is NOT limited to being a
> whitelist.
>
> It's a score averager, and has both white and black behaviors. It's
> called AWL because the more accurate "ASABPPWBWB" (Automatic Score
> Averager Based on Past Performance With Blacklist and Whitelist
> Behaviors) is rather awkward.
>
> In this case, the AWL saw that the average score of email from this
> sender in the past was approximately 7.4. It saw that this message was
> going to score 0, and it split the difference between the past scores,
> and the current scores.
>
> If the message is in fact not spam, then you should look at why email
> from this sender scored high enough in the past to earn an average of
> 7.4.
>
> If it is spam, well, the AWL just caught something for you based on
> past
> performance of the spammer.
>
> Also, unless you have a FP or FN, don't expect the direction of the
> AWL's score assignment to be indicative of whether the AWL thinks the
> message is spam or not. It's quite common for the AWL to add a small
> positive score to nonspam with a very large negative score. It's also
> common for it to subtract a few points from spam with very high
> positive
> scores.
>
>
> http://wiki.apache.org/spamassassin/AwlWrongWay
>
>
Off color Jokes are rampant in this organization from the CEO down. I'm
sure the auto-learn dbs are quite confused. I'll probably raise the
threshold and keep requesting header of FPs.
Joe Kletch
Re: Need help interpretting score
Posted by Matt Kettler <mk...@evi-inc.com>.
Joe Kletch wrote:
> Reference header text below "3.7 AWL AWL: From: address is in the auto
> white-list" why is something in the auto whitelist scoring positive?
> Shouldn't this be adding negative points?
>
First, despite it's name the AWL's behavior is NOT limited to being a
whitelist.
It's a score averager, and has both white and black behaviors. It's
called AWL because the more accurate "ASABPPWBWB" (Automatic Score
Averager Based on Past Performance With Blacklist and Whitelist
Behaviors) is rather awkward.
In this case, the AWL saw that the average score of email from this
sender in the past was approximately 7.4. It saw that this message was
going to score 0, and it split the difference between the past scores,
and the current scores.
If the message is in fact not spam, then you should look at why email
from this sender scored high enough in the past to earn an average of 7.4.
If it is spam, well, the AWL just caught something for you based on past
performance of the spammer.
Also, unless you have a FP or FN, don't expect the direction of the
AWL's score assignment to be indicative of whether the AWL thinks the
message is spam or not. It's quite common for the AWL to add a small
positive score to nonspam with a very large negative score. It's also
common for it to subtract a few points from spam with very high positive
scores.
http://wiki.apache.org/spamassassin/AwlWrongWay
Re: Need help interpretting score
Posted by Joe Kletch <jo...@kletch.com>.
On Apr 26, 2005, at 10:08 AM, Matt Yackley wrote:
> * 3.7 AWL AWL: From: address is in the auto white-list
>
> Hi Joe,
>
> Check out http://wiki.apache.org/spamassassin/AwlWrongWay
>
>
>
Thanks--that makes sense. Fighting false positives for a high-strung
sales organization is quite a challenge these days.
Joe Kletch
Re[2]: Need help interpretting score
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Joe,
Tuesday, April 26, 2005, 8:31:43 AM, you wrote:
JK> On another server or two I have disabled the auto white-list. Is
JK> this acceptable practice? Now that I am into this I recall seeing
JK> this issue before and thus decided to disable it. Comments on this
JK> practice?
My personal practice has become to disable the auto white list for the
first month or two of any new install. Once Bayes is well trained and
active, and I'm comfortable with the accuracy of the SA system in
general, then I turn the AWL on.
Seems to work well here.
The problems I've had were all shortly after wiping/refreshing the
Bayes database, when a small but significant number of emails would be
mis-classified by SA, and then AWL would start pushing scores in the
wrong direction because of that. Once I get the number of FPs/FNs
down, AWL works well.
Bob Menschel
Re: Need help interpretting score
Posted by Andy Jezierski <aj...@stepan.com>.
Joe Kletch <jo...@kletch.com> wrote on 04/26/2005 10:31:43 AM:
[snip]
>
> On another server or two I have disabled the auto white-list. Is this
> acceptable practice? Now that I am into this I recall seeing this issue
> before and thus decided to disable it. Comments on this practice?
>
> Joe Kletch
>
I've never used AWL on my system and it works just fine without it.
YMMV
Andy
Re: Need help interpretting score
Posted by Joe Kletch <jo...@kletch.com>.
On Apr 26, 2005, at 10:08 AM, Matt Yackley wrote:
> Joe Kletch said:
>> Reference header text below "3.7 AWL AWL: From: address is in the auto
>> white-list" why is something in the auto whitelist scoring positive?
>> Shouldn't this be adding negative points?
>>
>> Thanks,
>>
>> Joe Kletch
> * 3.7 AWL AWL: From: address is in the auto white-list
>
> Hi Joe,
>
> Check out http://wiki.apache.org/spamassassin/AwlWrongWay
>
>
On another server or two I have disabled the auto white-list. Is this
acceptable practice? Now that I am into this I recall seeing this issue
before and thus decided to disable it. Comments on this practice?
Joe Kletch
Re: Need help interpretting score
Posted by Matt Kettler <mk...@evi-inc.com>.
Matt Yackley wrote:
>J
>
>
>--matt "gonna see if I can post this faster than Matt K."
>
>
>
Damnit!! You beat me to a post in my favorite topic :)
Re: Need help interpretting score
Posted by Matt Yackley <sa...@yackley.org>.
Joe Kletch said:
> Reference header text below "3.7 AWL AWL: From: address is in the auto
> white-list" why is something in the auto whitelist scoring positive?
> Shouldn't this be adding negative points?
>
> Thanks,
>
> Joe Kletch
* 3.7 AWL AWL: From: address is in the auto white-list
Hi Joe,
Check out http://wiki.apache.org/spamassassin/AwlWrongWay
Cheers,
--matt "gonna see if I can post this faster than Matt K."