You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Darren Coleman <Da...@jpci.net> on 2005/01/12 12:20:17 UTC
Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
Hi,
I'm running the latest version of SpamAssassin (3.0.2), with a healthy
Bayes database (I believe) and pretty much all of the available rules
from rulesemporium.com and I have noticed recently, particularly from
comments from my users, that SA is missing a lot of clear spasm.
I have attached one for reference which scored only 4.0 on my system
despite having clear, unobfuscated references to two notable erectile
dysfunction drugs.
Can anyone tell me where I'm going wrong with this?
Thanks,
Darren
Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
Posted by Martin Hepworth <ma...@solid-state-logic.com>.
Loren Wilton wrote:
> Well, just for grins I ran it here:
>
> Content analysis details: (11.3 points, 4.6 required)
>
> pts rule name description
> ---- ---------------------- ------------------------------------------------
> --
> 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
> 0.3 SARE_WEOFFER BODY: Offers Something
> 1.8 LOCAL_OBFU_VIAGRA BODY: Obfuscated 'VIAGRA' in body
> 1.8 LOCAL_OBFU_TADALAFIL BODY: Obfuscated 'TADALAFIL' in body
> 1.8 LOCAL_OBFU_CIALIS BODY: Obfuscated 'CIALIS' in body
> 0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
> [score: 0.5418]
> 1.0 DRUGS_ERECTILE Refers to an erectile drug
> 2.0 NOT_TO_ME Mail is not addressed to me
>
> You wouldn't have the last one, so should have only gotten 9.3. This is on
> 2.64.
>
> I'm not sure where the 'local' rules came from, but I expect that they are
> some of the 'other rules' on the rulesemporium site.
>
> Loren
>
Loren
having gone throught he pain* of upgrading from a very nice working 2.64
to 3.02 I suggest Jeff's idea of getting the URI checking uinstalled is
the best way to proceed,
(*pain: lots of reading of this list, 2 days of testing, getting
ALL_TRUSTED turned off, bemoaning lower bayes scores etc etc. But in the
end I'm happy after 1st 26 hours of live running).
--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.
This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.
**********************************************************************
Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
Posted by Jon Drukman <js...@cluttered.com>.
Christopher John Shaker wrote:
> In my useage, SpamAssassin 3.0.2 works *way* better than the 2.XX
> versions of
> SpamAssassin. I've been training my Baysian filters, and they work
> really well now.
>
> SA 3.0.2 works so well that I've deleted most of my apx 400 local rules,
> which plugged
> leaks through SA 2.XX.
agreed. since i upgraded to 3.0.2 i have thrown out all the custom
rules that i gathered from various spots around the net. just using the
stock SA3 config works extremely well. as i mentioned before, just
using Bayes + URIBL catches at least 99%.
-jsd-
Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
Posted by Christopher John Shaker <cj...@shaker-net.com>.
In my useage, SpamAssassin 3.0.2 works *way* better than the 2.XX versions
of
SpamAssassin. I've been training my Baysian filters, and they work really
well now.
SA 3.0.2 works so well that I've deleted most of my apx 400 local rules,
which plugged
leaks through SA 2.XX.
Chris Shaker
cjshaker@shaker-net.com
----- Original Message -----
From: "Jack L. Stone" <ja...@sage-american.com>
To: "Loren Wilton" <lw...@earthlink.net>; <us...@spamassassin.apache.org>
Sent: Wednesday, January 12, 2005 6:54 AM
Subject: Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp
rules
> At 04:36 AM 1.12.2005 -0800, Loren Wilton wrote:
>>Well, just for grins I ran it here:
>>
>>Content analysis details: (11.3 points, 4.6 required)
>>
>> pts rule name description
>>---- ---------------------- ------------------------------------------------
>>--
>> 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
>> 0.3 SARE_WEOFFER BODY: Offers Something
>> 1.8 LOCAL_OBFU_VIAGRA BODY: Obfuscated 'VIAGRA' in body
>> 1.8 LOCAL_OBFU_TADALAFIL BODY: Obfuscated 'TADALAFIL' in body
>> 1.8 LOCAL_OBFU_CIALIS BODY: Obfuscated 'CIALIS' in body
>> 0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
>> [score: 0.5418]
>> 1.0 DRUGS_ERECTILE Refers to an erectile drug
>> 2.0 NOT_TO_ME Mail is not addressed to me
>>
>>You wouldn't have the last one, so should have only gotten 9.3. This is
>>on
>>2.64.
>>
>
> ....and, for laughs, here on sa-3.0.2 and got a very high score:
>
> ------------------------------------------------------------------------------
> Content analysis details: (31.0 points, 4.5 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.1 MISSING_HEADERS Missing To: header
> 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
> [score: 0.5000]
> 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
> [cf: 100]
> 1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
> 2.5 URIBL_CNKR Contains a URL listed in China/Korea
> [URIs: aujobs.net]
> 0.5 URIBL_SBL_XBL Contains a URL listed in the SBL-XBL DNSBL
> [URIs: aujobs.net]
> 5.0 URIBL_SBL Contains an URL listed in the SBL blocklist
> [URIs: aujobs.net]
> 5.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
> blocklist
> [URIs: aujobs.net]
> 5.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
> blocklist
> [URIs: aujobs.net]
> 0.5 URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL
> [URIs: aujobs.net]
> 5.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL
> blocklist
> [URIs: aujobs.net]
> 0.5 URIBL_SS_RHSBL Contains a URL listed in the SS RHSBL
> [URIs: aujobs.net]
> 1.2 MISSING_SUBJECT Missing Subject: header
> 0.2 DRUGS_ERECTILE Refers to an erectile drug
> 1.0 MURTY_BADWORDS2 Words ending with numbers
> 1.2 MURTY_BADWORDS3 Words with numbers in the middle
> 0.5 MURTY_BADWORDS4 Words with special symbols
> 1.2 MURTY_BADCHARS Single Characters
>
>
> Happy trails,
> Jack L. Stone
>
> System Admin
> Sage-american
>
Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp
rules
Posted by "Jack L. Stone" <ja...@sage-american.com>.
At 04:36 AM 1.12.2005 -0800, Loren Wilton wrote:
>Well, just for grins I ran it here:
>
>Content analysis details: (11.3 points, 4.6 required)
>
> pts rule name description
>---- ---------------------- ------------------------------------------------
>--
> 2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
> 0.3 SARE_WEOFFER BODY: Offers Something
> 1.8 LOCAL_OBFU_VIAGRA BODY: Obfuscated 'VIAGRA' in body
> 1.8 LOCAL_OBFU_TADALAFIL BODY: Obfuscated 'TADALAFIL' in body
> 1.8 LOCAL_OBFU_CIALIS BODY: Obfuscated 'CIALIS' in body
> 0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
> [score: 0.5418]
> 1.0 DRUGS_ERECTILE Refers to an erectile drug
> 2.0 NOT_TO_ME Mail is not addressed to me
>
>You wouldn't have the last one, so should have only gotten 9.3. This is on
>2.64.
>
....and, for laughs, here on sa-3.0.2 and got a very high score:
------------------------------------------------------------------------------
Content analysis details: (31.0 points, 4.5 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.1 MISSING_HEADERS Missing To: header
0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
[score: 0.5000]
0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
[cf: 100]
1.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
2.5 URIBL_CNKR Contains a URL listed in China/Korea
[URIs: aujobs.net]
0.5 URIBL_SBL_XBL Contains a URL listed in the SBL-XBL DNSBL
[URIs: aujobs.net]
5.0 URIBL_SBL Contains an URL listed in the SBL blocklist
[URIs: aujobs.net]
5.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
[URIs: aujobs.net]
5.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: aujobs.net]
0.5 URIBL_MP_RHSBL Contains a URL listed in the MP RHSBL
[URIs: aujobs.net]
5.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist
[URIs: aujobs.net]
0.5 URIBL_SS_RHSBL Contains a URL listed in the SS RHSBL
[URIs: aujobs.net]
1.2 MISSING_SUBJECT Missing Subject: header
0.2 DRUGS_ERECTILE Refers to an erectile drug
1.0 MURTY_BADWORDS2 Words ending with numbers
1.2 MURTY_BADWORDS3 Words with numbers in the middle
0.5 MURTY_BADWORDS4 Words with special symbols
1.2 MURTY_BADCHARS Single Characters
Happy trails,
Jack L. Stone
System Admin
Sage-american
Re: Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
Posted by Loren Wilton <lw...@earthlink.net>.
Well, just for grins I ran it here:
Content analysis details: (11.3 points, 4.6 required)
pts rule name description
---- ---------------------- ------------------------------------------------
--
2.6 LOCAL_OBFU_TADALAFIL_SUBJ Obfuscated 'TADALAFIL' in subject
0.3 SARE_WEOFFER BODY: Offers Something
1.8 LOCAL_OBFU_VIAGRA BODY: Obfuscated 'VIAGRA' in body
1.8 LOCAL_OBFU_TADALAFIL BODY: Obfuscated 'TADALAFIL' in body
1.8 LOCAL_OBFU_CIALIS BODY: Obfuscated 'CIALIS' in body
0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
[score: 0.5418]
1.0 DRUGS_ERECTILE Refers to an erectile drug
2.0 NOT_TO_ME Mail is not addressed to me
You wouldn't have the last one, so should have only gotten 9.3. This is on
2.64.
I'm not sure where the 'local' rules came from, but I expect that they are
some of the 'other rules' on the rulesemporium site.
Loren
Re: [SPAM-TAG] Lots of spam being missed with SA 3.0.2 + lots of RulesEmp rules
Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, January 12, 2005, 3:20:17 AM, Darren Coleman wrote:
> Hi,
> I'm running the latest version of SpamAssassin (3.0.2), with a healthy
> Bayes database (I believe) and pretty much all of the available rules
> from rulesemporium.com and I have noticed recently, particularly from
> comments from my users, that SA is missing a lot of clear spasm.
> I have attached one for reference which scored only 4.0 on my system
> despite having clear, unobfuscated references to two notable erectile
> dysfunction drugs.
> Can anyone tell me where I'm going wrong with this?
> Thanks,
> Darren
Try installing a current Net::DNS and enabling network tests.
SURBL and other URIBL rules triggered on the URIs in
your spam:
URIBL_AB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
Those should be plenty to get them marked as spam.
Jeff C.
--
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/