Posted to users@spamassassin.apache.org by Frederic Goudal <go...@enseirb.fr> on 2005/05/11 16:01:42 UTC

Uncaught spam and rules with modification..


Hello,

For the last weeks I have received a lot of spam concerning stock alerts and different investments.
Their bayes score is 99, but they don't score enough to be classified as spam. I use rules_du_jour and the standard spamassassin set
with SURBL...
This spam does not trigger a lot of rules; typically I have this kind of result:

X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31 tests=BAYES_99,
 RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO

X-spam-status: No, hits=4.171 tagged_above=-999 required=6.31 tests=BAYES_99,
 MIME_BASE64_TEXT, RCVD_IN_SORBS_DUL

X-spam-status: No, hits=3.873 tagged_above=-999 required=6.31 tests=BAYES_99,
 RCVD_IN_SORBS_DUL



I'm using a global bayes_db which seems to work quite well: my users are not
complaining about too much spam or too many false positives (btw my own email
address receives much more spam than other people's as it has been public for 15
years now).

What I wonder is what to do?

Increasing the bayes_99 score?
Decreasing the 6.31 spam level?
Try to create new rules?

FiLH





Re[2]: Uncaught spam and rules with modification..

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Frederic,

Thursday, May 12, 2005, 8:40:17 AM, you wrote:

>>FG> X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31 tests=BAYES_99,
>>FG>  RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO
>>that does score high enough to be classified as spam, but you or your
>>administrator have raised the required score from 5.0 to 6.31.

FG> It is what is put in Amavisd config.  I will maybe lower it a bit.

If you're not getting FPs, then cautious lowering is viable.

>>If your Bayes database is reliable and stable, bump the score for
>>BAYES_99.  

FG> In fact I forgot to upgrade to SA 3.0.3 which bumps bayes a lot.
FG> But from my own mail it seems that bayes_99 never hits a false positive.

Then definitely bump Bayes, at least until you upgrade to 3.0.3 or 3.1.

>>Or look into adopting some of SARE's rules files, at
>>http://www.rulesemporium.com (or other custom files available via the
>>wiki).

FG> I have most of sare rules, but I have not seen a set for stock ads..

Should be in the BML set, though that hasn't been updated in a long
while and might not help against the current set.  Those that have
been using obfuscations should start getting hit by the new
obfuscation rule set files.

Bob Menschel




Re: Uncaught spam and rules with modification..

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Frederic,

Wednesday, May 11, 2005, 7:01:42 AM, you wrote:

FG> For the last weeks I have received a lot of spam concerning
FG> stock alerts and different investments.
FG> Their bayes score is 99, but they don't score enough to be
FG> classified as spam. ...

Correction:
FG> X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31 tests=BAYES_99,
FG>  RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO
that does score high enough to be classified as spam, but you or your
administrator have raised the required score from 5.0 to 6.31.
Understandable, as I used to run three domains at a required score of
9.00.  However, when you on your own initiative raise the required
score, you need to modify your rule scores to take that into account.

Raise the scores of the rules which are most reliable and productive.

FG> X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31 tests=BAYES_99,
FG>  RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO
FG> X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31 tests=BAYES_99,
FG>  RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO
FG> X-spam-status: No, hits=4.171 tagged_above=-999 required=6.31 tests=BAYES_99,
FG>  MIME_BASE64_TEXT, RCVD_IN_SORBS_DUL
FG> X-spam-status: No, hits=3.873 tagged_above=-999 required=6.31 tests=BAYES_99,
FG>  RCVD_IN_SORBS_DUL

If your Bayes database is reliable and stable, bump the score for
BAYES_99.  Consider raising the scores for RCVD_HELO_IP_MISMATCH,
RCVD_NUMERIC_HELO, and RCVD_IN_SORBS_DUL.

FG> What I wonder is what to do?
FG> Increasing the bayes_99 score?
Yes.
FG> Decreasing the 6.31 spam level?
Possible, though 6.31 is reasonable if you do a little tweaking. I had
great success at 9.0.
FG> Try to create new rules?
Or look into adopting some of SARE's rules files, at
http://www.rulesemporium.com (or other custom files available via the
wiki).

Bob Menschel
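
The tuning question in this thread can be worked through from the quoted headers themselves. The script below is an added example, not part of any post in the thread: it parses the three X-spam-status headers, checks which would be tagged at the default required score of 5.0, and computes how far a rule's score would have to rise to reach the 6.31 threshold. The function names are illustrative choices.

```python
import re

# The three X-spam-status headers quoted in the thread, with folded lines.
SAMPLE_HEADERS = """\
X-spam-status: No, hits=5.312 tagged_above=-999 required=6.31 tests=BAYES_99,
 RCVD_HELO_IP_MISMATCH, RCVD_NUMERIC_HELO
X-spam-status: No, hits=4.171 tagged_above=-999 required=6.31 tests=BAYES_99,
 MIME_BASE64_TEXT, RCVD_IN_SORBS_DUL
X-spam-status: No, hits=3.873 tagged_above=-999 required=6.31 tests=BAYES_99,
 RCVD_IN_SORBS_DUL
"""

HEADER_RE = re.compile(
    r"^X-spam-status:\s*\w+,\s*hits=(?P<hits>-?[\d.]+)"
    r".*?required=(?P<required>-?[\d.]+)\s+tests=(?P<tests>.*)$",
    re.IGNORECASE,
)

def parse_headers(text):
    """Unfold continuation lines, then extract hits, threshold and rule names."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", text)
    messages = []
    for line in unfolded.splitlines():
        m = HEADER_RE.match(line)
        if m:
            messages.append({
                "hits": float(m["hits"]),
                "required": float(m["required"]),
                "tests": [t.strip() for t in m["tests"].split(",") if t.strip()],
            })
    return messages

def caught_at(messages, threshold):
    """Which messages would be tagged as spam at the given required score."""
    return [m["hits"] >= threshold for m in messages]

def bump_needed(messages, rule):
    """Smallest increase to `rule` that lifts every message hitting it to its threshold."""
    gaps = [m["required"] - m["hits"] for m in messages
            if rule in m["tests"] and m["hits"] < m["required"]]
    return round(max(gaps), 3) if gaps else 0.0

if __name__ == "__main__":
    msgs = parse_headers(SAMPLE_HEADERS)
    print("tagged at 5.0:", caught_at(msgs, 5.0))
    for rule in ("BAYES_99", "RCVD_IN_SORBS_DUL", "RCVD_NUMERIC_HELO"):
        print(rule, "needs +", bump_needed(msgs, rule))
```

Any increase applies to every message that hits the rule, ham included, so the computed bump should be checked against stored ham scores before it goes into the configuration.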