AWL question

[Scott Johnson <sc...@nami.org>]

After upgrading to SA 3.0, I noticed a lot of spam with subject lines 
including SEXUALLY- EXPLICIT started to get through, even though there 
were existing rules that were meant specifically to catch them. I first 
boosted the score of the rules that catch these messages from 10 to 100 
(2 rules, see below), and saw that the ones that formerly "got through" 
were getting AWL scores in the negative 100-120 range. This morning a 
few *still* go through, so I boosted the score of those rules from 100 
to *1000*. The next two messages snagged got AWL scores in the negative 
*thousand* range.

I read the FAQ on how AWL is supposed to work, but that doesn't seem to 
explain how messages can end up with such seemingly gigantic AWL scores. 
Does an AWL negative score somehow go "deeper" in response to very high 
positive SA scores? Nothing like this happened with 2.6. I'm not 
disappointed with 3.0 (it works extremely well otherwise), I'm just 
deeply puzzled. Did I mis a FAQ note somewhere? Screw up the upgrade 
somehow? Am I just completely misreading what's going on? Thanks in 
advance for any help you can provide!

(Hopefully) Helpful appendix:

Rules:

header   SUBJ_CANSPAM_SE  Subject =~ 
/sexual.{0,4}expl[i1\|][ct][i1\|e][ct]/i
describe SUBJ_CANSPAM_SE  more porn
score SUBJ_CANSPAM_SE   1000

header   SUBJ_CANSPAM_SE2  Subject =~ 
/SEXUAL.{0,4}.EXPL[I1\|][CT][I1\|E][CT]/i
describe SUBJ_CANSPAM_SE2  more porn
score SUBJ_CANSPAM_SE2   1000


Gigantic AWL negative scored e-mail:

Return-Path: <b....@mx19224.rr03.com>
Received: from naminet3.nami.org ([38.250.129.202]) by
          mail.nami.org (Netscape Messaging Server 4.15) with ESMTP id
          I4WQ3I00.BE9 for <to...@nami.org>; Fri, 1 Oct 2004 09:14:06 -0400 
Received: from mx19224.rr03.com (mx19224.rr03.com [69.6.19.224])
	by naminet3.nami.org (8.11.6/8.11.6) with ESMTP id i91DEbm20529
	for <to...@nami.org>; Fri, 1 Oct 2004 09:14:37 -0400
Received: (from daemon@localhost)
	by mx19224.rr03.com (8.8.8/8.8.8) id XAA02867;
	Thu, 30 Sep 2004 23:26:42 -0700 (PDT)
Date: Fri, 1 Oct 2004 01:20:10 -0700 (PDT)
Message-Id: <20...@mx19224.rr03.com>
From: Cindy <ad...@mx19224.rr03.com>
To: tonya@nami.org
Subject: {Spam?} SEXUALLY- EXPLICIT: Heyyyy
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-nami.org-MailScanner-Information: Please contact the ISP for more information
X-MailScanner: Found to be clean
X-MailScanner-SpamCheck: spam, SpamAssassin (score=1102.425, required 3,
	autolearn=spam, AWL -1070.58, BAYES_99 1.89, COMBINED_FROM 0.32,
	DCC_CHECK 2.17, DNS_FROM_AHBL_RHSBL 0.29, EVILNUMBER_A_1XX_1 2.00,
	RCVD_IN_BL_SPAMCOP_NET 1.22, RCVD_IN_NJABL_SPAM 1.84,
	RCVD_IN_SBL 0.11, REMOVE_PAGE 0.19, SUBJECT_SEXUAL 2.90,
	SUBJ_CANSPAM_SE 1000.00, SUBJ_CANSPAM_SE2 1000.00, TW_VZ 0.08,
	URIBL_OB_SURBL 100.00, URIBL_SBL 30.00, URIBL_WS_SURBL 30.00)
X-MailScanner-SpamScore: ssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss
X-MailScanner-From: b.adultspecials.0-4172c30-4adc.nami.org.-tonya@mx19224.rr03.com

Heyllooo it's me Cindy... husband left last night

I have an profile online, which you can browse...if you like my sexy
profile, we can meet up for a cup of coffee or maybe more

http://mx19224.rr03.com/m/l?1ye-b3l3-1-5r09-7vzpi
 
Hugs and kisses

Cindy



To unsubscribe, go to:
http://mx19224.rr03.com/remove?r.adultspecials.0-4172c30-4adc.nami.org.-tonya?r

or, send a blank message to:
mailto:r.adultspecials.0-4172c30-4adc.nami.org.-tonya@mx19224.rr03.com

Ejackolate.com
1333 W 120th Ave Suite 101
Westminster CO 80234

Re: AWL question

[Duncan Findlay <du...@debian.org>]

On Fri, Oct 01, 2004 at 12:29:40PM -0400, Jim Maul wrote:
> Scott Johnson wrote:
> >After upgrading to SA 3.0, I noticed a lot of spam with subject lines 
> >including SEXUALLY- EXPLICIT started to get through, even though there 
> >were existing rules that were meant specifically to catch them. I first 
> >boosted the score of the rules that catch these messages from 10 to 100 
> >(2 rules, see below), and saw that the ones that formerly "got through" 
> >were getting AWL scores in the negative 100-120 range. This morning a 
> >few *still* go through, so I boosted the score of those rules from 100 
> >to *1000*. The next two messages snagged got AWL scores in the negative 
> >*thousand* range.

That makes sense. If you have a couple messages go thorough with score
4, and you raise the score to 100, the AWL thinks that address has an
average score of 4, thus will subtract somewhere between 0 and 96
points (I don't remember how the math works to determine the actual
number but it's probably in the middle of that range). Over time, if
messages continue to get high scores, the amount subtracted will get
smaller and smaller.

If you increase the scores, the AWL simply gets convinced that the
message is getting an abnormally high score and does its best to lower
it toward the average.

> >I read the FAQ on how AWL is supposed to work, but that doesn't seem to 
> >explain how messages can end up with such seemingly gigantic AWL scores. 
> >Does an AWL negative score somehow go "deeper" in response to very high 
> >positive SA scores? Nothing like this happened with 2.6. I'm not 
> >disappointed with 3.0 (it works extremely well otherwise), I'm just 
> >deeply puzzled. Did I mis a FAQ note somewhere? Screw up the upgrade 
> >somehow? Am I just completely misreading what's going on? Thanks in 
> >advance for any help you can provide!

I don't think there were any major changes in 2.6 vs 3.0 with
whitelist. Perhaps you never ran into this with 2.6.
 
> This is (from what i understand) how AWL is supposed to work.  You could 
> lower the score to -999999999 and AWL would bring it right back up to 
> +999999999.  Its supposed to sort of average things out.  The real 
> question here is why is it trying to AWL it at all.  That, 
> unfortunately, i dont have an answer for.  I dont use AWL specifically 
> because of things like this.  I have never been able to get it to work 
> correctly.  Or maybe it was working correctly and i just never 
> understood it.  Either way, im happy without it.

If you lower the score to -100, it'll add roughly 50 points assuming
the long term average is roughly 0.

(My recollection of this is a little hazy and I can remember the
mathematical formula, but there doesn't seem to be a problem here.)

-- 
Duncan Findlay

Re: AWL question

[Jim Maul <jm...@elih.org>]

Scott Johnson wrote:
> After upgrading to SA 3.0, I noticed a lot of spam with subject lines 
> including SEXUALLY- EXPLICIT started to get through, even though there 
> were existing rules that were meant specifically to catch them. I first 
> boosted the score of the rules that catch these messages from 10 to 100 
> (2 rules, see below), and saw that the ones that formerly "got through" 
> were getting AWL scores in the negative 100-120 range. This morning a 
> few *still* go through, so I boosted the score of those rules from 100 
> to *1000*. The next two messages snagged got AWL scores in the negative 
> *thousand* range.
> 
> I read the FAQ on how AWL is supposed to work, but that doesn't seem to 
> explain how messages can end up with such seemingly gigantic AWL scores. 
> Does an AWL negative score somehow go "deeper" in response to very high 
> positive SA scores? Nothing like this happened with 2.6. I'm not 
> disappointed with 3.0 (it works extremely well otherwise), I'm just 
> deeply puzzled. Did I mis a FAQ note somewhere? Screw up the upgrade 
> somehow? Am I just completely misreading what's going on? Thanks in 
> advance for any help you can provide!
> 
>

This is (from what i understand) how AWL is supposed to work.  You could 
lower the score to -999999999 and AWL would bring it right back up to 
+999999999.  Its supposed to sort of average things out.  The real 
question here is why is it trying to AWL it at all.  That, 
unfortunately, i dont have an answer for.  I dont use AWL specifically 
because of things like this.  I have never been able to get it to work 
correctly.  Or maybe it was working correctly and i just never 
understood it.  Either way, im happy without it.

-Jim