Re: Is there a way to block "invalid" non delivery notifications?

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

> Matus UHLAR - fantomas wrote:
> > the first can be catched by using ok_locales

On 30.06.10 04:14, Daniel Lemke wrote:
> We are already using ok_locales, but it does not score all of the mail and
> if it scores, the few points at all are not enough to identify it as spam
> (since bayes still scores negative). I already trained bayes with hundreds
> of mails, but it still doesn't recognize this ndr as spam.

apparently not enough of NDRs. I trained bayes with many notices and it was
able to detect as expected then.

BAYES_99 and CHARSET_FARAWAY together should score enough to score as spam.
*BOUNCE_MESSAGE score only 0.1 and rising them is not safe.

> > For others, there's VBounce plugin that detects delivery notices (and
> > similar messages like autoresponders) and tag them for other processing.
> > 
> > You need to configure whitelist_bounce_relays for this plugin to work.

> That sounds quite nice, but the documentation says the plugin looks for the
> specified mta relay in the Received: header of the mail. If found, it is not
> marked as an invalid bounce.

No, it searches for it in the body of the mail, and the body of delivery
notice should contain IP of your MTA, if the original message went through
your MTA (although there are programs that don't include them). Otherwise
it's apparendly bounce on forged mail which the VBounce is designed to
catch.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"To Boot or not to Boot, that's the question." [WD1270 Caviar]

Re: Is there a way to block "invalid" non delivery notifications?

[Daniel Lemke <le...@jam-software.com>]

jdow wrote:
> 
>> By the way, is it possible to rescore or disable one rule, if another
>> already hit (thought on something like disabling bayes when
>> BOUNCE_MESSAGE
>> already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already
>> hit. Yeah I know that's kind of bogus config but it'd be very suitable
>> for
>> our purpose.
> 
> META rules are good for this sort of application.
> 
> {^_^} 
> 
> 

I know about two meta rules that would cause a proper rescore but both of
them are kind of dirty workarounds:
- Check if BOUNCE_MESSAGE and Bayes hit. If so, give it a appropriate
negative score (this wouldn't be really dynamic).
- Packing the whole Bayes scoring into a meta so it only is triggered when
BOUNCE_MESSAGE isn't hit.

I'd prefer something like the "ifplugin" key word in configuration, in
pseudo code:
ifrulehit BOUNCE_MESSAGE
skip BAYES_XX

Daniel
-- 
View this message in context: http://old.nabble.com/Is-there-a-way-to-block-%22invalid%22-non-delivery-notifications--tp29032307p29073633.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Is there a way to block "invalid" non delivery notifications?

[jdow <jd...@earthlink.net>]

From: "Daniel Lemke" <le...@jam-software.com>
Sent: Friday, 2010/July/02 06:36
>
> Matus UHLAR - fantomas wrote:
>>
>> apparently not enough of NDRs. I trained bayes with many notices and it
>> was
>> able to detect as expected then.
>>
> It apparently does learn the ndrs given, but as we send a newsletter from
> time to time (that produces ndrs as well), Bayes seems to learn ndrs as 
> ham
> continuously.
>
>
> Matus UHLAR - fantomas wrote:
>>
>> BAYES_99 and CHARSET_FARAWAY together should score enough to score as
>> spam.
>> *BOUNCE_MESSAGE score only 0.1 and rising them is not safe.
>>
> Is it such a bad idea to rise the score? Or is the general purpose to
> combine it with some sort of meta?
>
> By the way, is it possible to rescore or disable one rule, if another
> already hit (thought on something like disabling bayes when BOUNCE_MESSAGE
> already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already
> hit. Yeah I know that's kind of bogus config but it'd be very suitable for
> our purpose.

META rules are good for this sort of application.

{^_^} 

Re: Is there a way to block "invalid" non delivery notifications?

[Daniel Lemke <le...@jam-software.com>]

Matus UHLAR - fantomas wrote:
> 
> apparently not enough of NDRs. I trained bayes with many notices and it
> was
> able to detect as expected then.
> 
It apparently does learn the ndrs given, but as we send a newsletter from
time to time (that produces ndrs as well), Bayes seems to learn ndrs as ham
continuously.


Matus UHLAR - fantomas wrote:
> 
> BAYES_99 and CHARSET_FARAWAY together should score enough to score as
> spam.
> *BOUNCE_MESSAGE score only 0.1 and rising them is not safe.
> 
Is it such a bad idea to rise the score? Or is the general purpose to
combine it with some sort of meta?

By the way, is it possible to rescore or disable one rule, if another
already hit (thought on something like disabling bayes when BOUNCE_MESSAGE
already hit)? This way I could disable Bayes when BOUNCE_MESSAGE already
hit. Yeah I know that's kind of bogus config but it'd be very suitable for
our purpose. 


Daniel
-- 
View this message in context: http://old.nabble.com/Is-there-a-way-to-block-%22invalid%22-non-delivery-notifications--tp29032307p29056475.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.