Posted to users@spamassassin.apache.org by David Morton <mo...@dgrmm.net> on 2006/12/09 07:37:37 UTC
efax spam being marked as -212 ???
I've been getting an occasional efax spam that registers -212...
I'm using SA 3.1.7 and SARE rules from openprotect:
/var/lib/spamassassin/3.001007/saupdates_openprotect_com/70_sare_whitelist.cf
/var/lib/spamassassin/3.001007/updates_spamassassin_org/60_whitelist.cf
/usr/local/share/spamassassin/60_whitelist.cf
3.500 BAYES_99 Bayesian spam probability is 99 to 100%
0.135 FORGED_RCVD_HELO Received: contains a forged HELO
0.001 HTML_MESSAGE HTML included in message
-0.001 SPF_PASS SPF: sender matches SPF record
-1.204 AWL From: address is in the auto white-list
-15.000 USER_IN_DEF_WHITELIST From: address is in the default white-list
-100.000 USER_IN_WHITELIST From: address is in the user's white-list
-100.000 USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist
FROM: "eFax" <me...@inbound.efax.com>
TO: mortonda@dgrmm.net
SUBJECT: eFax from unknown - 1 page(s)
Doesn't this seem just a little bit extreme? Or flat out WRONG? :)
David Morton
Maia Mailguard http://www.maiamailguard.com
mortonda@dgrmm.net
Re: efax spam being marked as -212 ???
Posted by David Morton <mo...@dgrmm.net>.
Daryl C. W. O'Shea wrote:
> Additionally, this channel's bundle includes a pre file that loads a
> bunch of plugins, some of which there's a good chance you don't
> really care to have running, like HashCash (and for many Pyzor)... all
> these are loaded:
Actually, the rest of the bundles are fine, and my detection rate is at least
98%. The main problem is the scores for those rules... it's just way out of
balance. -100 cannot be balanced for anyone.
--
David Morton
Maia Mailguard - http://www.maiamailguard.com
Morton Software Design and Consulting - http://www.dgrmm.net
Re: efax spam being marked as -212 ???
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
David Morton wrote:
> I've been getting an occasional efax spam that registers -212... I'm
> using SA 3.1.7 and SARE rules from openprotect:
> -15.000 USER_IN_DEF_WHITELIST From: address is in the default white-list
> -100.000 USER_IN_WHITELIST From: address is in the user's white-list
> -100.000 USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist
> FROM: "eFax" <me...@inbound.efax.com>
> Doesn't this seem just a little bit extreme? Or flat out WRONG? :)
This is why "bundles" don't work well for the SARE rulesets. One bundle
doesn't suit all users. It turns out that this particular channel's
bundle doesn't suit any users well:
49617 Oct 5 14:15 70_sare_whitelist.cf
36610 Oct 5 14:15 70_sare_whitelist_rcvd.cf
31789 Oct 5 14:15 70_sare_whitelist_spf.cf
...it has two copies of the SARE whitelist (the latter two in the list
are to be used together). So you get -200 from that, which should only
be -100, in addition to the -15 from the whitelist that ships with SA.
Of course there's not really much difference in a score of -115 than
there is in -215, both are going to be marked as ham. The real loss is
the overhead incurred by loading whitelists that duplicate each other.
Additionally, this channel's bundle includes a pre file that loads a
bunch of plugins, some of which there's a good chance you don't
really care to have running, like HashCash (and for many Pyzor)... all
these are loaded:
loadplugin Mail::SpamAssassin::Plugin::SPF
loadplugin Mail::SpamAssassin::Plugin::Hashcash
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
So... either suggest to the channel provider that they change what
they're doing, run a script after an update occurs to delete the extra
rule files, or switch to using the single rule file channels that are
available.
Daryl
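Added example (not part of the message above and not the channel's own tooling): a post-update cleanup of the kind suggested there. It lists whitelist directives that the same address receives from more than one rule file in the channel directory, then moves the combined 70_sare_whitelist.cf aside when the _rcvd/_spf pair is present. The function names, the choice to keep the pair, and renaming instead of deleting are assumptions.

```shell
#!/bin/sh
# Added example: clean up a bundled SARE whitelist channel after an update.
# Assumption: 70_sare_whitelist.cf duplicates the _rcvd/_spf pair, as the
# thread describes, and the pair is the copy to keep.

# Print "directive address: file file ..." for every whitelist directive
# that is defined for the same address in more than one *.cf file of DIR.
dup_whitelist_entries() {
    dir=$1
    for f in "$dir"/*.cf; do
        [ -f "$f" ] || continue
        # whitelist_from, whitelist_from_rcvd, whitelist_from_spf and the
        # def_ forms of the latter two take the address as first argument.
        awk -v file="$(basename "$f")" \
            '$1 ~ /^(def_)?whitelist_from(_rcvd|_spf)?$/ {
                 print $1, tolower($2), file }' "$f"
    done | LC_ALL=C sort -u | awk '
        { k = $1 " " $2; files[k] = files[k] " " $3; n[k]++ }
        END { for (k in n) if (n[k] > 1) print k ":" files[k] }
    ' | LC_ALL=C sort
}

# Move the combined whitelist aside when both split files are present.
# The .disabled suffix is an arbitrary choice that no longer matches *.cf.
# Returns 0 if a file was disabled, 1 if there was nothing to do.
prune_sare_whitelist() {
    dir=$1
    combined=$dir/70_sare_whitelist.cf
    if [ -f "$combined" ] &&
       [ -f "$dir/70_sare_whitelist_rcvd.cf" ] &&
       [ -f "$dir/70_sare_whitelist_spf.cf" ]; then
        mv "$combined" "$combined.disabled"
        return 0
    fi
    return 1
}
```

The next update restores the channel's files, so the cleanup has to run after every sa-update, pointed at the channel directory (here /var/lib/spamassassin/3.001007/saupdates_openprotect_com).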
Re: efax spam being marked as -212 ???
Posted by Loren Wilton <lw...@earthlink.net>.
> -1.204 AWL From: address is in the auto white-list
> -15.000 USER_IN_DEF_WHITELIST From: address is in the default white-list
> -100.000 USER_IN_WHITELIST From: address is in the user's white-list
> -100.000 USER_IN_SPF_WHITELIST From: address is in the user's SPF whitelist
Says here you have the sender in four different local whitelists.
Whitelists don't come with the normal SA install, and while there is a SARE
whitelist, it didn't hit. I don't know where these four whitelists came
from, but they are assuredly the reason that the message is making it to
you, despite Bayes thinking it is spam.
FWIW, it appears that this mail is legitimately from who it says it is, or
at least SPF seems to think so.
Loren
BTW, I'm not familiar with openprotect, but SARE rules come from
RulesEmporium. www.rulesemporium.com.