You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by RW <rw...@googlemail.com> on 2011/07/28 16:28:37 UTC
RP_MATCHES_RCVD
There seems to be a consensus that SPF and DKIM passes aren't worth
significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
it just a circumstantial version of what SPF does explicitly.
For me it's hitting more spam that ham, and what's worse, it's mostly
hitting low-scoring freemail spam. Is it just me that's seeing this, or
is there maybe some kind of bias the test corpora?
Re: RP_MATCHES_RCVD
Posted by da...@chaosreigns.com.
On 07/28, John Hardin wrote:
> On Thu, 28 Jul 2011, Daniel McDonald wrote:
> >I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
> >Invaluement rbls. Invaluement primarily targets snowshoe spammers.
> http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail
>
> Care to drop a few thousand of those into your corpus? :)
As John is kind of pointing out here, the spamassassin score generation
system is capable of handling this kind of problem automatically, if more
of you participate in masschecks:
http://wiki.apache.org/spamassassin/NightlyMassCheck
--
Immorality: "The morality of those who are having a better time"
- Henry Louis Mencken
http://www.ChaosReigns.com
Re: RP_MATCHES_RCVD
Posted by Daniel McDonald <da...@austinenergy.com>.
On 7/28/11 11:47 AM, "John Hardin" <jh...@impsec.org> wrote:
> On Thu, 28 Jul 2011, Daniel McDonald wrote:
>
>> I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
>> Invaluement rbls. Invaluement primarily targets snowshoe spammers.
>>
>> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
>> 41618
>> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
>> 55033
>>
>> So I have also changed the score to 0.01
>
> Dan, your last masscheck only had 6 spam hits for that rule...
>
> http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail
>
That's my home mail, not $DAYJOB...
> Care to drop a few thousand of those into your corpus? :)
I might be able to figure out a way to extract them from quarantine. But
they haven't been hand-checked.... I've got 33,084 of them that hit
RP_MATCHES_RCVD and an Invaluement list that are in this week's quarantine.
I'll see what I can do...
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RP_MATCHES_RCVD
Posted by John Hardin <jh...@impsec.org>.
On Thu, 28 Jul 2011, Daniel McDonald wrote:
> I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
> Invaluement rbls. Invaluement primarily targets snowshoe spammers.
>
> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
> 41618
> $ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
> 55033
>
> So I have also changed the score to 0.01
Dan, your last masscheck only had 6 spam hits for that rule...
http://ruleqa.spamassassin.org/20110727-r1151385-n/RP_MATCHES_RCVD/detail
Care to drop a few thousand of those into your corpus? :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
One difference between a liberal and a pickpocket is that if you
demand your money back from a pickpocket he will not question your
motives. -- William Rusher
-----------------------------------------------------------------------
8 days until the 276th anniversary of John Peter Zenger's acquittal
Re: RP_MATCHES_RCVD
Posted by Daniel McDonald <da...@austinenergy.com>.
On 7/28/11 9:48 AM, "Mike Grau" <m....@kcc.state.ks.us> wrote:
> On 07/28/2011 09:28 AM the voices made RW write:
>> There seems to be a consensus that SPF and DKIM passes aren't worth
>> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
>> it just a circumstantial version of what SPF does explicitly.
>>
>> For me it's hitting more spam that ham, and what's worse, it's mostly
>> hitting low-scoring freemail spam. Is it just me that's seeing this, or
>> is there maybe some kind of bias the test corpora?
>>
>>
>
> +1
>
> RP_MATCHES_RCVD hits tons of (snowshoe?) spam here. Different senders
> different IPs, but often the same /16 or /24 networks. I had some local
> meta rules that used T_RP_MATCHES_RCVD, but evidently the name was
> changed to RP_MATCHES_RCVD and the spam started flying in.
>
I see a lot of messages hitting RP_MATCHES_RCVD that also hits one of the
Invaluement rbls. Invaluement primarily targets snowshoe spammers.
$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -vc INVL
41618
$ grep RP_MATCHES_RCVD /var/log/mail/info.log | grep -c INVL
55033
So I have also changed the score to 0.01
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
Re: RP_MATCHES_RCVD
Posted by Mike Grau <m....@kcc.state.ks.us>.
On 07/28/2011 09:28 AM the voices made RW write:
> There seems to be a consensus that SPF and DKIM passes aren't worth
> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
> it just a circumstantial version of what SPF does explicitly.
>
> For me it's hitting more spam that ham, and what's worse, it's mostly
> hitting low-scoring freemail spam. Is it just me that's seeing this, or
> is there maybe some kind of bias the test corpora?
>
>
+1
RP_MATCHES_RCVD hits tons of (snowshoe?) spam here. Different senders
different IPs, but often the same /16 or /24 networks. I had some local
meta rules that used T_RP_MATCHES_RCVD, but evidently the name was
changed to RP_MATCHES_RCVD and the spam started flying in.
Re: RP_MATCHES_RCVD
Posted by Ned Slider <ne...@unixmail.co.uk>.
On 28/07/11 15:28, RW wrote:
> There seems to be a consensus that SPF and DKIM passes aren't worth
> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2 when
> it just a circumstantial version of what SPF does explicitly.
>
> For me it's hitting more spam that ham, and what's worse, it's mostly
> hitting low-scoring freemail spam. Is it just me that's seeing this, or
> is there maybe some kind of bias the test corpora?
>
>
>
>
Yes, I've noticed this too recently and had knocked the score down to
0.001 for information only about a week ago. I've found it hitting on
spam and didn't find it useful on ham (i.e, I don't generally suffer
from ham being mis-classified as spam).
Re: RP_MATCHES_RCVD
Posted by Benny Pedersen <me...@junc.org>.
On Thu, 28 Jul 2011 15:28:37 +0100, RW wrote:
> There seems to be a consensus that SPF and DKIM passes aren't worth
> significant scores. So how is it that RP_MATCHES_RCVD, scores -1.2
> when
> it just a circumstantial version of what SPF does explicitly.
>
> For me it's hitting more spam that ham, and what's worse, it's mostly
> hitting low-scoring freemail spam. Is it just me that's seeing this,
> or
> is there maybe some kind of bias the test corpora?
add in local.cf:
score RP_MATCHES_RCVD (1.1)
if that solves the problem, make a bug