You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Reindl Harald <h....@thelounge.net> on 2014/09/10 13:22:35 UTC
RCVD_IN_MSPIKE_* strange scoring
something is here terrible wrong
why does "average" is preferred over "excellent"
why do H3 and H4 get a very less WL score?
recently a clear spam message slipped by the -1.7 through
describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
score RCVD_IN_MSPIKE_H2 0.001 -1.772 0.001 -1.772
score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 -0.010
score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 -0.010
score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 -1.000
__________________________________________________
i changed that in "local.cf" to the following
score RCVD_IN_MSPIKE_H2 0.001 -0.5 0.001 -0.5
score RCVD_IN_MSPIKE_H3 0.001 -0.8 0.001 -0.8
score RCVD_IN_MSPIKE_H4 0.001 -1.1 0.001 -1.1
score RCVD_IN_MSPIKE_H5 0.001 -1.5 0.001 -1.5
Re: RCVD_IN_MSPIKE_* strange scoring
Posted by John Hardin <jh...@impsec.org>.
On Wed, 10 Sep 2014, Reindl Harald wrote:
> Am 10.09.2014 um 16:50 schrieb Jose Borges Ferreira:
>> On Wed, Sep 10, 2014 at 12:22 PM, Reindl Harald <h....@thelounge.net> wrote:
>>> something is here terrible wrong
>>>
>>> why does "average" is preferred over "excellent"
>>> why do H3 and H4 get a very less WL score?
>>> recently a clear spam message slipped by the -1.7 through
>>>
>>> describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
>>> describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
>>> describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
>>> describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
>>>
>>> score RCVD_IN_MSPIKE_H2 0.001 -1.772 0.001 -1.772
>>> score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 -0.010
>>> score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 -0.010
>>> score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 -1.000
>>> __________________________________________________
>>
>> Thats probably the QA system that scores that based on the available
>> corpus data ..
>
> so received nightly with sa-update?
Yep.
It's possible that these scores should be static.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
How can you reason with someone who thinks we're on a glidepath to
a police state and yet their solution is to grant the government a
monopoly on force? They are insane.
-----------------------------------------------------------------------
Tomorrow: the 13rd anniversary of 9/11
Re: RCVD_IN_MSPIKE_* strange scoring
Posted by Jose Borges Ferreira <un...@gmail.com>.
On Wed, Sep 10, 2014 at 4:14 PM, Reindl Harald <h....@thelounge.net> wrote:
> so received nightly with sa-update?
The scores are adjusted according to the corpus results there is
always some bias ...
>> That's the expected scoring distribution. We have in our system a more
>> generous scoring ranging from -0.5 to -3.5
>
> -3.5 is very much - i saw many crap from even H5 listed servers
> they may lose that reputation as follow up but too late
>
Every system/region have exposure to different profiles of email and
heuristics will have a different impact.
That's why I said "we have" , didn't said "you should have" :p
Snowshoers, if not detected properly , will have good reputation and
that's a problem.
Right now we have a different list/rbl for detecting and using
internally. Not sure is will be added in Z list or with a different
code.
José Borges Ferreira
Re: RCVD_IN_MSPIKE_* strange scoring
Posted by Reindl Harald <h....@thelounge.net>.
Am 10.09.2014 um 16:50 schrieb Jose Borges Ferreira:
> On Wed, Sep 10, 2014 at 12:22 PM, Reindl Harald <h....@thelounge.net> wrote:
>> something is here terrible wrong
>>
>> why does "average" is preferred over "excellent"
>> why do H3 and H4 get a very less WL score?
>> recently a clear spam message slipped by the -1.7 through
>>
>> describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
>> describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
>> describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
>> describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
>>
>> score RCVD_IN_MSPIKE_H2 0.001 -1.772 0.001 -1.772
>> score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 -0.010
>> score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 -0.010
>> score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 -1.000
>> __________________________________________________
>
> Thats probably the QA system that scores that based on the available
> corpus data ..
so received nightly with sa-update?
>> i changed that in "local.cf" to the following
>>
>> score RCVD_IN_MSPIKE_H2 0.001 -0.5 0.001 -0.5
>> score RCVD_IN_MSPIKE_H3 0.001 -0.8 0.001 -0.8
>> score RCVD_IN_MSPIKE_H4 0.001 -1.1 0.001 -1.1
>> score RCVD_IN_MSPIKE_H5 0.001 -1.5 0.001 -1.5
>
> That's the expected scoring distribution. We have in our system a more
> generous scoring ranging from -0.5 to -3.5
-3.5 is very much - i saw many crap from even H5 listed servers
they may lose that reputation as follow up but too late
Re: RCVD_IN_MSPIKE_* strange scoring
Posted by Jose Borges Ferreira <un...@gmail.com>.
On Wed, Sep 10, 2014 at 12:22 PM, Reindl Harald <h....@thelounge.net> wrote:
> something is here terrible wrong
>
> why does "average" is preferred over "excellent"
> why do H3 and H4 get a very less WL score?
> recently a clear spam message slipped by the -1.7 through
>
> describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
> describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
> describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
> describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
>
> score RCVD_IN_MSPIKE_H2 0.001 -1.772 0.001 -1.772
> score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 -0.010
> score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 -0.010
> score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 -1.000
> __________________________________________________
Thats probably the QA system that scores that based on the available
corpus data ..
> i changed that in "local.cf" to the following
>
> score RCVD_IN_MSPIKE_H2 0.001 -0.5 0.001 -0.5
> score RCVD_IN_MSPIKE_H3 0.001 -0.8 0.001 -0.8
> score RCVD_IN_MSPIKE_H4 0.001 -1.1 0.001 -1.1
> score RCVD_IN_MSPIKE_H5 0.001 -1.5 0.001 -1.5
>
That's the expected scoring distribution. We have in our system a more
generous scoring ranging from -0.5 to -3.5
Re: RCVD_IN_MSPIKE_* strange scoring
Posted by Reindl Harald <h....@thelounge.net>.
Am 10.09.2014 um 13:33 schrieb Matus UHLAR - fantomas:
> On 10.09.14 13:22, Reindl Harald wrote:
>> something is here terrible wrong
>>
>> why does "average" is preferred over "excellent"
>> why do H3 and H4 get a very less WL score?
>
> I'd say, it's because of number of spams/hams received from hosts there.
> seems like only mail from hosts with average reputation appears on the net widely...
not really
[root@localhost:~]$ cat maillog | grep RCVD_IN_MSPIKE_H2 | wc -l
2996
[root@localhost:~]$ cat maillog | grep RCVD_IN_MSPIKE_H3 | wc -l
7494
[root@localhost:~]$ cat maillog | grep RCVD_IN_MSPIKE_H4 | wc -l
2255
[root@localhost:~]$ cat maillog | grep RCVD_IN_MSPIKE_H5 | wc -l
190
>> describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
>> describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
>> describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
>> describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
>>
>> score RCVD_IN_MSPIKE_H2 0.001 -1.772 0.001 -1.772
>> score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 -0.010
>> score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 -0.010
>> score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 -1.000
Re: RCVD_IN_MSPIKE_* strange scoring
Posted by John Hardin <jh...@impsec.org>.
On Wed, 10 Sep 2014, Matus UHLAR - fantomas wrote:
> On 10.09.14 13:22, Reindl Harald wrote:
>> something is here terrible wrong
>>
>> why does "average" is preferred over "excellent"
>> why do H3 and H4 get a very less WL score?
>
> I'd say, it's because of number of spams/hams received from hosts there.
> seems like only mail from hosts with average reputation appears on the net
> widely...
s/on the net widely/in the masscheck corpora/
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #9: Accuracy is relative: most combat
shooting standards will be more dependent on "pucker factor" than
the inherent accuracy of the gun.
-----------------------------------------------------------------------
Tomorrow: the 13rd anniversary of 9/11
Re: RCVD_IN_MSPIKE_* strange scoring
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 10.09.14 13:22, Reindl Harald wrote:
>something is here terrible wrong
>
>why does "average" is preferred over "excellent"
>why do H3 and H4 get a very less WL score?
I'd say, it's because of number of spams/hams received from hosts there.
seems like only mail from hosts with average reputation appears on the net
widely...
>describe RCVD_IN_MSPIKE_H2 Average reputation (+2)
>describe RCVD_IN_MSPIKE_H3 Good reputation (+3)
>describe RCVD_IN_MSPIKE_H4 Very Good reputation (+4)
>describe RCVD_IN_MSPIKE_H5 Excellent reputation (+5)
>
>score RCVD_IN_MSPIKE_H2 0.001 -1.772 0.001 -1.772
>score RCVD_IN_MSPIKE_H3 0.001 -0.010 0.001 -0.010
>score RCVD_IN_MSPIKE_H4 0.001 -0.010 0.001 -0.010
>score RCVD_IN_MSPIKE_H5 0.001 -1.000 0.001 -1.000
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.