Posted to users@spamassassin.apache.org by Matt Kettler <mk...@evi-inc.com> on 2004/08/06 21:39:15 UTC

Re: Why is ATT.net coming up as spam due to numeric helo? And why is there no report attachment?

At 03:00 PM 8/6/2004, jdow wrote:
>  I'd expect 3.0-pre2 would be about the same. So where DID
>that 3.5 score come from? Did the fellow reassign it in his local.cf?
>(And if so, why is he bugging the list with it?)

Why would you expect it to be about the same?

Hint: if you think a rule's score is unlikely to change between two SA 
versions, even if that individual rule did not change, you're grossly 
over-simplifying how the GA process works.

EVERY rule in the ruleset affects the score assigned to every other rule. 
The GA works by approximating a solution to an equation in hundreds of 
variables. The rule scores aren't independent variables, they are 
simultaneous variables of a single equation. Thus the correct score for a 
rule is not a function of the rule alone, but also its relationships with 
other rules when the entire ruleset works together. Delete one rule and all 
the optimal scores are likely to shift, and some will shift radically.

It's like a mathematical ecosystem, when a hole is created everything 
shifts around as rules increase in score to fill the gap. These increases 
end up causing false positive cases, which causes other scores to fall, 
causing false negatives which make still more rules rise in score... repeat 
until the cascade of side effects has died down to a semi-stable state and 
about 90% of the scores have changed.



From SA 3.0.0-pre2
         score RCVD_NUMERIC_HELO 1.014 1.645 3.320 3.382

And as a side note, the claimed score is 3.4 not 3.5, so it appears the 
poster is using the defaults.
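
Added example, not part of the original message: a small Python check that matches a per-rule score seen in a report against the four values on a stock `score` line, which is the comparison made in the side note above. The score-set order is SpamAssassin's documented one; the one-decimal rounding of reported scores and the function names are assumptions of this sketch.

```python
from decimal import Decimal, ROUND_HALF_UP

# Meaning of the four positions on a "score" line (SpamAssassin score sets 0-3).
SCORE_SETS = (
    "Bayes off, network tests off",
    "Bayes off, network tests on",
    "Bayes on, network tests off",
    "Bayes on, network tests on",
)

def parse_score_line(line):
    """Return (rule_name, [four Decimal scores]) from a 'score NAME v...' line."""
    fields = line.split("#", 1)[0].split()
    if len(fields) not in (3, 6) or fields[0] != "score":
        raise ValueError(f"not a 1- or 4-value score line: {line!r}")
    values = [Decimal(v) for v in fields[2:]]
    # A single value applies to every score set.
    return fields[1], (values * 4 if len(values) == 1 else values)

def matching_score_sets(score_line, reported):
    """Indexes of the score sets whose value, shown to one decimal, equals `reported`."""
    _, values = parse_score_line(score_line)
    shown = Decimal(reported)
    # Assumption: reports display each rule score rounded to one decimal place.
    return [i for i, v in enumerate(values)
            if v.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP) == shown]

def explain(score_line, reported):
    """One-line verdict: stock score (and which set) or a likely local override."""
    name, _ = parse_score_line(score_line)
    sets = matching_score_sets(score_line, reported)
    if not sets:
        return f"{name} {reported}: matches no stock value, look for a local override"
    return f"{name} {reported}: stock score, " + " or ".join(SCORE_SETS[i] for i in sets)

if __name__ == "__main__":
    stock = "score RCVD_NUMERIC_HELO 1.014 1.645 3.320 3.382"  # line quoted in the post
    print(explain(stock, "3.4"))  # the score the poster actually reported
    print(explain(stock, "3.5"))  # the score guessed earlier in the thread
```
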