One SPAM that got through

["--[ UxBoD ]--" <ux...@splatnix.net>]

Hi,

I just had this message get through :-

Subject: CONTACT GLOBAL COMPANY FOR YOUR $950,000.00

My Dear Good Friend,

 I have Paid the fee for your Cheque Draft. But the manager of
 Eko Bank Benin told me that before the check will get to you
 that it will expire. So I told him to cash the $950,000.00.
 All the necessary arrangement of delivering the $950,000.00
 in cash was made with GLOBAL MAX COURIER COMPANY.

These are the informations they need to delivery your package to you.
ATTN: DR.JOHN AGBALA
EMAIL:globalmaxservicebenin1@yahoo.fr  )

Please, Send them your contacts information to able them locate you
immediately they arrived in your country with your BOX .This is what
they need from you.

1. YOUR FULL NAME
2.YOUR HOME ADDRESS.
3.YOUR CURRENT HOME TELEPHONE NUMBER.
4.YOUR CURRENT OFFICE TELEPHONE.
5.A COPY OF YOUR PICTURE

Please make sure you send this needed informations to the Director
general of Global MAX Courier Company DR.JOHN AGBALA with the
address given to you.

Note. The Global Express courier company doesn't know the contents of
the Box. I registered it as a Box of an Africa cloth. They don't know
it contents money. This is to avoid them delaying with the Box.

Don't let them know that is money that is in that Box. I am waiting for
your
urgent response. You can even call the Director of Global MAX Courier
Company with this line +229-9300-4935.

Thanks and Remain Blessed.

DR. Nnoli ugo 

and it only scored 5.6.   These are the rules it hit :-

1.23	ADVANCE_FEE_2	 
0.00	BAYES_50	 
0.72	SARE_URGBIZ	Contains urgent matter
-0.00	SPF_PASS	 
2.08	SUBJ_ALL_CAPS	 
1.58	URG_BIZ

I have my SA SPAM score to trigger on 6 and above.  Do you think that is to high ? or anyone know of a ruleset to raise the score on these ?

TIA

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: One SPAM that got through

["--[ UxBoD ]--" <ux...@splatnix.net>]

----- "Matt Kettler" <mk...@verizon.net> wrote:

--[ UxBoD ]-- wrote:
> Hi,
>
> I just had this message get through :-
>
>   
<snip>
> and it only scored 5.6.   These are the rules it hit :-
>
> 1.23	ADVANCE_FEE_2	 
> 0.00	BAYES_50	 
> 0.72	SARE_URGBIZ	Contains urgent matter
> -0.00	SPF_PASS	 
> 2.08	SUBJ_ALL_CAPS	 
> 1.58	URG_BIZ
>   
Looks like you might want to do some bayes training on that message. All 
the capitalized text should be an easy target.
> I have my SA SPAM score to trigger on 6 and above.  Do you think that is to high ? or anyone know of a ruleset to raise the score on these ?
>   

Too high? no. Too high to expect there to be no missed spam, yes.

Raising your threshold reduces false positives (nonspam tagged as spam), 
but it also increases your false negatives (spam that's missed). 
Lowering your score threshold has the opposite effect.

When picking a threshold, you're making a trade-off.. Pick one based on 
what's important to you. Some folks run as high as 8.0, and others as 
low as 2.0. Both numbers are pretty extreme, but you get the idea.

For reference, in the set3 mass-checks, going from 5.0 to 6.0 more 
halved the FPs (down to 45% of what they were at 5.0), but also 
increased FNs by 78%.

The default 5.0 score is already pretty biased towards favoring FPs over 
FN's. The score assigner tries to tune the scores so at 5.0 there's 
roughly 100 times more FNs than FPs, while keeping both as low as 
possible. In practice it's more like 50 times more, but that's what it's 
trying for..

to quote STATISTICS-set3.txt from SA 3.2.4:

# SUMMARY for threshold 5.0:
# Correctly non-spam:  67508  99.94%
# Correctly spam:     117303  98.51%
# False positives:        42  0.06%
# False negatives:      1780  1.49%


>

Hi Matt,

Many thanks, that was a very helpful description.

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: uxbod@sip.splatnix.net
>   


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: One SPAM that got through

[Matt Kettler <mk...@verizon.net>]

--[ UxBoD ]-- wrote:
> Hi,
>
> I just had this message get through :-
>
>   
<snip>
> and it only scored 5.6.   These are the rules it hit :-
>
> 1.23	ADVANCE_FEE_2	 
> 0.00	BAYES_50	 
> 0.72	SARE_URGBIZ	Contains urgent matter
> -0.00	SPF_PASS	 
> 2.08	SUBJ_ALL_CAPS	 
> 1.58	URG_BIZ
>   
Looks like you might want to do some bayes training on that message. All 
the capitalized text should be an easy target.
> I have my SA SPAM score to trigger on 6 and above.  Do you think that is to high ? or anyone know of a ruleset to raise the score on these ?
>   

Too high? no. Too high to expect there to be no missed spam, yes.

Raising your threshold reduces false positives (nonspam tagged as spam), 
but it also increases your false negatives (spam that's missed). 
Lowering your score threshold has the opposite effect.

When picking a threshold, you're making a trade-off.. Pick one based on 
what's important to you. Some folks run as high as 8.0, and others as 
low as 2.0. Both numbers are pretty extreme, but you get the idea.

For reference, in the set3 mass-checks, going from 5.0 to 6.0 more 
halved the FPs (down to 45% of what they were at 5.0), but also 
increased FNs by 78%.

The default 5.0 score is already pretty biased towards favoring FPs over 
FN's. The score assigner tries to tune the scores so at 5.0 there's 
roughly 100 times more FNs than FPs, while keeping both as low as 
possible. In practice it's more like 50 times more, but that's what it's 
trying for..

to quote STATISTICS-set3.txt from SA 3.2.4:

# SUMMARY for threshold 5.0:
# Correctly non-spam:  67508  99.94%
# Correctly spam:     117303  98.51%
# False positives:        42  0.06%
# False negatives:      1780  1.49%


>
>