Posted to users@spamassassin.apache.org by Micah Anderson <mi...@riseup.net> on 2008/02/23 23:54:19 UTC

Low scores

I feel like a lot of pretty obvious spams are getting through my system 
with appallingly low scores. I'm starting to wonder if something may be 
wrong with my setup. Looking at what spam tests did fire, I'm frequently 
surprised that more rules didn't fire (obvious lotto scams and Nigerian 
inheritance scams seem to slip right by) and that the scores are 
surprisingly low... I'd expect satisfyingly high scores for some of 
these, but I'm not seeing them.

I'm looking for people to have a look over these spams and give me some 
ideas of some possible areas for improvement (either score adjustments, 
configuration tweaks, plugins that I should try, etc.). 

The spams can be pulled from here: http://micah.riseup.net/spams

Thanks for any ideas,
micah



Re: Low scores

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> Micah Anderson schrieb:
> 
> | [surprisingly low scores]
> | The spams can be pulled from here: http://micah.riseup.net/spams

On 24.02.08 02:15, Matthias Leisi wrote:
> Most (all?) of the samples are forwarded through some debian.org
> mechanism. In order for blacklists to take full effect, you should
> configure your trust path (trusted_networks etc) accordingly.
> 
> I suggest to wait and see whether and how it gets better before taking
> any additional steps, but Bayes learning may take you the next half mile.

Care of such spams should be done on debian servers. At least mailing lists
do filter spam, and afaik they are very effective. For false negatives see
http://www.debian.org/MailingLists/#ads
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.

Re: Low scores

Posted by micah anderson <mi...@riseup.net>.
On Fri, 12 Mar 2010 15:44:21 -1000, Julian Yap <ju...@gmail.com> wrote:
> On Thu, Mar 11, 2010 at 7:58 AM, micah anderson <mi...@riseup.net> wrote:
> 
> > On Tue, 9 Mar 2010 11:56:56 -1000, Julian Yap <ju...@gmail.com>
> > wrote:
> > > Just wanted to add that this particular line is incorrect:
> > > meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||
> > > USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||
> > > USER_IN_BLACKLIST)
> > >
> > > That will have Blacklisted email filters classified as ham.
> >
> > Interesting, thanks for the reply from an old thread.
> >
> > I got this list from:
> > http://wiki.apache.org/spamassassin/ShortcircuitingRuleset which seems
> > to be something that Justin Mason put together. I have CC'd Justin on
> > this email.


> > Which has the difference of also including "SUBJECT_IN_WHITELIST", and
> > "SUBJECT_IN_BLACKLIST"... but now I am wondering if this is the right
> > thing to do.

I actually removed the SUBJECT_IN rules as this makes it so any
individual user who can whitelist/blacklist a subject can shortcircuit
for everyone.

> > I'm very curious about resolving this, it does seem like a bad setup and
> > it is being taken as gospel from the spamassassin wiki, but perhaps
> > there is something that we are not understanding here that Justin can
> > clarify?
> >
> 
> I'm pretty sure yours is wrong.  You need to take out the rules which
> apply to Spam in spam short circuiting.

I agree with you, it's amazing that this has been wrong on the wiki since
2007! I went to go update the wiki today, and found that you had just
done it. Thanks for doing that!

Micah

Re: Low scores

Posted by Julian Yap <ju...@gmail.com>.
On Fri, Mar 12, 2010 at 3:44 PM, Julian Yap <ju...@gmail.com> wrote:

> On Thu, Mar 11, 2010 at 7:58 AM, micah anderson <mi...@riseup.net> wrote:
>
>> On Tue, 9 Mar 2010 11:56:56 -1000, Julian Yap <ju...@gmail.com>
>> wrote:
>> > Just wanted to add that this particular line is incorrect:
>> > meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||
>> > USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||
>> > USER_IN_BLACKLIST)
>> >
>> > That will have Blacklisted email filters classified as ham.
>>
>> Interesting, thanks for the reply from an old thread.
>>
>> I got this list from:
>> http://wiki.apache.org/spamassassin/ShortcircuitingRuleset which seems
>> to be something that Justin Mason put together. I have CC'd Justin on
>> this email.
>>
>> This list specifies that this was a good shortcircuit rule to have first
>> because these are non-network-based whitelists, locally-generated
>> messages, messages via a trusted relay chain, simple non-network based
>> blacklists.
>>
>> Mine now reads:
>>
>> meta SC_HAM
>> (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||USER_IN_ALL_SPAM_TO||SUBJECT_IN_WHITELIST||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||USER_IN_BLACKLIST||SUBJECT_IN_BLACKLIST)
>> priority SC_HAM -1000
>> shortcircuit SC_HAM ham
>> score SC_HAM -20
>>
>> Which has the difference of also including "SUBJECT_IN_WHITELIST", and
>> "SUBJECT_IN_BLACKLIST"... but now I am wondering if this is the right
>> thing to do.
>>
>> I'm very curious about resolving this, it does seem like a bad setup and
>> it is being taken as gospel from the spamassassin wiki, but perhaps
>> there is something that we are not understanding here that Justin can
>> clarify?
>>
>
> I'm pretty sure yours is wrong.  You need to take out the rules which
> apply to Spam in spam short circuiting.
>
> Here's what I have for my 'ham' section:
> meta SC_HAM (USER_IN_WHITELIST||USER_IN_ALL_SPAM_TO||ALL_TRUSTED)
>
> priority SC_HAM -1000
> shortcircuit SC_HAM ham
> score SC_HAM -1
>
> Here is my 'spam' section:
> meta SC_SPAM (USER_IN_BLACKLIST_TO||USER_IN_BLACKLIST)
> priority SC_SPAM -950
> shortcircuit SC_SPAM spam
> score SC_SPAM 1
>

As an update to this, I rewrote the rules section of this Wiki page:
http://wiki.apache.org/spamassassin/ShortcircuitingRuleset

- Julian

Re: Low scores

Posted by Julian Yap <ju...@gmail.com>.
On Thu, Mar 11, 2010 at 7:58 AM, micah anderson <mi...@riseup.net> wrote:

> On Tue, 9 Mar 2010 11:56:56 -1000, Julian Yap <ju...@gmail.com>
> wrote:
> > Just wanted to add that this particular line is incorrect:
> > meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||
> > USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||
> > USER_IN_BLACKLIST)
> >
> > That will have Blacklisted email filters classified as ham.
>
> Interesting, thanks for the reply from an old thread.
>
> I got this list from:
> http://wiki.apache.org/spamassassin/ShortcircuitingRuleset which seems
> to be something that Justin Mason put together. I have CC'd Justin on
> this email.
>
> This list specifies that this was a good shortcircuit rule to have first
> because these are non-network-based whitelists, locally-generated
> messages, messages via a trusted relay chain, simple non-network based
> blacklists.
>
> Mine now reads:
>
> meta SC_HAM
> (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||USER_IN_ALL_SPAM_TO||SUBJECT_IN_WHITELIST||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||USER_IN_BLACKLIST||SUBJECT_IN_BLACKLIST)
> priority SC_HAM -1000
> shortcircuit SC_HAM ham
> score SC_HAM -20
>
> Which has the difference of also including "SUBJECT_IN_WHITELIST", and
> "SUBJECT_IN_BLACKLIST"... but now I am wondering if this is the right
> thing to do.
>
> I'm very curious about resolving this, it does seem like a bad setup and
> it is being taken as gospel from the spamassassin wiki, but perhaps
> there is something that we are not understanding here that Justin can
> clarify?
>

I'm pretty sure yours is wrong.  You need to take out the rules which
apply to Spam in spam short circuiting.

Here's what I have for my 'ham' section:
meta SC_HAM (USER_IN_WHITELIST||USER_IN_ALL_SPAM_TO||ALL_TRUSTED)
priority SC_HAM -1000
shortcircuit SC_HAM ham
score SC_HAM -1

Here is my 'spam' section:
meta SC_SPAM (USER_IN_BLACKLIST_TO||USER_IN_BLACKLIST)
priority SC_SPAM -950
shortcircuit SC_SPAM spam
score SC_SPAM 1

- Julian
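To make the bug Julian describes concrete, here is a small Python model of how a shortcircuit meta rule is selected (added example, not code from the thread or from SpamAssassin itself). It runs the wiki's original SC_HAM rule and Julian's split SC_HAM/SC_SPAM rules against constructed sets of rule hits; the priority ordering and the "first shortcircuit hit wins" behaviour are modelled from SpamAssassin's documented semantics, and the scoring is simplified (real SpamAssassin additionally forces a large ham/spam score of its own when a shortcircuit fires).

```python
import re

# Constructed from the thread: the wiki rule Micah was using, with blacklist
# rules OR'd into the *ham* shortcircuit ...
WIKI_RULES = """
meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||USER_IN_BLACKLIST)
priority SC_HAM -1000
shortcircuit SC_HAM ham
score SC_HAM -20
"""

# ... and Julian's corrected split into a ham and a spam shortcircuit.
FIXED_RULES = """
meta SC_HAM (USER_IN_WHITELIST||USER_IN_ALL_SPAM_TO||ALL_TRUSTED)
priority SC_HAM -1000
shortcircuit SC_HAM ham
score SC_HAM -1
meta SC_SPAM (USER_IN_BLACKLIST_TO||USER_IN_BLACKLIST)
priority SC_SPAM -950
shortcircuit SC_SPAM spam
score SC_SPAM 1
"""

def parse_rules(text):
    """Parse only the four directives the thread uses: meta, priority, shortcircuit, score."""
    rules = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        kind, name, rest = parts
        r = rules.setdefault(name, {"expr": None, "priority": 0, "sc": None, "score": 1.0})
        if kind == "meta":
            r["expr"] = rest
        elif kind == "priority":
            r["priority"] = int(rest)
        elif kind == "shortcircuit":
            r["sc"] = rest.strip()
        elif kind == "score":
            r["score"] = float(rest)
    return rules

def meta_hits(expr, hits):
    """Evaluate a meta expression (rule names joined by ||, &&, !) against a set of hits."""
    py = re.sub(r"[A-Z][A-Z0-9_]*", lambda m: str(m.group(0) in hits), expr)
    py = py.replace("||", " or ").replace("&&", " and ").replace("!", " not ")
    return bool(eval(py, {"__builtins__": {}}))  # only True/False/or/and/not remain

def classify(rules, hits):
    """Model of shortcircuiting: metas run in ascending priority and the first
    shortcircuit meta that hits ends scanning. Returns (rule, verdict, rule score);
    (None, None, 0.0) means nothing shortcircuited and full scoring would continue."""
    for name, r in sorted(rules.items(), key=lambda kv: kv[1]["priority"]):
        if r["expr"] and r["sc"] and meta_hits(r["expr"], hits):
            return name, r["sc"], r["score"]
    return None, None, 0.0

if __name__ == "__main__":
    for label, text in (("wiki", WIKI_RULES), ("fixed", FIXED_RULES)):
        print(label, "blacklisted sender ->", classify(parse_rules(text), {"USER_IN_BLACKLIST"}))
```

Note that even with the corrected rules, a message that hits both a whitelist and a blacklist rule is shortcircuited as ham, because SC_HAM's priority (-1000) runs before SC_SPAM's (-950).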

Re: Low scores

Posted by micah anderson <mi...@riseup.net>.
On Tue, 9 Mar 2010 11:56:56 -1000, Julian Yap <ju...@gmail.com> wrote:
> Just wanted to add that this particular line is incorrect:
> meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||
> USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||
> USER_IN_BLACKLIST)
> 
> That will have Blacklisted email filters classified as ham.

Interesting, thanks for the reply from an old thread. 

I got this list from:
http://wiki.apache.org/spamassassin/ShortcircuitingRuleset which seems
to be something that Justin Mason put together. I have CC'd Justin on
this email.

This list specifies that this was a good shortcircuit rule to have first
because these are non-network-based whitelists, locally-generated
messages, messages via a trusted relay chain, simple non-network based
blacklists.

Mine now reads:

meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||USER_IN_ALL_SPAM_TO||SUBJECT_IN_WHITELIST||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||USER_IN_BLACKLIST||SUBJECT_IN_BLACKLIST)
priority SC_HAM -1000
shortcircuit SC_HAM ham
score SC_HAM -20

Which has the difference of also including "SUBJECT_IN_WHITELIST", and
"SUBJECT_IN_BLACKLIST"... but now I am wondering if this is the right
thing to do.

I'm very curious about resolving this, it does seem like a bad setup and
it is being taken as gospel from the spamassassin wiki, but perhaps
there is something that we are not understanding here that Justin can
clarify?

micah

Re: Low scores

Posted by Julian Yap <ju...@gmail.com>.
Just wanted to add that this particular line is incorrect:
meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||
USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||
USER_IN_BLACKLIST)

That will have Blacklisted email filters classified as ham.

- Julian


On Sun, Feb 24, 2008 at 8:07 AM, Micah Anderson <mi...@riseup.net> wrote:

> On Sun, 24 Feb 2008 02:15:24 +0100, Matthias Leisi wrote:
>
> > Micah Anderson schrieb:
> >
> > | [surprisingly low scores]
> > | The spams can be pulled from here: http://micah.riseup.net/spams
> >
> > Most (all?) of the samples are forwarded through some debian.org
> > mechanism. In order for blacklists to take full effect, you should
> > configure your trust path (trusted_networks etc) accordingly.
>
> My trusted_networks is set to:
>
> trusted_networks 202.12.162.
> trusted_networks 10.0.
> trusted_networks 10.8.0.
>
> The first is trusting everything in that IP space, which we control, the
> second is a private network, and the third is a private network. Am I
> specifying those incorrectly perhaps?
>
> I'm also short-circuiting on trusted-relay chained messages, using the
> following:
>
> meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||
> USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||
> USER_IN_BLACKLIST)
> priority SC_HAM -1000
> shortcircuit SC_HAM ham
> score SC_HAM -20
>
> But I log in the headers all short-circuit status, with the following
> (and you won't see short-circuiting in the examples I posted):
>
> status
> add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_
> tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_
> version=_VERSION_"
>
> Do I have something misconfigured in my trust path? I do have a forward
> from a debian.org email address that occasionally sends me legit email
> (although it does seem like a lot of spam gets through there), but I don't
> believe I have that domain in a whitelist anywhere.
>
> thanks
> micah
>
>

Re: Low scores

Posted by Micah Anderson <mi...@riseup.net>.
On Sun, 24 Feb 2008 02:15:24 +0100, Matthias Leisi wrote:

> Micah Anderson schrieb:
> 
> | [surprisingly low scores]
> | The spams can be pulled from here: http://micah.riseup.net/spams
> 
> Most (all?) of the samples are forwarded through some debian.org
> mechanism. In order for blacklists to take full effect, you should
> configure your trust path (trusted_networks etc) accordingly.

My trusted_networks is set to:

trusted_networks 202.12.162. 
trusted_networks 10.0.
trusted_networks 10.8.0.

The first is trusting everything in that IP space, which we control, the 
second is a private network, and the third is a private network. Am I 
specifying those incorrectly perhaps?
 
I'm also short-circuiting on trusted-relay chained messages, using the 
following:

meta SC_HAM (USER_IN_WHITELIST||USER_IN_DEF_WHITELIST||
USER_IN_ALL_SPAM_TO||NO_RELAYS||ALL_TRUSTED||USER_IN_BLACKLIST_TO||
USER_IN_BLACKLIST)
priority SC_HAM -1000
shortcircuit SC_HAM ham
score SC_HAM -20

But I log in the headers all short-circuit status, with the following 
(and you won't see short-circuiting in the examples I posted):
 
status
add_header all Status "_YESNO_, score=_SCORE_ required=_REQD_ 
tests=_TESTS_ shortcircuit=_SCTYPE_ autolearn=_AUTOLEARN_ 
version=_VERSION_"

Do I have something misconfigured in my trust path? I do have a forward 
from a debian.org email address that occasionally sends me legit email 
(although it does seem like a lot of spam gets through there), but I don't 
believe I have that domain in a whitelist anywhere.

thanks
micah


Re: Low scores

Posted by Matthias Leisi <ma...@leisi.net>.
Micah Anderson schrieb:

| [surprisingly low scores]
| The spams can be pulled from here: http://micah.riseup.net/spams

Most (all?) of the samples are forwarded through some debian.org
mechanism. In order for blacklists to take full effect, you should
configure your trust path (trusted_networks etc) accordingly.

I suggest to wait and see whether and how it gets better before taking
any additional steps, but Bayes learning may take you the next half mile.

-- Matthias

Re: Low scores

Posted by Micah Anderson <mi...@riseup.net>.
On Sat, 23 Feb 2008 18:52:01 -0800, Loren Wilton wrote:

>> I'm looking for people to have a look over these spams and give me some
>> ideas of some possible areas for improvement (either score adjustments,
>> configuration tweaks, plugins that I should try, etc.).
>>
>> The spams can be pulled from here: http://micah.riseup.net/spams
> 
> It appears to me you have just posted the body text for these spams. 
> Much of the spam catching is done off of the header information, so
> knowing that would help.

Check again, I posted the entire raw maildir message, which includes the 
headers.
 
> Also, knowing which tests did and didn't hit on your system would give
> us an idea what you might be missing.

You can see which tests hit in the headers of these emails. 
 
> That said, do you use the SARE rules?  There are a number of rules there
> that help catch 419's.

Yes, I am using the openprotect channel.

micah


Re: Low scores

Posted by Loren Wilton <lw...@earthlink.net>.
> I'm looking for people to have a look over these spams and give me some
> ideas of some possible areas for improvement (either score adjustments,
> configuration tweaks, plugins that I should try, etc.).
>
> The spams can be pulled from here: http://micah.riseup.net/spams

It appears to me you have just posted the body text for these spams.  Much 
of the spam catching is done off of the header information, so knowing that 
would help.

Also, knowing which tests did and didn't hit on your system would give us an 
idea what you might be missing.

That said, do you use the SARE rules?  There are a number of rules there 
that help catch 419's.

        Loren


Re: Low scores

Posted by Micah Anderson <mi...@riseup.net>.
* Michael Scheidell <sc...@secnap.net> [080223 13:46]:
> > I feel like a lot of pretty obvious spams are getting through my system
> > with appallingly low scores. I'm starting to wonder if something may be
> > wrong with my setup. Looking at what spam tests did fire, I'm frequently
> > surprised that more rules didn't fire (obvious lotto scams and Nigerian
> > inheritance scams seem to slip right by) and that the scores are
> > surprisingly low... I'd expect satisfyingly high scores for some of
> > these, but I'm not seeing them.
> 
> You using any SARES' rules? If you have the cpu cycles, try that.  Also make
> sure you have latest SpamAssassin and are also running sa-update.  If you
> use sa-compile, make sure you run it every time you update rules.

I'm running version 3.2.3-0.volatile1 on Debian etch (it supposedly
has a number of backported fixes from 3.2.4). I run sa-update every
night on two channels: saupdates.openprotect.com (which contains the
recommended rules in the SARE), and updates.spamassassin.org. If there
is an update, I run sa-compile and then restart spamassassin.

Micah

Re: Low scores

Posted by Michael Scheidell <sc...@secnap.net>.
> From: Micah Anderson <mi...@riseup.net>
> Date: Sat, 23 Feb 2008 22:54:19 +0000 (UTC)
> To: <us...@spamassassin.apache.org>
> Subject: Low scores
> 
> 
> I feel like a lot of pretty obvious spams are getting through my system
> with appallingly low scores. I'm starting to wonder if something may be
> wrong with my setup. Looking at what spam tests did fire, I'm frequently
> surprised that more rules didn't fire (obvious lotto scams and Nigerian
> inheritance scams seem to slip right by) and that the scores are
> surprisingly low... I'd expect satisfyingly high scores for some of
> these, but I'm not seeing them.

You using any SARES' rules? If you have the cpu cycles, try that.  Also make
sure you have latest SpamAssassin and are also running sa-update.  If you
use sa-compile, make sure you run it every time you update rules.

-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBsd SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium
