You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Cecil Westerhof <Ce...@decebal.nl> on 2012/06/09 11:52:58 UTC
Both rules should not be executed
A few of the mails on this group came in my spam folder because of:
2.9 SPOOF_COM2OTH URI: URI contains ".com" in middle
2.0 SPOOF_COM2COM URI: URI contains ".com" in middle and end
Personally I think that the second one should not be used when the
first is already triggered.
--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof
Re: Both rules should not be executed
Posted by Cecil Westerhof <Ce...@decebal.nl>.
Op zaterdag 9 jun 2012 14:01 CEST schreef RW:
> On Sat, 09 Jun 2012 11:52:58 +0200
> Cecil Westerhof wrote:
>
>> A few of the mails on this group came in my spam folder because of:
>> 2.9 SPOOF_COM2OTH URI: URI contains ".com" in middle
>> 2.0 SPOOF_COM2COM URI: URI contains ".com" in middle and end
>>
>> Personally I think that the second one should not be used when the
>> first is already triggered.
>
> That's equivalent to removing the second rule completely.
>
> It's clearly not an accidental overlap. The implication is that the
> former is a good spam indicator and the latter a virtually certain
> one. They could be rewritten as
>
> 2.9 SPOOF_COM2NOTCOM
> 4.9 SPOOF_COM2COM
>
>
> There's nothing wrong with the way the rules are implemented, but the
> 4.9 score seems very high.
Okay, the combination could be useful, but the scores are to high then.
--
Cecil Westerhof
Senior Software Engineer
LinkedIn: http://www.linkedin.com/in/cecilwesterhof
Re: Both rules should not be executed
Posted by RW <rw...@googlemail.com>.
On Sat, 09 Jun 2012 11:52:58 +0200
Cecil Westerhof wrote:
> A few of the mails on this group came in my spam folder because of:
> 2.9 SPOOF_COM2OTH URI: URI contains ".com" in middle
> 2.0 SPOOF_COM2COM URI: URI contains ".com" in middle and end
>
> Personally I think that the second one should not be used when the
> first is already triggered.
That's equivalent to removing the second rule completely.
It's clearly not an accidental overlap. The implication is that the
former is a good spam indicator and the latter a virtually certain
one. They could be rewritten as
2.9 SPOOF_COM2NOTCOM
4.9 SPOOF_COM2COM
There's nothing wrong with the way the rules are implemented, but the
4.9 score seems very high.
Re: Both rules should not be executed
Posted by Benny Pedersen <me...@junc.org>.
Den 2012-06-09 11:52, Cecil Westerhof skrev:
> A few of the mails on this group came in my spam folder because of:
> 2.9 SPOOF_COM2OTH URI: URI contains ".com" in middle
> 2.0 SPOOF_COM2COM URI: URI contains ".com" in middle and
> end
>
> Personally I think that the second one should not be used when the
> first is already triggered.
meta SPOOF_COMPENSATE (SPOOF_COM2OTH && SPOOF_COM2COM)
describe SPOOF_COMPENSATE Meta: SPOOF_COM2OTH && SPOOF_COM2COM
score SPOOF_COMPENSATE -2.45
that way its scored lower if both is hitting, but still get the single
high score if just one hits