Posted to users@spamassassin.apache.org by "ROY,RHETT G" <IS...@womans.com> on 2005/04/15 18:07:46 UTC

Results of adding SARE rules

I recently added the conservative (mass-check testing hit ONLY spam) version
of all the SARE rules that had been updated in 2005. I figured that was as
good a place as any to start. So far so good. Thanks to the Ninjas.

Below are some related stats from my current maillog. I don't make any
claims to their validity or accuracy. Server config is spamd (SA 3.0.2)
being called as a content filter from Postfix. Postfix relays to a MS
Exchange server. 

Anyone have observations or stats to compare?

Rhett Roy

top 10 individual SARE rule hits
   1654 SARE_FROM_SPAM_WORD3
    482 SARE_FROM_SPAM_WORD1
    434 SARE_HEAD_SPAM
    323 SARE_TOCC_COMBO1
    302 SARE_URI_NO_THANKS
    302 SARE_FROM_SPAM_WORD4
    256 SARE_BOUNDARY_09
    254 SARE_MSGID_IP
    250 SARE_HEAD_XBEEN
    204 SARE_REPLY_SPAMWORD1
total individual SARE rules that had one or more hits
    277
total hits by SARE rule file
    565 70_sare_header0.cf
    200 70_sare_genlsubj0.cf
    191 70_sare_specific.cf
    130 70_sare_html0.cf
     88 70_sare_evilnum0.cf
     45 70_sare_uri0.cf
     12 99_sare_fraud_post25x.cf
top 50 rule hits (SARE or other)
   4898 RAZOR2_CF_RANGE_51_100
   4814 RAZOR2_CHECK
   3954 HTML_MESSAGE
   3525 URIBL_SBL
   3262 BAYES_99
   3259 URIBL_OB_SURBL
   2868 NO_RDNS
   2815 DCC_CHECK
   2541 URIBL_WS_SURBL
   2499 DIGEST_MULTIPLE
   1831 URIBL_SC_SURBL
   1654 MIME_HTML_ONLY
   1515 MSGID_FROM_MTA_ID
   1227 URIBL_AB_SURBL
   1147 BAYES_50
   1012 HTML_90_100
    994 HTML_80_90
    950 HTML_IMAGE_RATIO_02
    750 HTML_FONT_BIG
    725 DRUGS_ERECTILE
    682 MPART_ALT_DIFF
    612 MIME_QP_LONG_LINE
    612 DNS_FROM_AHBL_RHSBL
    606 HTML_WEB_BUGS
    603 HTML_TEXT_AFTER_BODY
    597 DNS_FROM_RFC_POST
    569 HTML_TEXT_AFTER_HTML
    566 SARE_FROM_SPAM_WORD3
    532 NO_RDNS2
    515 MARKETING_PARTNERS
    503 EXCUSE_1
    500 RCVD_NUMERIC_HELO
    473 EXCUSE_3
    459 HTML_TAG_EXIST_TBODY
    414 SARE_HEAD_SPAM
    400 BAYES_00
    398 RCVD_HELO_IP_MISMATCH
    382 HTML_IMAGE_ONLY_08
    382 EXCUSE_7
    374 HTML_IMAGE_RATIO_04
    373 PRIORITY_NO_NAME
    354 HTML_40_50
    318 BAYES_80
    310 HTML_50_60
    310 DRUGS_ERECTILE_OBFU
    302 SARE_URI_NO_THANKS
    299 HTML_NONELEMENT_00_10
    298 REMOVE_PAGE
    296 MIME_HTML_MOSTLY
 
-SPAM blocked by RBL today-
         3436 - sbl-xbl.spamhaus.org
          565 - dnsbl.sorbs.net
          535 - dnsbl.njabl.org
Total SMTP Connections
6008
Total Rejected By RBL
4803
Total Flagged By SA
431
Total Delivered
774
Percentage Delivered
12

Re: Results of adding SARE rules

Posted by Raymond Dijkxhoorn <ra...@prolocation.net>.
Hi!

>   4898 RAZOR2_CF_RANGE_51_100
>   4814 RAZOR2_CHECK
>   3954 HTML_MESSAGE
>   3525 URIBL_SBL
>   3262 BAYES_99
>   3259 URIBL_OB_SURBL
>   2868 NO_RDNS
>   2815 DCC_CHECK
>   2541 URIBL_WS_SURBL
>   2499 DIGEST_MULTIPLE
>   1831 URIBL_SC_SURBL
>   1654 MIME_HTML_ONLY
>   1515 MSGID_FROM_MTA_ID
>   1227 URIBL_AB_SURBL

It looks like you are missing JP_SURBL, might be good to add it since it's in 
the multi list also...

urirhssub URIBL_JP_SURBL  multi.surbl.org.        A   64
body      URIBL_JP_SURBL  eval:check_uridnsbl('URIBL_JP_SURBL')
describe  URIBL_JP_SURBL  Has URI in JP at http://www.surbl.org/lists.html
tflags    URIBL_JP_SURBL  net

score URIBL_JP_SURBL    4.0

Something like that.

Bye,
Raymond.
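
Added example, not part of either post: how one multi.surbl.org answer is split into per-list rule hits by the urirhssub bitmask, and which URIs only the JP rule would flag. The value 64 for JP comes from the rule above; the other bit values and the sample answers are assumptions constructed for illustration.

```python
import ipaddress

# Bit each rule tests in the A record returned by multi.surbl.org.
# 64 (JP) is the value given in the reply above; the remaining
# values are assumed for this example.
SURBL_BITS = {
    "URIBL_SC_SURBL": 2,
    "URIBL_WS_SURBL": 4,
    "URIBL_OB_SURBL": 16,
    "URIBL_AB_SURBL": 32,
    "URIBL_JP_SURBL": 64,
}


def rules_hit(a_record, rules=SURBL_BITS):
    """Return the rules (lowest bit first) that match one DNS answer."""
    addr = ipaddress.IPv4Address(a_record)
    # Listing answers live in 127.0.0.x; anything else is not a
    # valid listing and must not be read as a bitmask.
    if addr not in ipaddress.IPv4Network("127.0.0.0/24"):
        raise ValueError("not a DNSBL listing answer: %s" % a_record)
    value = int(addr)
    ordered = sorted(rules.items(), key=lambda kv: kv[1])
    return [name for name, mask in ordered if value & mask]


def only_caught_by(rule, answers, rules=SURBL_BITS):
    """Answers that would score nothing if `rule` were not configured."""
    return [a for a in answers if rules_hit(a, rules) == [rule]]


# Constructed sample answers (one per looked-up URI domain).
SAMPLE_ANSWERS = ["127.0.0.64", "127.0.0.84", "127.0.0.2", "127.0.0.68"]

if __name__ == "__main__":
    for answer in SAMPLE_ANSWERS:
        print(answer, rules_hit(answer))
    print("JP only:", only_caught_by("URIBL_JP_SURBL", SAMPLE_ANSWERS))
```

Because every list shares the same lookup, adding the JP rule costs no extra DNS query; it only tests one more bit of an answer that is already being fetched.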