Posted to users@spamassassin.apache.org by Robert Boyl <ro...@gmail.com> on 2018/03/09 14:09:40 UTC

razor?

Hi, everyone

Just wondering, what are your thoughts on Razor?

Haven't analysed a big amount of emails yet, but I've had a few cases where it
causes very strange false positives that make no sense.

and adds a lot of points...

RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43, RAZOR2_CHECK
1.73

It says on their site " Detection is done with statistical and randomized
signatures that efficiently spot mutating spam content. "

For example those scores were for a totally legit email that had some
screenshots embedded in the email...

Also, how to report FP?

Thanks.
Rob

Re: razor?

Posted by RW <rw...@googlemail.com>.
On Sat, 10 Mar 2018 09:39:20 +0100
Matus UHLAR - fantomas wrote:


> >>>For example those scores were for a totally legit email that had
> >>>some screenshots embedded in the email...  
> 
> some screenshots? afaik razor only works on text parts, so short mail
> is quite possible to be detected (as some people report image-only
> spam)

As I said, razor uses a combination of URI domains and text size.

Very short emails are all counted as the same size, which makes them
more likely to FP, but an image-only spam, without a URI, cannot be
listed in razor.

Re: razor?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>On Fri, 9 Mar 2018 11:09:40 -0300
>>Robert Boyl wrote:
>>>Just wondering, what are your thoughts on Razor?

razor is great at spam detection.

>>>It says on their site " Detection is done with statistical and
>>>randomized signatures that efficiently spot mutating spam content. "
>>>
>>>For example those scores were for a totally legit email that had some
>>>screenshots embedded in the email...

some screenshots? afaik razor only works on text parts, so short mail is
quite possible to be detected (as some people report image-only spam)

>>>Also, how to report FP?

razor-revoke -d -dl=2 -f false-positives

where "false-positives" is a file in mbox format.

On 09.03.18 09:26, David Jones wrote:
>RAZOR like DCC and PYZOR shouldn't be used as a sole source of 
>determining spam. 

especially DCC, since it measures bulkiness, not spamminess.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease

Re: razor?

Posted by Ian Zimmerman <it...@very.loosely.org>.
On 2018-03-09 09:26, David Jones wrote:

> RAZOR like DCC and PYZOR shouldn't be used as a sole source of
> determining spam.  These are indicators that combine with other rule
> hits and scores to be one of many factors.  If the score was 10 or
> more then you would worry about reporting FPs.

Well, _someone_ has to report the FP (I think Razor, confusingly, terms
that "whitelisting") for the misclassification to be reversed.  That's
how Razor is supposed to work - it is a reputation service, both
positive and negative, not just a list of badness.  Making the score
less than a poison pill helps _you_ avoid a FP but it leaves the wrong
result in place for other recipients.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

Re: razor?

Posted by David Jones <dj...@ena.com>.
On 03/09/2018 08:58 AM, RW wrote:
> On Fri, 9 Mar 2018 11:09:40 -0300
> Robert Boyl wrote:
> 
>> Hi, everyone
>>
>> Just wondering, what are your thoughts on Razor?
>>
>> Haven't analysed a big amount of emails yet, but I've had a few cases
>> where it causes very strange false positives that make no sense.
>>
>> and adds a lot of points...
>>
>> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43,
>> RAZOR2_CHECK 1.73
> 
> 
> That's out of date
> 
> score RAZOR2_CHECK 0 1.729 0 0.922 # n=0
> score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2
> 
> 
>> It says on their site " Detection is done with statistical and
>> randomized signatures that efficiently spot mutating spam content. "
>>
>> For example those scores were for a totally legit email that had some
>> screenshots embedded in the email...
> 
> It's nothing to do with that, currently it's based on a combination of
> text size and URI domains, it's not far-off being a URIBL.
> 
> 
>> Also, how to report FP?
> 

RAZOR like DCC and PYZOR shouldn't be used as a sole source of 
determining spam.  These are indicators that combine with other rule 
hits and scores to be one of many factors.  If the score was 10 or more 
then you would worry about reporting FPs.

If RAZOR scores alone are pushing legit mail over the block threshold, 
then you need to do something like whitelist_auth the sender if they are 
trustworthy and have good SPF or DKIM, train the Bayes DB better, or add 
some custom whitelist rules to bring the score down below 5 -- assuming 
you still have the default block threshold at 5.


> In theory (if it hasn't fallen-off) you can do it through SA (spamc or
> spamassassin) or razor-revoke after registering via razor-admin,
> but you would need to build-up a reputation before it carries any
> weight. There may be something on the cloudmark site as well.
> 

-- 
David Jones

Re: razor?

Posted by RW <rw...@googlemail.com>.
On Fri, 9 Mar 2018 11:09:40 -0300
Robert Boyl wrote:

> Hi, everyone
> 
> Just wondering, what are your thoughts on Razor?
> 
> Haven't analysed a big amount of emails yet, but I've had a few cases
> where it causes very strange false positives that make no sense.
> 
> and adds a lot of points...
> 
> RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43,
> RAZOR2_CHECK 1.73


That's out of date

score RAZOR2_CHECK 0 1.729 0 0.922 # n=0
score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2


> It says on their site " Detection is done with statistical and
> randomized signatures that efficiently spot mutating spam content. "
> 
> For example those scores were for a totally legit email that had some
> screenshots embedded in the email...

It's nothing to do with that, currently it's based on a combination of
text size and URI domains, it's not far-off being a URIBL.


> Also, how to report FP?

In theory (if it hasn't fallen-off) you can do it through SA (spamc or
spamassassin) or razor-revoke after registering via razor-admin,
but you would need to build-up a reputation before it carries any
weight. There may be something on the cloudmark site as well.
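
Added example, not part of any poster's message: a small Python reader for the two `score` lines quoted in this thread, totalling what those Razor rules contribute in each SpamAssassin score set and comparing it with the default threshold of 5 mentioned above. The function names are hypothetical; the column order (0 = no Bayes/no net, 1 = net only, 2 = Bayes only, 3 = Bayes and net) is SpamAssassin's score-set convention, and the hit list assumes both quoted rules fired.

```python
# Added example: parse SpamAssassin "score" lines and total the Razor
# contribution for the active score set. Names here are hypothetical.

# The two current score lines quoted in the thread.
SCORE_LINES = """\
score RAZOR2_CHECK 0 1.729 0 0.922 # n=0
score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2
"""

DEFAULT_THRESHOLD = 5.0  # default block threshold mentioned in the thread


def parse_scores(text):
    """Return {rule: [set0, set1, set2, set3]} from 'score' lines."""
    scores = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 3 or fields[0] != "score":
            continue
        values = [float(v) for v in fields[2:]]
        if len(values) == 1:                 # a single value covers all sets
            values *= 4
        if len(values) != 4:
            raise ValueError(f"expected 1 or 4 scores: {raw!r}")
        scores[fields[1]] = values
    return scores


def score_set(use_bayes, use_net):
    """Active column: 0 neither, 1 net only, 2 Bayes only, 3 both."""
    return (2 if use_bayes else 0) + (1 if use_net else 0)


def razor_total(scores, hits, use_bayes, use_net):
    """Sum the active-set scores of the rules named in `hits`."""
    idx = score_set(use_bayes, use_net)
    return round(sum(scores[rule][idx] for rule in hits), 3)


if __name__ == "__main__":
    table = parse_scores(SCORE_LINES)
    hits = list(table)  # assumption: both quoted rules hit the message
    for bayes in (False, True):
        total = razor_total(table, hits, use_bayes=bayes, use_net=True)
        verdict = "over" if total >= DEFAULT_THRESHOLD else "under"
        print(f"bayes={bayes} net=True razor={total} ({verdict} threshold)")
```

Razor is a network test, so both rules score 0 in the two sets where network tests are off.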