You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Matus UHLAR - fantomas <uh...@fantomas.sk> on 2019/04/29 13:50:18 UTC
DOS_OUTLOOK_TO_MX dependency on T_DOS_OUTLOOK_TO_MX_IMAGE
Hello,
I see that DOS_OUTLOOK_TO_MX is complementary to T_DOS_OUTLOOK_TO_MX_IMAGE:
meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA && __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
I am not sure whether it's wise to have rule depending on test (T_) rule.
it also lowers final score, because:
score DOS_OUTLOOK_TO_MX 2.636 1.449 1.737 2.845
while T_ only has 0.01
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
Re: DOS_OUTLOOK_TO_MX dependency on T_DOS_OUTLOOK_TO_MX_IMAGE
Posted by John Hardin <jh...@impsec.org>.
On Mon, 29 Apr 2019, Matus UHLAR - fantomas wrote:
>> On Mon, 29 Apr 2019, Matus UHLAR - fantomas wrote:
>>> I see that DOS_OUTLOOK_TO_MX is complementary to
>>> T_DOS_OUTLOOK_TO_MX_IMAGE:
>>>
>>> meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA &&
>>> __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
>>>
>>> meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA &&
>>> __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
>
>> That sort of thing is intentional to avoid double-scoring a single email on
>> two very similar rules (typically a more-general rule and a more-specific
>> verison of that rule, as is the case here), and to reduce the impact on
>> scoring of a pair of rules where one hits more low-scoring spam than the
>> other (i.e. to try to keep the more-specific rule's score high regardless
>> of the profile of the more-generic rule).
>
> I understand the concept, but it is imho broken by having the latter scored
> 0.01 by default
Maybe. The _IMAGE version's recent S/O is 0.005 - 0.006, so having a FYI
score for that variant doesn't (seem) to be too painful - presuming the
masscheck corpora reasonably reflect reality.
In fact, at the moment, that exclusion actually seems to be *improving*
the S/O of the more-generic variant.
>>> I am not sure whether it's wise to have rule depending on test (T_) rule.
>
> On 29.04.19 07:49, John Hardin wrote:
>> That is potentially a concern.
>>
>> In this situation it would be better to make the second rule a combination
>> of a subrule (used in the exclusion) and a scored rule (which at the moment
>> is performing too poorly to promote and publish).
>
> poorly compatible to what? I wouldn't object against score 0.01 if it came
> from masscheck. But DOS_OUTLOOK_TO_MX currently scores significantly and I
> wonder whether it's enough for client to add image to push score down to
> 0.01
Perhaps for a while. If that started to be widespread then the performance
of the _IMAGE variant would improve, probably enough to be published.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you are "fighting for social justice," then you are defining
yourself as someone who considers regular old everyday
*equal* justice to be something you don't want. -- GOF at TSM
-----------------------------------------------------------------------
2 days until May Day - Remember 110 million people murdered by Communism
Re: DOS_OUTLOOK_TO_MX dependency on T_DOS_OUTLOOK_TO_MX_IMAGE
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On Mon, 29 Apr 2019, Matus UHLAR - fantomas wrote:
>>I see that DOS_OUTLOOK_TO_MX is complementary to T_DOS_OUTLOOK_TO_MX_IMAGE:
>>
>>meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA &&
>>__DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
>>
>>meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA &&
>>__DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
>That sort of thing is intentional to avoid double-scoring a single
>email on two very similar rules (typically a more-general rule and a
>more-specific verison of that rule, as is the case here), and to
>reduce the impact on scoring of a pair of rules where one hits more
>low-scoring spam than the other (i.e. to try to keep the more-specific
>rule's score high regardless of the profile of the more-generic rule).
I understand the concept, but it is imho broken by having the latter scored
0.01 by default
>>I am not sure whether it's wise to have rule depending on test (T_) rule.
On 29.04.19 07:49, John Hardin wrote:
>That is potentially a concern.
>
>In this situation it would be better to make the second rule a
>combination of a subrule (used in the exclusion) and a scored rule
>(which at the moment is performing too poorly to promote and publish).
poorly compatible to what? I wouldn't object against score 0.01 if it came
from masscheck. But DOS_OUTLOOK_TO_MX currently scores significantly and I
wonder whether it's enough for client to add image to push score down to
0.01
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
Re: DOS_OUTLOOK_TO_MX dependency on T_DOS_OUTLOOK_TO_MX_IMAGE
Posted by John Hardin <jh...@impsec.org>.
On Mon, 29 Apr 2019, Matus UHLAR - fantomas wrote:
> Hello,
>
> I see that DOS_OUTLOOK_TO_MX is complementary to T_DOS_OUTLOOK_TO_MX_IMAGE:
>
> meta DOS_OUTLOOK_TO_MX __ANY_OUTLOOK_MUA && !__OE_MUA &&
> __DOS_DIRECT_TO_MX && !T_DOS_OUTLOOK_TO_MX_IMAGE
>
> meta T_DOS_OUTLOOK_TO_MX_IMAGE __ANY_OUTLOOK_MUA && !__OE_MUA &&
> __DOS_DIRECT_TO_MX && __ANY_IMAGE_ATTACH
That sort of thing is intentional to avoid double-scoring a single email
on two very similar rules (typically a more-general rule and a
more-specific verison of that rule, as is the case here), and to reduce
the impact on scoring of a pair of rules where one hits more low-scoring
spam than the other (i.e. to try to keep the more-specific rule's score
high regardless of the profile of the more-generic rule).
> I am not sure whether it's wise to have rule depending on test (T_) rule.
That is potentially a concern.
In this situation it would be better to make the second rule a combination
of a subrule (used in the exclusion) and a scored rule (which at the
moment is performing too poorly to promote and publish).
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You do not examine legislation in the light of the benefits it
will convey if properly administered, but in the light of the
wrongs it would do and the harms it would cause if improperly
administered. -- Lyndon B. Johnson
-----------------------------------------------------------------------
2 days until May Day - Remember 110 million people murdered by Communism