Posted to users@spamassassin.apache.org by jdow <jd...@earthlink.net> on 2005/03/25 12:29:04 UTC

SARE suggestion

It seems there are a lot of anti-spam headers which, if they are seen
on incoming email, are a fairly good indication that the message is
spam. Kaspersky Anti-Spam is one such puppy with its often appearing
X-Spamtest-Munged-Info header. That appears in exactly one folder on
my system with a 3 gigabyte mail corpus, the Spam directory.

Now, it may be that on a given system spam may get filtered twice.
So a SARE rule set with all known anti-spam headers in it with a
clearly delineated set of score overrides that can be uncommented
is called for. That way somebody stuck behind a KAS system who runs
his own spamassassin can still use the rule with the X-SpamTest-Info
score set to zero. Most users will simply leave the rule on with a
fairly secure medium to high score and capture a large chunk of spam
very reliably.

{^_^}


Re: SARE suggestion

Posted by jdow <jd...@earthlink.net>.
From: "Robert Menschel" <Ro...@Menschel.net>

> Hello jdow,
> 
> Friday, March 25, 2005, 3:29:04 AM, you wrote:
> 
> j> It seems there are a lot of anti-spam headers which, if they are seen
> j> on incoming email, are a fairly good indication that the message is
> j> spam. Kaspersky Anti-Spam is one such puppy with its often appearing
> j> X-Spamtest-Munged-Info header. That appears in exactly one folder on
> j> my system with a 3 gigabyte mail corpus, the Spam directory.
> 
> j> Now, it may be that on a given system spam may get filtered twice.
> j> So a SARE rule set with all known anti-spam headers in it with a
> j> clearly delineated set of score overrides that can be uncommented
> j> is called for. That way somebody stuck behind a KAS system who runs
> j> his own spamassassin can still use the rule with the X-SpamTest-Info
> j> score set to zero. Most users will simply leave the rule on with a
> j> fairly secure medium to high score and capture a large chunk of spam
> j> very reliably.
> 
> Good suggestion.
> 
> Since we SARE Ninjas are obviously "stuck behind" SA systems, we don't
> often see these additional headers.  If you (and others) can send
> sample headers to me, sare@menschel.net, or header@rulesemporium.com,
> I'll collect them, validate them through mass-checks, and hopefully
> come out with an "antispamspam" (?) rules file. (Or maybe this should
> be a new file inside the 70_sare_header*.cf family?)
> 
> Bob Menschel

The chief trick here is to be able to turn off the individual tests for
a specific anti-spam engine if they are likely to be seen internally
as from trips through two traps in series.

{^_^}


Re: SARE suggestion

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello jdow,

Friday, March 25, 2005, 3:29:04 AM, you wrote:

j> It seems there are a lot of anti-spam headers which, if they are seen
j> on incoming email, are a fairly good indication that the message is
j> spam. Kaspersky Anti-Spam is one such puppy with its often appearing
j> X-Spamtest-Munged-Info header. That appears in exactly one folder on
j> my system with a 3 gigabyte mail corpus, the Spam directory.

j> Now, it may be that on a given system spam may get filtered twice.
j> So a SARE rule set with all known anti-spam headers in it with a
j> clearly delineated set of score overrides that can be uncommented
j> is called for. That way somebody stuck behind a KAS system who runs
j> his own spamassassin can still use the rule with the X-SpamTest-Info
j> score set to zero. Most users will simply leave the rule on with a
j> fairly secure medium to high score and capture a large chunk of spam
j> very reliably.

Good suggestion.

Since we SARE Ninjas are obviously "stuck behind" SA systems, we don't
often see these additional headers.  If you (and others) can send
sample headers to me, sare@menschel.net, or header@rulesemporium.com,
I'll collect them, validate them through mass-checks, and hopefully
come out with an "antispamspam" (?) rules file. (Or maybe this should
be a new file inside the 70_sare_header*.cf family?)

Bob Menschel
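
A sketch of the idea discussed in this thread, added here as an example and not taken from any poster or from SARE: tally the foreign anti-spam headers across labelled ham and spam, then emit SpamAssassin `exists:` rules with a zero-score override that is live only when the header also turns up in ham (the "two traps in series" case). The rule names, the 2.0 score and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Header names taken from the thread; add others as samples are collected.
CANDIDATES = ["X-Spamtest-Munged-Info", "X-SpamTest-Info"]

# Constructed sample corpus: (folder label, raw message).
SAMPLE = [
    ("spam", "From: a@example.com\nX-Spamtest-Munged-Info: constructed\n\nbuy now\n"),
    ("spam", "From: b@example.com\nX-SpamTest-Info: constructed\n\nbuy now\n"),
    ("ham", "From: c@example.com\nX-SpamTest-Info: constructed\n\nlunch?\n"),
    ("ham", "From: d@example.com\nSubject: notes\n\nattached\n"),
]

def tally(corpus):
    """Count, per candidate header, how many ham and spam messages carry it."""
    counts = {h: {"ham": 0, "spam": 0} for h in CANDIDATES}
    for label, raw in corpus:
        msg = message_from_string(raw)
        for h in CANDIDATES:
            if msg.get(h) is not None:  # email header lookup is case-insensitive
                counts[h][label] += 1
    return counts

def rule_name(header):
    # Hypothetical naming scheme, not an actual SARE rule name.
    return "LOCAL_ANTISPAM_" + header.upper().replace("-", "_")

def build_rules(counts, score=2.0):
    """Return .cf lines: one 'exists' rule per header seen in spam, each with
    a zero-score override that is live only if the header also shows up in ham."""
    lines = []
    for header, n in counts.items():
        if n["spam"] == 0:
            continue  # no evidence in this corpus, emit nothing
        name = rule_name(header)
        lines.append(f"header {name} exists:{header}")
        lines.append(f"score {name} {score}")  # assumed score, tune locally
        override = f"score {name} 0"
        # Header in ham means a local upstream filter adds it: disable the rule.
        lines.append(override if n["ham"] else "# " + override)
    return lines

if __name__ == "__main__":
    print("\n".join(build_rules(tally(SAMPLE))))
```

Because a later `score` line overrides an earlier one, the uncommented zero-score line switches the rule off without removing it from the file.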