Posted to users@spamassassin.apache.org by pipjg <sl...@hotmail.co.uk> on 2011/11/21 12:11:48 UTC
Return Path Whitelists, RP_SAFE, RP_CERTIFIED, RP_MATCHES
Hi,
Was wondering if I could have some advice, and I probably know what I'm going
to do anyway, just wanted a few others' opinions.
I've been analysing a load of mail which is having its SA score reduced by
what looks like paid for whitelists. A view of the SA scores I'm seeing is:
Rule                  Total    Ham      %     Spam    %
RP_MATCHES_RCVD       161,165  142,559  88.5  18,606  11.5
RCVD_IN_RP_SAFE       22,405   22,399   100   6       0
RCVD_IN_RP_CERTIFIED  22,130   22,125   100   5       0
RCVD_IN_RP_RNBL       12,794   43       0.3   12,751  99.7
T_RP_MATCHES_RCVD     7,080    5,072    71.6  2,008   28.4
Now looking at virtually ALL of these they look like SPAM.
Now the scores for this GASH are as follows:
RP_MATCHES_RCVD       -2.023  -1.201  -2.023  -1.201
RCVD_IN_RP_SAFE        0.0    -2.0     0.0    -2.0
RCVD_IN_RP_CERTIFIED   0.0    -3.0     0.0    -3.0
RCVD_IN_RP_RNBL        0       1.284   0       1.31
For some reason I can't find any scores for T_RP_MATCHES_RCVD. Am I being
dumb here? Does the T_ mean something I don't know?
So anyway, what I reckon I should do is get rid of all the negative scores
for these Rules, as looking at the scores above, they are all suspicious,
and looking at the actual mails, they are pretty dodgy.
Has anyone else seen this or got any advice on this matter? Should we be
trusting a paid for whitelist?
I also saw something about fake RP headers? Could this be the case?
Thanks
Pip
(Apologies have posted same to mailing list but thought I'd try a 2 pronged
approach!)
Re: Return Path Whitelists, RP_SAFE, RP_CERTIFIED, RP_MATCHES
Posted by Benny Pedersen <me...@junc.org>.
On Mon, 21 Nov 2011 03:11:48 -0800 (PST), pipjg wrote:
> Has anyone else seen this or got any advice on this matter? Should we be
> trusting a paid for whitelist?
where do you pay ?
why not report spam to returnpath ?
but feel free to set scores to zero, if you like to pay :-)
Re: Return Path Whitelists, RP_SAFE, RP_CERTIFIED, RP_MATCHES
Posted by Bowie Bailey <Bo...@BUC.com>.
On 11/21/2011 10:53 AM, darxus@chaosreigns.com wrote:
> On 11/21, pipjg wrote:
>> dumb here? Does the T_ mean something I don't know?
> Yes, it means there is a bug in the way spamassassin rules are being
> published. It stands for "testing".
>
> "rules with a T_ prefix to their names are never published"
> - http://wiki.apache.org/spamassassin/SaUpdateBackend
> This is the first google hit for: spamassassin t_
>
> Although I don't currently see T_RP_MATCHES_RCVD in my rules. Run
> sa-update again (you run it daily from cron, right?), check to see if it's
> still there, and if it is, open a bug:
> https://issues.apache.org/SpamAssassin/
>
> Rules that don't have a score defined have a default score of 1, or, in
> this case, -1, because it has the "nice" flag set (it's intended to hit
> ham, not spam).
Except for T_ rules -- they have a default score of 0.01.
--
Bowie
Re: Return Path Whitelists, RP_SAFE, RP_CERTIFIED, RP_MATCHES
Posted by da...@chaosreigns.com.
On 11/21, pipjg wrote:
> dumb here? Does the T_ mean something I don't know?
Yes, it means there is a bug in the way spamassassin rules are being
published. It stands for "testing".
"rules with a T_ prefix to their names are never published"
- http://wiki.apache.org/spamassassin/SaUpdateBackend
This is the first google hit for: spamassassin t_
Although I don't currently see T_RP_MATCHES_RCVD in my rules. Run
sa-update again (you run it daily from cron, right?), check to see if it's
still there, and if it is, open a bug:
https://issues.apache.org/SpamAssassin/
Rules that don't have a score defined have a default score of 1, or, in
this case, -1, because it has the "nice" flag set (it's intended to hit
ham, not spam).
--
"A ship in a port is safe, but that's not what ships are built for."
-Grace Murray Hopper
http://www.ChaosReigns.com
Re: Return Path Whitelists, RP_SAFE, RP_CERTIFIED, RP_MATCHES
Posted by RW <rw...@googlemail.com>.
On Mon, 21 Nov 2011 13:50:05 +0000
RW wrote:
> On Mon, 21 Nov 2011 03:11:48 -0800 (PST)
> pipjg wrote:
> > Rule             Total    Ham      %     Spam    %
> > RP_MATCHES_RCVD  161,165  142,559  88.5  18,606  11.5
> > RCVD_IN_RP_SAFE  22,405   22,399
> describe RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
Actually, now I come to think about it I had a problem with
RP_MATCHES_RCVD, and I wasn't the only one:
http://old.nabble.com/RP_MATCHES_RCVD-to32157087.html
Re: Return Path Whitelists, RP_SAFE, RP_CERTIFIED, RP_MATCHES
Posted by RW <rw...@googlemail.com>.
On Mon, 21 Nov 2011 03:11:48 -0800 (PST)
pipjg wrote:
>
> Hi,
>
> Was wondering if I could have some advice, and I probably know what I'm
> going to do anyway, just wanted a few others' opinions.
>
> I've been analysing a load of mail which is having its SA score
> reduced by what looks like paid for whitelists. A view of the SA
> scores I'm seeing is:
>
> Rule                  Total    Ham      %     Spam    %
> RP_MATCHES_RCVD       161,165  142,559  88.5  18,606  11.5
> RCVD_IN_RP_SAFE       22,405   22,399   100   6       0
> RCVD_IN_RP_CERTIFIED  22,130   22,125   100   5       0
> RCVD_IN_RP_RNBL       12,794   43       0.3   12,751  99.7
> T_RP_MATCHES_RCVD     7,080    5,072    71.6  2,008   28.4
>
> Now looking at virtually ALL of these they look like SPAM.
No they don't, you haven't read your own results correctly.
RCVD_IN_RP_SAFE and RCVD_IN_RP_CERTIFIED are ~100% Ham. RCVD_IN_RP_RNBL
is a blacklist rule, so it's supposed to hit spam.
[T_]RP_MATCHES_RCVD are not ReturnPath whitelist rules:
describe RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
Everything related to ReturnPath.net/senderscore is working
remarkably well for you.
> For some reason I can't find any scores for T_RP_MATCHES_RCVD. Am I
> being dumb here? Does the T_ mean something I don't know?
T_* rules are under test, so it's an earlier name for RP_MATCHES_RCVD.
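
An added example, not part of any post in this thread and not SpamAssassin's own code: it shows how the four-column `score` lines quoted above resolve to one effective score per rule (the columns are SpamAssassin's four score sets, selected by whether Bayes and network tests are enabled), and how the defaults mentioned in the replies apply to a rule with no `score` line. The `tflags` lines, the local zero override and the function names are assumptions made for the illustration.

```python
# Added illustration, not SpamAssassin's own code.
# `score` lines are the ones quoted in the thread; the `tflags` lines and the
# final single-value override are constructed for this example.
SAMPLE_CF = """\
score RP_MATCHES_RCVD -2.023 -1.201 -2.023 -1.201
score RCVD_IN_RP_SAFE 0.0 -2.0 0.0 -2.0
score RCVD_IN_RP_CERTIFIED 0.0 -3.0 0.0 -3.0
score RCVD_IN_RP_RNBL 0 1.284 0 1.31
tflags RCVD_IN_RP_SAFE net nice
tflags T_RP_MATCHES_RCVD nice
score RCVD_IN_RP_CERTIFIED 0   # local override: neutralise the whitelist hit
"""


def parse(cf_text):
    """Collect `score` and `tflags` lines; later lines override earlier ones."""
    scores, flags = {}, {}
    for raw in cf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        keyword, rule, args = fields[0], fields[1], fields[2:]
        if keyword == "score":
            values = [float(a) for a in args]
            if len(values) == 1:          # one value applies to every score set
                values *= 4
            if len(values) != 4:          # simplification: only 1 or 4 accepted
                raise ValueError(f"unsupported score line: {raw!r}")
            scores[rule] = values
        elif keyword == "tflags":
            flags[rule] = set(args)
    return scores, flags


def effective_score(rule, scores, flags, bayes, net):
    """Score a hit on `rule` contributes for the given Bayes/network setup."""
    if rule in scores:
        # Column order: 0 = neither, 1 = net only, 2 = Bayes only, 3 = both.
        return scores[rule][2 * int(bayes) + int(net)]
    # No explicit score: defaults as stated in the thread (1, or 0.01 for T_).
    default = 0.01 if rule.startswith("T_") else 1.0
    # Negated for "nice" rules; applying that to T_ rules too is an assumption.
    return -default if "nice" in flags.get(rule, ()) else default


if __name__ == "__main__":
    scores, flags = parse(SAMPLE_CF)
    for name in ("RP_MATCHES_RCVD", "RCVD_IN_RP_SAFE", "RCVD_IN_RP_CERTIFIED",
                 "RCVD_IN_RP_RNBL", "T_RP_MATCHES_RCVD"):
        print(f"{name:22} {effective_score(name, scores, flags, True, True):+.3f}")
```

With network tests disabled, the DNS-based rules score 0 in this sample, so only RP_MATCHES_RCVD still lowers a message's score.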