Re[2]: False positive in 70_sare_header0

[Robert Menschel <Ro...@Menschel.net>]

Hello Christoph,

Saturday, January 15, 2005, 7:08:44 AM, you wrote:

>> Can you forward me a few complete emails with headers, non-spam, that
>> demonstrate this?

CMT> (My contribution to The Corpus was sent off-list).

Received and applied to the corpus.  Thanks.


>> SARE rules are built from our experience, and scored according to the
>> emails in our corpora, and none of us had any non-spam with that
>> characteristic. If you can send us some for inclusion in my corpus,
>> that will give us the evidence we need to handle this correctly.

CMT> Scrolling through header0, I noticed some other domains which could
CMT> belong to ISPs. Of course they just might have a lot of spam bots
CMT> on ther customers' computers, as almost every ISP has now.
CMT> Would some investigations on the true origin of these domains 
CMT> help improving the rules or is there just too much spam and nearly
CMT> no other mail coming from these ISPs (most of them located in south
CMT> america)?

At the very least, that investigation can be documented in #note
lines, which will help us know what to do if/when we eventually have a
non-spam from such domains. So that would be good.

I've been concerned about the domains that are ISPs but that generate
nothing but spam as far as we can tell.  An example would be
virtua.com.br, as applied in the SARE_RECV_VIRTUACOMBR rule.

I'm thinking that perhaps these should be converted to meta rules,
something along the lines of
header __SARE_RECV_VIRTUACOMBR Received...
meta   SARE_RECV_VIRTUACOMBR  __SARE_RECV_VIRTUACOMBR && ! ISP_SPAM_OK_BR
where ISP_SPAM_OK_BR is normally not defined, and therefore (under SA
3.0) the meta will test strictly on __SARE_RECV_VIRTUACOMBR.

Someone who wants to turn off all *.br spam rules would then simply
define
meta   ISP_SPAM_OK_BR  1
or something like that.

Comments?

Bob Menschel