Re: [Assp-test] Analyze shows DKIMNPAddress match as expected, but some messages still processed as spam?

Tue, 17 Apr 2018 02:21:56 -0700 

>If we put the address on the DKIMNPAddress list, shouldn't it honor that 
regardless of anything else? 

REGARDLESS ???

No . this makes no sense.

The pre-DKIM check is skipped for (18103):

invalidSenderDomain (no valid TLD)
whitelisted
acceptAllMail
bounce mails
outgoing mails
RWL high trust
contentOnly
noprocessing (except noprocessing by size)
noDKIMAddresses
noDKIMIP

-----------------------
>don't know if a change from 0.001 to 0.005 would be significant or make 
sense,

Just use the 'Bayes/HMM confidence' graph. This requires 
'enableGraphStats' to be enabled.

>Then there's a ton of spam messages also advertising (fake) handbags and 
they're often using the SAME domain and sometimes identical from address 
as the legit mails.

ASSP has alot of features to indentify the correctness of the origin of an 
email. And there is (IMHO) a big difference between maliciouse spam and 
normal (not dangerous) mails you don't want to get. The later are often 
problematic. Most times it is better to let them pass, than to block 
important mails.

-----------------------

The next version will have an improvement for HMM and Bayesian.
An real problem may become disclaimers and privat and corporate signatues. 
They are always added to outgoing mails, but also to spam reports. They 
can be found in most of the answers to our mails. And for example, in my 
case, they may be added by spammers to there spam mail. Nobody can say, 
how the occurrence of such a disclaimer will affect the HMM and Bayesian 
results. It may possible, that these results differs from day to day, or 
block always good mails, or.let spam pass.

The only way to prevent such "wild" results is to remove the disclaimers, 
before the rebuildspamdb task builds the spamdb and HMMdb. I use this code 
for a month now and I'm really happy with the result.

Thomas





Von:    "K Post" <nntp.p...@gmail.com>
An:     "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Datum:  16.04.2018 17:43
Betreff:        Re: [Assp-test] Analyze shows DKIMNPAddress match as 
expected, but some messages still processed as spam?



I'm always correcting HMM/Bayes by reviewing the block report on a daily 
basis and reporting.  It's a horrible task that I dread, but it is worth 
it.  I have the score set to 50, and 50 as the threshold for rejection.  
We've tried lower, but too much spam is only tagged solely due to a HMM 
hit and slips through.   

I never changed baysConf from the original 0.001 with baysprobablity to 
0.6, but I do have a 1.000 corpus norm.   It's certainly a mature 
installation (15+ years).  The issue I'm having is legit messages, say a 
message advertising handbags from a reputable seller that one of our staff 
buys from (over their lunch hour of course!!).  Then there's a ton of spam 
messages also advertising (fake) handbags and they're often using the SAME 
domain and sometimes identical from address as the legit mails.  HMM/Bayes 
is rightfully biased against all handbag email.  You're saying that 
increasing baysConf will help the legit ones get through but still will 
block the spam ones (with almost identical content)?   I've read through 
the gui for baysConf, but the problem is that which I understand HMM and 
Bayes from a concept standpoint, the calculations aren't something I 
understand, so I don't dare change the 0.0001 threshold without real 
guidance from you.  I understand 1 is the max, but don't know if increases 
linearly or exponentially change levels, don't know if a change from 0.001 
to 0.005 would be significant or make sense, etc.

My hopes with the dkim np was to let hmm spammy mail through if it's a 
dkim match.  Ignore all other results, if the DKIM is good, just let it 
through was my thinking.  I know handbag seller X sends ad mail that's 
DKIM signed, but I don't know when IP they'll come from (or the IP is 
mailing service that I don't want to blanket allow).  This has been quite 
successful with a whole lot of mail.  I've become spoiled, now I want it 
to work for all mail when there's a DKIM match to the NP list.  

You raise another a good point about the 2 kind of DKIM checks, thanks for 
the reminder.  Does it make any sense to always have ASSP do the second 
one and if it validates and matches dkimNPaddress or dkimWLadderss, 
process solely based on that match?  For example, HMM might hit before the 
full body validation of DKIM, but so what?  If we put the address on the 
DKIMNPAddress list, shouldn't it honor that regardless of anything else?  
NO processing, as I'm interpreting it, should mean, well, NONE, so if 
other hits have happened, they're ignored because we said don't process.

I will temporarily change the logging level for a bit and see if I can 
figure out why dkim isn't being done for these messages, but I'm guessing 
that it's by design.

As always, thanks
Ken


On Mon, Apr 16, 2018 at 2:35 AM, Thomas Eckardt <
thomas.ecka...@thockar.com> wrote:
>I'm still seeing scenarios where analyze shows a DKIM NP match, but the 
message is still going to spam based on score from HMM.

The best solution is to correct the corpus, to get better HMM results. You 
may also decrease the scoring points for HMM and/or Bayesian. If the 
corpus is corrected and the corpusnorm is ~ 1.0 , 'baysConf' will increase 
detection correctness. 


If assp receives a mail it acts as a statemachine. If and how a check is 
done, depends on the previouse reached states. 

Using the analyzer, assp acts procedural. Every check is done without any 
state dependency. This is done, to be able to show every feature match. 
The analyzer uses the current configuration, hashes, lists and databases. 
So it may be normal to get different results compared to the real mail 
processing loggings, if a mail is analyzed. 

>DKIM NP match: 

The analyzer checks DKIM without any dependency and shows all results. 

But, if a mail is received, the DKIM check depends on several previouse 
states 
DKIM NP is a resulting state of the DKIM check. So - if any of the 
previouse (DKIM depdency) states prevents the DKIM check, there will be no 
DKIM (DKIM NP) result. The mail will be processed the same way, as it was 
not DKIM signed. 
Every state, that depends on DKIM NP will not be reached. 

You should also remember, that assp use two DKIM checks. The full DKIM 
check, which requires the full mail to be received - the results of this 
check affects only the Plugin Level 2 (full mail) checks. 
And the DKIM-Pre-Check - which is done after the MIME header is received 
and if 'DKIMCacheInterval' is enabled. The results (states) of this check 
affects most of the header checks and all body and full mail checks. 

If you expect but miss a match for 'DKIMWLAddresses' or 'DKIMNPAddresses' 
, you may increase the logging level (ValidateSenderLog, SessionLog, 
ipmatchLogging, slmatchLogging). 

Thomas 




Von:        "K Post" <nntp.p...@gmail.com> 
An:        "ASSP development mailing list" <
assp-test@lists.sourceforge.net> 
Datum:        15.04.2018 23:21 
Betreff:        Re: [Assp-test] Analyze shows DKIMNPAddress match as 
expected, but some messages still processed as spam? 



I'm still seeing scenarios where analyze shows a DKIM NP match, but the 
message is still going to spam based on score from HMM. 

On Mon, Apr 9, 2018 at 12:19 PM, K Post <nntp.p...@gmail.com> wrote: 
cheers. 

On Mon, Apr 9, 2018 at 3:36 AM, Thomas Eckardt <thomas.ecka...@thockar.com
> wrote: 
If assp has modified the original mail header (changed foreign X-ASSP- or 
removed cc,bcc or ...) the DKIM check is skipped and also DKIMNPAddress 
and DKIMWLAddress. 

The next version will try to check, if removed or changed headers are 
protected by a DKIM signature and do the check, if this is not the case. 

Thomas 



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test





DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test





DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Reply via email to