Re: an actual IPv6 spam
Steve Bertrand wrote:
> Greg Troxel wrote:
>
>> Has anyone else gotten v6 spam?
>
> When I first configured my personal mail servers with IPv6, I wrote a
> parser for my Simscan logs, so I could graph v6 email statistics. Since
> then (~June, 2008), I've received six blatant spam messages.
>
> Here is the text representation of these stats of one day last month
> where a v6 spam did come through:

I've had a couple of off-list enquiries, so I'll clarify:

Messages are counted at my primary MX. My secondary MX communicates via IPv6 over the Internet to my primary. Messages sent from external sources via IPv4 to my secondary which are subsequently sent to my primary via IPv6 are NOT counted in the tally.

Only messages where the originating mail server was v6 enabled are counted.

...make sense? ;)

Steve

> Email by protocol stats for 2009/12/25
>
> Total Messages:     1666
> Spam:               1125
> Ham:                541
> Spam % of Total:    67.53 %
>
> Score Total:        23746.10
> Scored Positive:    1368
> Scored Negative:    298
> Score Avg:          14.25
>
> Messages via IPv6:  173
> Percent of total:   10.38 %
> SPAM via IPv6:      1
> Percent of Spam:    0.09 %
>
> Messages via IPv4:  1493
> Percent of Total:   89.62 %
> SPAM via IPv4:      1124
> Percent of Spam:    99.91 %
>
> MTA Connections:    3242
> Accepted:           3143
> Rejected:           99
> Rejected Percent    3.05
>
> ...unfortunately, I believe the actual message from this day has already
> been eradicated, but if there is interest, I'll start keeping them for
> comparison.
>
> Steve
Re: an actual IPv6 spam
Greg Troxel wrote:
> Has anyone else gotten v6 spam?

When I first configured my personal mail servers with IPv6, I wrote a parser for my Simscan logs, so I could graph v6 email statistics. Since then (~June, 2008), I've received six blatant spam messages.

Here is the text representation of these stats of one day last month where a v6 spam did come through:

Email by protocol stats for 2009/12/25

Total Messages:     1666
Spam:               1125
Ham:                541
Spam % of Total:    67.53 %

Score Total:        23746.10
Scored Positive:    1368
Scored Negative:    298
Score Avg:          14.25

Messages via IPv6:  173
Percent of total:   10.38 %
SPAM via IPv6:      1
Percent of Spam:    0.09 %

Messages via IPv4:  1493
Percent of Total:   89.62 %
SPAM via IPv4:      1124
Percent of Spam:    99.91 %

MTA Connections:    3242
Accepted:           3143
Rejected:           99
Rejected Percent    3.05

...unfortunately, I believe the actual message from this day has already been eradicated, but if there is interest, I'll start keeping them for comparison.

Steve
Re: Am I fscking up my bayes db?
Mike Cardwell wrote:
> Steve Bertrand wrote:
>> My question is, given that the messages have already been processed by
>> the 'cuda's (with their header stamps in place), am I damaging, or at
>> risk of confusing the learning process of SA when I classify these
>> messages as SPAM?
>>
>> Are there any negative consequences by doing this?
>
> You should configure bayes to ignore those headers. In your local.cf,
> list each of the cuda headers like this:
>
> bayes_ignore_header X-CudaHeader1
> bayes_ignore_header X-CudaHeader2
> bayes_ignore_header X-CudaHeader3

Thanks Mike.

It's extremely infrequent how often I have to touch my email setup, but I've always been curious about this.

Given your recommendation, would you say that a reset on the db should be performed? Essentially, is it fair to say that what I've done has possibly caused damage?

Steve

ps. fwiw, I feel that my SA setup is not under-performing in any way at this time.
Am I fscking up my bayes db?
Hi everyone,

I aggregate my work and personal email accounts within the same email client. All accounts are IMAP-based.

My $work employs a Barracuda cluster, and of course my box runs SA.

From time-to-time, I'll get a SPAM message come through the 'cuda's. From there, I move the message from one IMAP folder in my MUA into another SPAM folder, which essentially is a transfer from a work storage server onto my server.

Every few days, I run sa-learn against the collected SPAM messages.

My question is, given that the messages have already been processed by the 'cuda's (with their header stamps in place), am I damaging, or at risk of confusing the learning process of SA when I classify these messages as SPAM?

Are there any negative consequences by doing this?

Steve
Re: rDNS none in stats with IPv6
SpamAssassin doesn't perform DNS lookups on the Received headers if at all possible -- it's assumed that your MTA will do that in advance.

Thanks for that. I found this out late last night, and I believe I've got the issue resolved.

Regards,

Steve
Re: rDNS none in stats with IPv6
Steve Bertrand wrote:

I've added debugging code to new_dns_packet() and bgsend() (DnsResolver.pm) to print out $host, $type and $class to a log file. What I found is that the mapped address entries are not even seen by DnsResolver.pm at all, hence, there is no DNS lookup even attempted on them.

Hmmm...what's worse that I just found out is that *NO* IPv6 addresses are being seen by DnsResolver.pm at all.

Steve
Re: rDNS none in stats with IPv6
I've added debugging code to new_dns_packet() and bgsend() (DnsResolver.pm) to print out $host, $type and $class to a log file. What I found is that the mapped address entries are not even seen by DnsResolver.pm at all, hence, there is no DNS lookup even attempted on them. I'm off to find out where exactly the evaluation/gathering of the IP addresses takes place, and try to design a regex that will take the ::: into consideration properly. What I'd like to have happen is the mapped address sent merrily along all the way to the system resolver, then have the system resolver do what needs to be done. Am I taking the right approach here? Or should I have the IPv4 address stripped out of the v6 mapped address prior to pushing it through the Perl resolver gateways? Steve
Re: rDNS none in stats with IPv6
Hmmm...just out of curiosity, what is the first entry below used for, if Resolver.pm is used for header checks? pearl# locate Resolver.pm /usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm /usr/local/lib/perl5/site_perl/5.8.8/mach/Net/DNS/Resolver.pm ...nevermind, sorry for the noise. Steve
Re: rDNS none in stats with IPv6
Received: from unknown (HELO mail.apache.org) (:::140.211.11.2) by pearl.ibctech.ca with SMTP; 28 May 2008 09:13:00 -

Can someone inform me if this is an SA thing, and if so, where to begin looking/testing with the source to correct this issue?

The Received headers are parsed in Received.pm.

Hmmm...just out of curiosity, what is the first entry below used for, if Resolver.pm is used for header checks?

pearl# locate Resolver.pm
/usr/local/lib/perl5/site_perl/5.8.8/Mail/SpamAssassin/DnsResolver.pm
/usr/local/lib/perl5/site_perl/5.8.8/mach/Net/DNS/Resolver.pm

Steve
Re: rDNS none in stats with IPv6
Greg Troxel wrote:

In my SA stats, the majority (+90%) of email inbound is classified as rdns_none. I have a suspicion that this is due to the IPv6-IPv4 mapped address being written into the headers when I am speaking to a non-native IPv6 MTA:

Received: from unknown (HELO mail.apache.org) (:::140.211.11.2) by pearl.ibctech.ca with SMTP; 28 May 2008 09:13:00 -

(I presume you are trying to make this server IPv6 only instead of dual stack.

...well, not intentionally. My intentions were/are to make this a fully dual-stacked machine that hosts my personal domain that is my first fully IPv6 compliant machine that I've configured.

When my machine had a globally routable v6 address I got some mail over v6 and some over v4, but didn't use mapped addresses.)

Unfortunately, I'm not intently using mapped addresses. :) I've got a hacked version of Qmail that uses Simscan to fire SA (at least I believe this is how it works). I'll need to go through the Qmail sources to find out where it's writing these mapped addresses. To be honest, I think that the work should focus on fixing the resolver (or whatever calls the resolver) to extract the IPv4 address out of the mapped address, instead of eliminating the mapped address entirely. There are legitimate needs to use mapped addresses.

It seems that your SMTP listener is not correctly doing reverse dns lookups of mapped addresses,

How can I identify *exactly* what is my SMTP 'listener', and how DNS is called, and by what?

and I'm not sure what the right fix is. Either the SMTP code should notice the mapped address, pull out the v4 address, and look it up, or the resolver should do this automatically

I agree. I personally think that the mapped address should remain in the header however. Although I've never tested sending to a mapped address directly, I'll have to...it would be interesting to see how a return to a mapped address ends up if my IPv4 BGP peers go down, but my IPv6 stays up.

(generally pretty hard core about this sort of thing),

Nice to meet you, I am very much as well (particularly IP and routing :)

"dig -x :::140.211.11.2" returns NXDOMAIN on a query of

;2.0.b.0.3.d.c.8.f.f.f.f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN PTR

so I'd guess that it's not a normal expectation for a resolver to extract the mapped address.

No, I see the exact same thing via FBSD, but seems right. I've been going over the resolver code itself lately, so I'll have a look. Perhaps it could be fixed right there, and then the SMTP engine (or anything else that relies on DNS) could stay the same.

After the lookup issue is fixed, the received header would have the hostname.

This is why I didn't know if it were appropriate for the SA list... essentially, I would like to follow up on where in my infrastructure this is broken :)

Just think, I set out to set up a simple mail server on IPv6. While doing so, I've written more patches for software in the last week than I have my whole life...and I'm not even a programmer ;)

Thanks for the input.

Steve
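The reverse-lookup difference discussed in this message, as an added example that is not part of the original posts or of SpamAssassin's code: it pulls the client address out of a Received header, collapses an IPv4-mapped IPv6 address to plain IPv4, and builds the PTR query name both ways. The `::ffff:` prefix in the sample header is assumed from the ip6.arpa name in the quoted dig output; the PTR data and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the Received header quoted in the thread.
# Assumption: the client address was ::ffff:140.211.11.2, which is what the
# ip6.arpa name in the quoted dig output decodes to.
SAMPLE_RECEIVED = (
    "from unknown (HELO mail.apache.org) (::ffff:140.211.11.2) "
    "by pearl.ibctech.ca with SMTP"
)

# Constructed PTR data standing in for a real resolver, so this runs offline.
CONSTRUCTED_PTR_ZONE = {
    "2.11.211.140.in-addr.arpa": "mail.apache.org.",
}

_PAREN_TOKEN = re.compile(r"\(([0-9A-Fa-f:.]+)\)")


def client_ip_from_received(header):
    """Return the first parenthesised token that parses as an IP address."""
    for token in _PAREN_TOKEN.findall(header):
        try:
            return ipaddress.ip_address(token)
        except ValueError:
            continue  # looks like an address but is not one, e.g. "(1.2)"
    return None


def unmap(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to IPv4."""
    mapped = getattr(addr, "ipv4_mapped", None)  # IPv4Address has no such attr
    return mapped if mapped is not None else addr


def ptr_query_name(addr, unmap_first=True):
    """Build the reverse-DNS query name for addr."""
    target = unmap(addr) if unmap_first else addr
    return target.reverse_pointer


def rdns(addr, lookup, unmap_first=True):
    """Resolve addr to a host name via lookup(query_name); None if no PTR."""
    return lookup(ptr_query_name(addr, unmap_first))


def classify(header, lookup, unmap_first=True):
    """Return (query_name, host or 'rdns_none') for one Received header."""
    addr = client_ip_from_received(header)
    if addr is None:
        return (None, "no_client_ip")
    host = rdns(addr, lookup, unmap_first)
    return (ptr_query_name(addr, unmap_first), host or "rdns_none")


if __name__ == "__main__":
    # First line: mapped address queried under ip6.arpa, no PTR found.
    # Second line: same address unmapped, queried under in-addr.arpa.
    for flag in (False, True):
        print(flag, classify(SAMPLE_RECEIVED, CONSTRUCTED_PTR_ZONE.get, flag))
```

Native IPv6 addresses pass through `unmap` unchanged, so only the mapped form is redirected to the in-addr.arpa tree.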
Re: rDNS none in stats with IPv6
Greg Troxel wrote: In my SA stats, the majority (+90%) of email inbound is classified as rdns_none. (I presume you are trying to make this server IPv6 only instead of dual stack. When my machine had a globally routable v6 address I got some mail over v6 and some over v4, but didn't used mapped addresses.) When I get a few more minutes, I will go over the reply again, and reply properly. I couldn't believe the response (on and off list) regarding help with IPv6 issues and issues in general. I think that I'll be happy here ;) Steve
rDNS none in stats with IPv6
Hi everyone,

This may not be the appropriate list, but I'm hoping someone can help me.

I have an email server based on Matt Simerson's mail toaster (http://www.tnpi.biz/internet/mail/toaster/) that I've managed to get IPv6 compliant. However, I'm having a very hard time determining exactly where the DNS checks are performed, and how to correct an issue.

In my SA stats, the majority (+90%) of email inbound is classified as rdns_none. I have a suspicion that this is due to the IPv6-IPv4 mapped address being written into the headers when I am speaking to a non-native IPv6 MTA:

Received: from unknown (HELO mail.apache.org) (:::140.211.11.2) by pearl.ibctech.ca with SMTP; 28 May 2008 09:13:00 -

Can someone inform me if this is an SA thing, and if so, where to begin looking/testing with the source to correct this issue?

If it is within a part of SpamAssassin, I will gladly submit any patches that identify/rectify my problem.

Thanks, and regards,

Steve
Re: trusted mailing list subscriber spam
All a spam program would have to do is say "[EMAIL PROTECTED] posts lots to that list. His address must be a trusted subscriber. Well, here's one more post from him, muhahaha." If "Bob" posts a lot to a list(s) and is respected within said list(s), then the other subs of that list will immediately recognize by the tone and the writing style of a fake message that it wasn't Bob that sent it. OK, I suppose that would be caught by SPF rules etc., if bob likes SPF. Not all mail systems actually block upon SPF breakage... Steve
Re: DNS Perl Help? [ot]
> OK - Thanks for your help on that one, Still need the DNS stuff figured
> out, That's the last piece in what will be an extraordinarily powerful
> whitelisting system. I'll publish the code once it is tested. I think a
> lot of people will want to use it and improve it.

Using Net::DNS, here is a snip of what I have used in the past. It returns the PTR record, and if not available, returns the IP.

    use Net::DNS;

    # Return the PTR name for $ip, or $ip itself when no PTR is available.
    sub get_ame {
        my $ip = shift;
        my $res = Net::DNS::Resolver->new;
        # search() on an IP address issues the reverse (PTR) query
        my $query = $res->search($ip);
        if ($query) {
            foreach my $rr ($query->answer) {
                next unless $rr->type eq "PTR";
                return $rr->rdatastr;
            }
        }
        # Lookup failed, or the answer held no PTR record
        return $ip;
    }

HTH,

Steve
Re: Should I use greylisting
[EMAIL PROTECTED] wrote: I am a bit worried about blocking people with dynamic IP addresses say from their ISP, if they "inherit" an IP address recently used by an infected PC they will still be in the RBL and get blocked. Machines on dynamic IPs should not be doing direct-to-MX submission, so block their entire networks with no looking back, eg use spamhaus PBL. In the spam business, nice, meticulous, conscientious people always get screwed. The network operators should be blocking access from their subscriber access networks to port 25. Hi, this last point means that their customers are bound to use the network operator's smtp for sending. While I generally believe that end users should send thru a smarthost, I also think it is a bad idea to restrict them to the network provider's smarthost. They might prefer to send via their company's SMTP instead ...which is exactly the reason SMTP Auth operating over port 587 exists. Steve
Re: SlashDotting spammers
> Steve Bertrand wrote: >>>Finally, I would suggest that bombarding their purchasing forms with >>>valid-looking purchase data, might work better. >> >> >> As someone who deals with the consequences of DoS attacks, I >> disagree >> firmly with that approach, however...the above idea seems very >> entertaining and I was LMAO when I read it... > > > There seems to be a very grey line here. The spammers send email > containing > HREF or IMG tags that they fully intend to have the recipient click > on, or in the > case of IMG tags, to have an agent for the recipient (mail client) > retrieve. > > What is the difference between a recipient clicking on an HREF > multiple times, or > viewing the email (and loading the IMGs) multiple times, and an agent > of the recipient > performing similar actions? I don't think that at a fundamental level > there is a > difference. > > If you publish anything on the web by any means the publisher has to > accept that the > slashdot effect is one of the possible consequences of publication. > > I do suppose though that it boils down to an issue of intent. Viewing > an email and > its associated HREFs or IMGs is different than feeding these URLs to a > process with > the _intent_ that it consume large amounts of resources of the target. > > Hmmm... Damn, its too bad because I like the idea. They use zombies > and spambots against > us, why can't we use similar systems against them! AFAIK, one of the ideas to get rid of the spam (yes only one) is to clean up the crap clogging the pipes. Fighting fire with fire (or in this case bytes with bytes) will just make worse the traffic jams we have to deal with. Save the load on the infrastructure, and instead, tie them up in a chair in their house, then set the house on fire or something. Partially kidding of course. 
If we must continue this approach, a much more elegant and clean way to do this is hack the boxes the mail is being spewed from, the boxes the sites reside on, and implement a good strategy to have the mail servers bombard themselves with email, and have the web servers pollute their own databases with corrupt data. This will at least save the bandwidth for better things...like mailing list rants like this ;o) /* Disclaimer... I am in no way in any proper frame of mind right now. I can not be held accountable for actions taken in part, or in whole based on the ideas or thoughts contained in this email */ :o) Steve > > - Mike > > > > >
Re: SlashDotting spammers
> Finally, I would suggest that bombarding their purchasing forms with
> valid-looking purchase data, might work better.

As someone who deals with the consequences of DoS attacks, I disagree firmly with that approach, however...the above idea seems very entertaining and I was LMAO when I read it...

Tks for the chuckle ;o)

Steve

> - --j.
RE: SPF and spammers
>> Steve Bertrand said: >> >> > I work for an ISP. My laptop, seldomly moved from the office is >> > configured to send out my [EMAIL PROTECTED] email through this >> ISP >> > SMTP server. I take my laptop home, which is connected to a >> different >> > SMTP server. Unwittingly, I change the SMTP server to the home >> ISP's >> > server and send out mail (which was always a common practice). >> >> If you send email from home, you should either arrange to use your >> employer's email server (sasl, and/or port 587 as needed), >> use a different >> "from" address when sending from home, or else add your home >> ISP's mail >> relay to the SPF records for your employer. > > > Yes, you should. But what happens if my almost-informed user decides > to > do it the old way? Do you blacklist my domain because a user decided > to > do things wrong? > > That was his question. However, as I recall the original premise, the > message would have to look very spammy to get flagged this way in the > first place. And, you really wouldn't start blocking mail servers > simply > because you received one such message-- though you might want to flag > it > and look at it. Indeed, that was the intent of the question. I do have my own servers with Auth-SMTP, and normally use webmail located right on the IMAP box anyway. I was just curious from the standpoint of the user who just doesn't listen and gets the domain blacklisted as per the poster I replied suggested. Tks for the feedback Steve > > Bret > > > >
Re: SPF and spammers
> But still, my recommendation is to use an SPF pass to decrease the spam
> score and to not use SPF fails to blacklist.

This is really the first post I've looked at on this thread, but I see your point...correct me if I am wrong with this situation:

I work for an ISP. My laptop, seldomly moved from the office is configured to send out my [EMAIL PROTECTED] email through this ISP SMTP server. I take my laptop home, which is connected to a different SMTP server. Unwittingly, I change the SMTP server to the home ISP's server and send out mail (which was always a common practice).

AFAICT, this instance would blacklist me and/or my entire domain because of a user mistake...correct? (As it would send my [EMAIL PROTECTED] email through a server not listed in our SPF records).

Steve

> On Sep 13, 2004, at 1:39 PM, Kelson wrote:
>
>> You're misunderstanding. The suggestion was to take spam that passed
>> SPF, look for the other servers listed in that SPF record, and add
>> those servers to a blacklist.
>>
>> 1. Spam comes in from dirtbag.tld via mail.dirtbag.tld
>> 2. SPF record for dirtbag.tld lists both mail.dirtbag.tld and
>>    mail.yahoo.com as valid senders (even though they can't actually send
>>    through Yahoo): "v=spf1 a:mail.dirtbag.tld a:mail.yahoo.com -all"
>> 3. Your mail server recognizes that (a) it's spam, and (b) it passes
>>    SPF.
>> 4. As per the original suggestion, check that SPF records for
>>    blacklist material, and you add mail.dirtbag.tld and mail.yahoo.com to
>>    your blacklist.
>> 5. Next time mail comes in from mail.yahoo.com, it's blocked.
>>
>> Of course, there's no reason for spammers to put bogus info in their
>> SPF records *unless* people do this, since if people use it as
>> designed, it won't gain them anything. Although I can see them just
>> putting up "v=spf1 +all" at least short-term so that they can use
>> their usual zombie networks, though at least they'd have to use their
>> own addresses and deal with the bounces themselves.
>
> Kindest regards,
>
> Ron
>
> "What shall we do? What shall we do?" he cried, "Escaping goblins to be
> caught by wolves!" - Bilbo Baggins
>
> The Hobbit by J. R. R. Tolkein
> http://www.apple.com/trailers/newline/returnoftheking/trailer_large.html
Re: Catching Windows executables as attachments
> I have currently tuned my SARE spam filters, and am humming right > along, I get > one or 2 uncaught spams a day which is no big deal. But I would like > to catch > the virus emails that have Win exe, scr, bat, and the like for > attachments, > but I can't find a rule for them. > > Is there one? How can I catch them otherwise? If you are running qmail, you can install qmail-scanner (which I use to load SA & ClamAV). Then edit the quarantine-attachments.txt file to your taste. You can block out any attachment you desire... Steve > > Rob > -- > > Linux Desktop user since 2000, > Home networker since shortly after. > > Linux User #183693 > http://counter.li.org/ >
Re: Unreasonable penalty for AOL addresses ending in numbers?
>> I have had a couple of FP's recently from valid AOL users. AOL >> recommends appending digits to your screen name to make it unique, >> and >> many users do that. The result (sender using AOL 9.0 client, SA >> 2.63) >> is a penalty of 6.39 points right off the bat. Isn't that a bit >> extreme? > > I know at my site, the ratio of valid users and phony users ending in > nums is about 1000:1. If this is the same as at your site, the easiest > thing to do probably would be to whitelist the users. You could also > lower the score of these rules and let the other rules do their job > instead. Most of the spam coming from these types of users scores in > the teens to 20's anyway, so if it's legit, then SA should score > accordingly, aside from the rules listed in your headers. Whoops! READ: Phony: 1000 Valid: 1 ;o) > > Just my .02 > > Steve > >> >> Pierre Thomson >> BIC >> >> >> Received: from imo-m15.mx.aol.com (imo-m15.mx.aol.com >> [64.12.138.205]) >> by mail1.domain.com (8.11.6/8.11.6) with ESMTP id i882gcu10544 >> for <[EMAIL PROTECTED]>; Tue, 7 Sep 2004 22:42:38 -0400 >> Received: from [EMAIL PROTECTED] >> by imo-m15.mx.aol.com (mail_out_v37_r3.4.) 
id 4.13c.83038c (3972) >> for <[EMAIL PROTECTED]>; Tue, 7 Sep 2004 22:42:29 -0400 (EDT) >> From: [EMAIL PROTECTED] >> Message-ID: <[EMAIL PROTECTED]> >> Date: Tue, 7 Sep 2004 22:42:29 EDT >> Subject: Re: Equipment >> To: [EMAIL PROTECTED] >> MIME-Version: 1.0 >> Content-Type: multipart/alternative; >> boundary="-1094611349" >> X-Mailer: 9.0 for Windows sub 5112 >> X-Local-MailScanner-Information: See www.mailscanner.info for >> information >> X-Local-MailScanner: Found to be clean >> X-Local-MailScanner-SpamCheck: spam, SpamAssassin (score=6.651, >> required 6, >> ADDR_NUMS_AT_BIGSITE 2.70, BAYES_40 -0.00, FROM_ENDS_IN_NUMS 0.99, >> FROM_WEBMAIL_END_NUMS6 2.70, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16) >> X-MailScanner-From: [EMAIL PROTECTED] >> Return-Path: [EMAIL PROTECTED] >> X-OriginalArrivalTime: 08 Sep 2004 02:42:45.0517 (UTC) >> FILETIME=[8554E3D0:01C4954D] >> > > >
Re: SpamAssissin
> Hi > I installed qmail and spamassissin on it. I don't know how configure > spamass to have a blacklist, whitelist ? > How update spam database of spamass for new spammer? Ahhh, did you even attempt to read through some of the FAQ wiki or any of the documentation on the SA homepage, or the distribution you downloaded? That's probably the best place to start. > Thanks. > >
Re: Unreasonable penalty for AOL addresses ending in numbers?
> I have had a couple of FP's recently from valid AOL users. AOL
> recommends appending digits to your screen name to make it unique, and
> many users do that. The result (sender using AOL 9.0 client, SA 2.63)
> is a penalty of 6.39 points right off the bat. Isn't that a bit
> extreme?

I know at my site, the ratio of valid users and phony users ending in nums is about 1000:1. If this is the same as at your site, the easiest thing to do probably would be to whitelist the users. You could also lower the score of these rules and let the other rules do their job instead. Most of the spam coming from these types of users scores in the teens to 20's anyway, so if it's legit, then SA should score accordingly, aside from the rules listed in your headers.

Just my .02

Steve

> Pierre Thomson
> BIC
>
> Received: from imo-m15.mx.aol.com (imo-m15.mx.aol.com [64.12.138.205])
>     by mail1.domain.com (8.11.6/8.11.6) with ESMTP id i882gcu10544
>     for <[EMAIL PROTECTED]>; Tue, 7 Sep 2004 22:42:38 -0400
> Received: from [EMAIL PROTECTED]
>     by imo-m15.mx.aol.com (mail_out_v37_r3.4.) id 4.13c.83038c (3972)
>     for <[EMAIL PROTECTED]>; Tue, 7 Sep 2004 22:42:29 -0400 (EDT)
> From: [EMAIL PROTECTED]
> Message-ID: <[EMAIL PROTECTED]>
> Date: Tue, 7 Sep 2004 22:42:29 EDT
> Subject: Re: Equipment
> To: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>     boundary="-1094611349"
> X-Mailer: 9.0 for Windows sub 5112
> X-Local-MailScanner-Information: See www.mailscanner.info for information
> X-Local-MailScanner: Found to be clean
> X-Local-MailScanner-SpamCheck: spam, SpamAssassin (score=6.651, required 6,
>     ADDR_NUMS_AT_BIGSITE 2.70, BAYES_40 -0.00, FROM_ENDS_IN_NUMS 0.99,
>     FROM_WEBMAIL_END_NUMS6 2.70, HTML_MESSAGE 0.10, NO_REAL_NAME 0.16)
> X-MailScanner-From: [EMAIL PROTECTED]
> Return-Path: [EMAIL PROTECTED]
> X-OriginalArrivalTime: 08 Sep 2004 02:42:45.0517 (UTC)
>     FILETIME=[8554E3D0:01C4954D]
Re: shifting the midpoint between the average spam and average
> > SA isn't about the "average" it's about the accuracy.
>
> If this were the case, then why aren't the spam scores
> ("*required_hits*") for each message either 1 or 0 and nothing else?

Oh, come on now. This is just a troll on a very legitimate and informative statement. If spam were like virii, then it would be easy -- yes it is spam, no it isn't. But you know as well as everyone else spam is very dynamic, and ever changing.

SA works in a cumulative way, adding up points (score) as it hits certain rules. YOU determine the threshold...it's not SA's job to determine if it's spam or not, it's SA's job to add up the scores. It's YOUR job to set required_hits, putting you in charge when it becomes spam, and when it's not.

Maybe someday spam writers will put a nice little statement in their subject line "SPAM", then we'd be able to have 1 or 0, but I doubt it.

Many people have tried to give you advice, for something that really was not clarified as to why you were trying to achieve what you were. It doesn't help to return a question that is ridiculous and very unrealistic in nature.

...sorry to bite.

Just my $.02

Steve
Re: shifting the midpoint between the average spam and average ham scores back to 5.0
> Help please! > > If the average spam score of all of my ham messages is 1.0 and the > average spam score of all of my spam messages is 3.0, then what is the > best way to move the average_of_ these_two_averages (2.0) back up to > 5.0? > > The result being that I need my current average score for ham messages > to be "4" and my current average score for spam messages to be "6". > And, > I need to do this without screwing up the relative statistics of > spamassassin. What about increasing the score on the most commonly hit rules for spam and ham? Check to see what rules are being hit on both hammy and spammy messages, and increase slowly over a few days until the desired average levels are reached. HTH, Steve > > Thanks for any ideas! > > Joe > >