RE: X-Spam-Relay-Country header always empty
M-Original Message- MFrom: Scott Russell [mailto:[EMAIL PROTECTED] MSent: 13 March 2006 18:41 MTo: users@spamassassin.apache.org MSubject: X-Spam-Relay-Country header always empty M MGreets. M MI've seen this under both SA 3.1.0 and 3.1.1 and I have MIP::Country 2.20 installed. If I enable debug mode in spamd I Msee Mail::SpamAssassin::Plugin::RelayCountry load. When Mprocessing a message through spamd I also see metadata: MX-Relay-Countries: US ** US US ** US US US DE SK SK SK GB EU M MThis to me says that the plugin is working as expected. I Mwanted to add this information to the headers so I add_header Mall Relay-Country _RELAYCOUNTRY_ however the MX-Spam-Relay-Country header is always empty. M MAny clues? M M-- I have got the same problem after upgrading, calling spamd via procmail but the _REALCOUNTRY_ header tag fails to put anything in the header, was working just fine for 3.1.0. Can't remember now what I had to edit to get it to work, do I need to change something back to the way it was to fix this or is this still not fixed correctly? Martin
RE: generating rule stats from spamd logs
M 10BAYES_9915351 4.46% 45.42% 60.57% M 19BAYES_50 6443 1.87% 19.06% 25.42% M 31BAYES_80 1154 0.34% 3.41% 4.55% M 32BAYES_60 1147 0.33% 3.39% 4.53% M 38BAYES_95 864 0.25% 2.56% 3.41% M 102BAYES_00 187 0.05% 0.55% 0.74% M 152BAYES_40 92 0.03% 0.27% 0.36% M 209BAYES_20 53 0.02% 0.16% 0.21% M 228BAYES_05 44 0.01% 0.13% 0.17% M MFor ham... M 2BAYES_00 695915.73% 20.59% 82.32% M 9BAYES_50 623 1.41% 1.84% 7.37% M 20BAYES_40 296 0.67% 0.88% 3.50% M 24BAYES_20 267 0.60% 0.79% 3.16% M 29BAYES_05 217 0.49% 0.64% 2.57% M 73BAYES_60 51 0.12% 0.15% 0.60% M 113BAYES_99 24 0.05% 0.07% 0.28% M 142BAYES_80 14 0.03% 0.04% 0.17% M 280BAYES_952 0.00% 0.01% 0.02% M MSo, BAYES_99 hits 0.28% of my ham and 60.57% of my spam. M You must have a different version to the one now available because your missing one column Spam RANKRULE NAME COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM 1BAYES_99 468 5.94 75.48 97.91 329.58 2RAZOR2_CHECK 422 5.35 68.06 88.28 297.18 3RAZOR2_CF_RANGE_51_100421 5.34 67.90 88.08 296.48 4URIBL_BLACK 353 4.48 56.94 73.85 248.59 The %ofham column is obviously wrong but the others seem fine Ham RANKRULE NAME COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM 1BAYES_00 13737.33 22.10 28.66 96.48 2AWL 11230.52 18.06 23.43 78.87 3HTML_MESSAGE 16 4.362.583.35 11.27 7UPPERCASE_25_50 9 2.451.451.88 6.34 8URIBL_BLACK 5 1.360.811.05 3.52 Again the Spam column is wrong here and should be ignored, nice to see whats false positiving so I can lower scores accordingly. Martin
RE: Re[2]: Uri rules
MHello martin, M M MSARE has been playing around with URI rules lately, and when Mwe need to test for something in the host/domain area, we use Msomething like: M uri rule_name m'(?:https?://)?[^/]*testgoeshere' MIn other words, the test must precede any/all slashes except Mfor those that might be within http:// M MWhen we need to test for something after the host/domain Marea, we reverse that, like: M uri rule_name m'(?:https?://)?.+/testgoeshere' MIn other words, the test must follow a slash. M MThe method can be improved upon, but it helps avoid what I Mthink are the false hits you're dealing with. M MBob Menschel M Thanks for the tip Bob, that's just what I needed, I will look at trying that out but pretty sure that will stop the FP that I was having. Regards Martin
RE: Uri rules
MNot that I'm aware of. To my knowledge the URI rule always Mmatches the full URL. There are several SA and/or SARe rules Mwhich depend upon this. M MOr do you mean something different by URI and URL than I do. MI generally use the definitions found at Mhttp://www.adp-gmbh.ch/web/uri_url_urn.html -- including: M URI = Uniform Resource Identifier M There are two types of URIs: URLs and URNs MIn other words, a URL /is/ a URI. M MSection 1.3 of http://www.zvon.org/tmRFC/RFC2396/Output/ Mgives as examples of URIs: M http://www.math.uio.no/faq/compression-faq/part1.html M mailto:[EMAIL PROTECTED] M(those are the two most applicable to SA) M ftp://ftp.is.co.za/rfc/rfc1808.txt Metc. M M MWhy? As recommended, if you have an avoidable FP in an SA Mdistribution rule, post it to bugzilla, and we'll see if we Mcan get rid of the FP. (Remember, however, that sometimes Mham-hits on low-scoring rules are intentionally -- an FP is Mone that flags a non-spam as a spam.) M MIf your ham hit is in a SARE rule rather than an SA rule M(more likely, IMO), then post the specifics either here or on Mthe SARE forum, and we'll see if it's worth avoiding. M MBob Menschel M Thanks for the reply Bob, it's a rule of my own, and yes I was using the same definition of URL and URI, I just didn't notice any FP when I first wrote it but wasn't sure if the uri rule behaviour had changed, since its not a url rule that is. Martin
Uri rules
Has the behaviour of the uri rule been changed at some point to match the whole of the URL? I have just noticed I am getting some FP when one of my uri rules matches against the URL rather than URI. To prevent FP would be very difficult, I think to match the whole of the URL with uri rules is not such a good thing, if you wanted to match something in a URL it would be quite easy to do so in a body rule but to match just against URI isn't so easy. Martin
3.0.4 bug 4111
For those thinking of upgrading who have patched earlier versions of 3.0. you will need to do it again after upgrading. I was disappointed to see the fix for the above bug was not included in 3.0.4, just had to apply the fix again to get the surbl to work with caps in the URI. Martin
RE: problem with split line URL's
M-Original Message- MFrom: Martin Hepworth [mailto:[EMAIL PROTECTED] MSent: 31 May 2005 17:45 MTo: Robert Menschel MCc: SpamAssassin Users MSubject: Re: problem with split line URL's M MRobert M Mjust got one in - no matches... M MIf anyone wants an example let me know.. M M-- MMartin Hepworth I had a rule I was working on, it works on the example u pasted, be interested if this works, if not if you could send me a sample to work on. body MS_Broken_URL /\b(?!http)h\s?t\s?t\s?p\s?/i score MS_Broken_URL 1 describe MS_Broken_URL URL split between lines Use at your own risk has I havent checked it that well for FP's Martin
RE: problem with split line URL's
-Original Message- MFrom: Martin Hepworth MSent: 31 May 2005 17:45 MTo: Robert Menschel MCc: SpamAssassin Users MSubject: Re: problem with split line URL's M MRobert M Mjust got one in - no matches... M MIf anyone wants an example let me know.. M M-- MMartin Hepworth Ok just got a spam and that didn't fire so, did a quick revision, changed body to full. full MS_Broken_URL /\b(?!http)h\s?t\s?t\s?p\s?/i score MS_Broken_URL 1 describe MS_Broken_URL URL split between lines
RE: cannot open bayes databases
M-Original Message- MFrom: Chris [mailto:[EMAIL PROTECTED] MSent: 30 May 2005 04:00 MTo: users@spamassassin.apache.org MSubject: cannot open bayes databases M MWhile running my sa-learn script I'm suddenly getting the below: M Mdebug: lock: 26313 Mcreated M/home/chris/.spamassassin/bayes.lock.cpollock.localdomain.26313 Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with 0 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M1 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M2 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M3 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M4 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M5 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M6 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M7 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M8 retries Mdebug: lock: 26313 trying to get lock on M/home/chris/.spamassassin/bayes with M9 retries MCannot open bayes databases /home/chris/.spamassassin/bayes_* MR/W: lock Mfailed: File exists M MLooking in my ~.SpamAssassin folder I see a bayes.lock file Mis still there after running sa-learn. I've deleted it and Mthe error persists. I'm sure there is an easy fix for this. M MThanks MChris M M-- MChris Hi Chris I had the same and deleted the .lock file then ran sa-learn --sync or you could use --force-expire, worth a go. If that don't work then post back and someone else may have more ideas. Martin
RE: Bombarded by German political spam
M-Original Message- MFrom: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] MSent: 15 May 2005 10:46 MTo: users@spamassassin.apache.org MCc: Loren Wilton MSubject: Re: Bombarded by German political spam M Mnpd.de is Nazi political party M M M Kanzler erleichtert Visaverfahren für Golfstaaten: M http://www.spiegel.de/spiegel/vorab/0,1518,349262,00.html M Mspiegel.de is reputable news magazine M MIt would be quite unfair to block mails because of a spiegel reference M MWOlfgang Hamann M Well that depends on whether you normaly get mails with german websites referenced in the emails, mines just a personal email server so I have put a rule to catch deutchland in the URL, if they carry on I may just put one for .de, only 2 made it past spamassassin but all were under the 15 score I need to /dev/null them
RE: more spam with SpamAssassin version 3.0.2
M-Original Message- MFrom: Valery V. Bobrov [mailto:[EMAIL PROTECTED] MSent: 14 May 2005 13:36 MTo: users@spamassassin.apache.org MSubject: more spam with SpamAssassin version 3.0.2 M MHello! M MI upgraded to SpamAssassin version 3.0.2 from 2.64 and I Mnoticed the amount of spam messages has been increased! M M MWhat sort of problem? M MYours faithfully, MValery Look at the INSTALL file to find the system requirements such as perl, Net::DNS and other module versions, then do a spamassassin --lint -D it will tell you more details what is failing. Chances are its not doing network tests because of Net:DNS which will lower the spam score significantly. Martin
RE: Drug SPAM problem..any fixes?
M-Original Message- MFrom: Dan Simmons [mailto:[EMAIL PROTECTED] MSent: 14 May 2005 18:13 MTo: users@spamassassin.apache.org MSubject: Drug SPAM problem..any fixes? M MHi All, M MI am having an issue with the following DRUG related spam. Does Manyone have any rules to catch this? M--=_Part_26268598_14758651.1312519906417 MContent-Type: image/gif; M name=Frccf.GIF MContent-Transfer-Encoding: base64 MContent-ID: lrvnmnh_ywroot_rvdee M You could probably write a rule to catch it using a signature from the gif, here's an example of one I have done for some viagra/cialis spam that uses a gif full __MS_Drug_Gif /\bR0lGODlh/ full __MS__Gif /\bimage\/gif\b/i meta MS_Drug_Gif __MS_Drug_Gif __MS__Gif score MS_Drug_Gif 5 describe MS_Drug_Gif Gif Used to Advertise Meds R0lGODlh is the beginning of the gif when viewed raw Martin
RE: {SPAM} Drug SPAM problem..any fixes?
M-Original Message- MFrom: Matt Kettler [mailto:[EMAIL PROTECTED] MSent: 14 May 2005 18:37 MTo: Dan Simmons MCc: users@spamassassin.apache.org MSubject: Re: {SPAM} Drug SPAM problem..any fixes? M MDan Simmons wrote: M Hi All, M M I am having an issue with the following DRUG related spam. Does M anyone have any rules to catch this? M M Environment: SA 3.0.2 with network tests and the following MSARE rule sets: Msnip M X-SA-SysThreshold: 6.0 M 0.8 HTML_IMAGE_ONLY_20 BODY: HTML: images with M1600-2000 bytes of words M 0.1 HTML_40_50 BODY: Message is 40% to 50% HTML M 0.0 HTML_MESSAGE BODY: HTML included in message M M MFor your message I got the following (SA 2.64 with Mail::SpamCopURI) M MSpamAssassin (score=7.908, required 5,AB_URI_RBL M1.00, BAYES_00 -4.90, MBLACK_URI_RBL 2.00, HTML_MESSAGE 0.10, HTTP_ESCAPED_HOST 1.51, MINFO_GREYLIST_NOTDELAYED -0.00, JP_URI_RBL 1.00, OB_URI_RBL M2.10, SPAMCOP_URI_RBL 3.00, WS_URI_RBL 2.10) M MMost of that is URI blacklists from surbl (supported by SA M3.x by default), as well as uribl.com (not supported in Mdefault config but I added it by hand) M Trouble is with the SURBL is that you can receive a lot of these spams before they get listed, they also seem to change domain name twice a day or more to keep ahead of the listing, that's why I wanted something to block them if they don't hit any black lists. Martin
RE: spammer is using html code for spamming
M-Original Message- MFrom: Eddy Beliveau [mailto:[EMAIL PROTECTED] MSent: 12 May 2005 16:49 MTo: users@spamassassin.apache.org MSubject: spammer is using html code for spamming M MHi! M MI'm using spamassassin 2.64 with success M MI'm having problem catching some specific spammer. M MHe is using html codes to generate his page Each row of text Mis composed of word segments generated from many table row M MIs there some rule who can catch this kind of spammers ? M MThanks, MEddy M M Sa p To 80 OF R'eta il Pri ces With ED-D M ve U % F rugs! M M I have a rule which tagged this, if u want to give it a go. body MS_Body_Hide_DRUG /\b(?:R[!a-z]?eta il|P[!a-z]?ri ces|V.?I RA|C[!a-z]?I S|(?:V|U)L AM|U[!a-z]?LTRAM|S[!a-z]?MA)\b/I score MS_Body_Hide_DRUG 2.5 describe MS_Body_Hide_DRUG Trying to hide prescription drugs Martin
RE: spammer is using html code for spamming
Whoops outlook capitalised this wrong with an I instead of i at the end. This is what it should have been; body MS_Body_Hide_DRUG /\b(?:R[!a-z]?eta il|P[!a-z]?ri ces|V.?I RA|C[!a-z]?I S|(?:V|U)L AM|U[!a-z]?LTRAM|S[!a-z]?MA)\b/i
RE: Way to evade URI checks
M-Original Message- MFrom: Rakesh [mailto:[EMAIL PROTECTED] MSent: 07 May 2005 07:41 MTo: [EMAIL PROTECTED]; users@spamassassin.apache.org MSubject: Way to evade URI checks M MSeems Spammers have found a way to evade the URI checks M Mthe domain coolestrxever.com is listed in multi.surbl.org. MBut the spammers managed to to evade the URI checks by Mappending special charaters at the end of the url which are Mhappily allowed by the browsers. M MThe spam that I recieved had M Mhttp://www.coolestrxever.com: (aa colon at the end of the url) M MAfter a bit of RD I found the other options for spammers to Mcarry this techinque M Mhttp://www.coolestrxever.com; (a semicolon) Mhttp://www.coolestrxever.com, (a comma) Mhttp://www.coolestrxever.com. (a fullstop) Mhttp://www.coolestrxever.com? (a question mark) M MWith all these special characters at the end of url, URI Mchecks tries to make lookup as M Mdebug: querying for coolestrxever.com:.sc.surbl.org M MEnd result, passed the promising URI checks. M MI am seeing the first of its kind of spam. If any version of MSpamassassin fixes this in its URI retrieval program please Mlet me know M M-- There is a fix for these in the bugzilla, came in correctly caught by SURBL here, using 3.0.2. There is two fixes I have applied and seems to catch the URL split over lines too, not sure if these are included in 3.0.3, I suspect this one is. Martin
RE: [SURBL] how to report
M-Original Message- MFrom: Jeff Chan [mailto:[EMAIL PROTECTED] MSent: 04 May 2005 02:29 MTo: users@spamassassin.apache.org MSubject: Re: [SURBL] how to report M MOn Monday, May 2, 2005, 11:34:14 PM, hamann w wrote: M I just came across this website M www.webspawner.com/users/moneymakerman555 M M What is the best way to have the spam that this will likely Mcreate blocked by surbl? M M Wolfgang Hamann M MA good way to report spams is to use SpamCop. The SpamCop Mspamvertised site data goes into sc.surbl.org: M M http://www.surbl.org/lists.html#sc M Jeff, does this include the links that don't resolve when parsed by spamcop? There seem to be a lot that don't nowdays, would be nice to know that these are still included, my main reason for reporting to spamcop is to get them added to sc.surbl.org. Martin
RE: Blacklists entries not getting blocked
M-Original Message- MFrom: Antonio DeLaCruz [mailto:[EMAIL PROTECTED] MSent: 28 April 2005 23:12 MTo: Pettit, Paul MCc: users@spamassassin.apache.org MSubject: RE: Blacklists entries not getting blocked M MAttached is a file that contains the header information and Mthe preview of the message as spamassassin modified it. From Mthe body of the e-mail, you can clearly see that it is Mlooking at my blacklist, it just isn't doing anything with Mit. Well, after ramming my head into the wall to knock some Msense into me, I think that I know why it isn't. My M.procmailrc file isn't doing anything with it. Now, that Mmeans to me that spamassassin does nothing more than assign a Mscore to the e-mail and that proc mail does the actual Mfiltering and deletion. So, what it seems to me is that 1) Mthe black list in the user_prefs file is totally useless Msince you could easily put this in your .procmailrc Mfile: M M:0: M* ^From:*badaddress.com M/dev/null M Mor 2) there has to be a way in the .procmailrc file to send Mto /dev/null anything that has a score over a certain value. MI'm not finding anything on how to do that, so if you know, Mthat would be much appreciated. My only other option is to Mtake the listings in my blacklist and run them through a perl Mscript to re-write them to go into my procmailrc file. But, Msomething tells me that the processing would take longer if Mmy mail server had to parse through a huge procmailrc file. M This will send anything over 15 point to /dev/null, assuming ur using the * in the headers. :0: * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\* /dev/null
RE: SA config recommendations to block these spammers?
M-Original Message- MFrom: ROY,RHETT G [mailto:[EMAIL PROTECTED] MSent: 26 April 2005 14:51 MTo: users@spamassassin.apache.org MSubject: SA config recommendations to block these spammers? M MI have two spammers that consistently get messages through to Mmy inbox. MBased on the attached, can you make any recommendations for Mimprovements to my configuration that will help give these Mmessages a higher score? I'm calling SA (spamd, 3.0.2) as a Mcontent filter from Postfix. M MThanks, M MRhett Roy M Mdebug: Net::DNS version: 0.23 Your Net::DNS is way too old to work with 3.0*, it needs upgrading for RBL and SURBL lookups to work and like Daryl says one of the spam's had a trailing : after the URL which makes SURBL lookups fail unless the patch is applied. I did write a rule to catch these since a lot of spammers are still using this trick :- uri __SpoofPort_URL /(?:\:|\...:)/ uri __OkPort_URL /(?:\:[0-9]|\...:[0-9])/ meta MS_Spoof_Port_URL ((__SpoofPort_URL - __OkPort_URL) 0) score MS_Spoof_Port_URL 9 describe MS_Spoof_Port_URL Exploits SURBL bug in 3.0* URL with trailing : Worth having even with the patch, not had a FP on it yet. Martin
RE: SA config recommendations to block these spammers?
M-Original Message- MFrom: Chris Santerre [mailto:[EMAIL PROTECTED] MSent: 26 April 2005 21:26 MTo: 'martin smith'; Spamassassin MSubject: RE: SA config recommendations to block these spammers? M M MMartin, could we get permission to put this in a SARE file? MFull credit to you obviously! M M--Chris M Yes by all means use it Chris, nice to make a contribution. Martin
RE: Does -r reject or discard
M-Original Message- MFrom: Steven Stern MSent: 15 April 2005 15:56 MTo: spamass-milt-list@nongnu.org; spamass MSubject: Does -r reject or discard M MWe're using spamass-milter with -r 10. Does this reject Mthe message (causing Sendmail to send a reject) or just Mdiscard it? If it's a reject, how can I change it to a discard? M MI'm asking because I'm seeing stuff in our outgoing mail Mqueue that looks like reject messages. M M-- M MSteve M Hi Steve -r option tells sendmail to reject the message if it exceeds a given score. Best I can see u can do is redirect a tagged msg with -b maybe to a none excistent address, but that would be at whatever score u have spamassassin set to tag spam Martin
RE: Need for a new rule?
M-Original Message- MFrom: Andreas Davour [mailto:[EMAIL PROTECTED] MSent: 13 April 2005 21:23 MCc: users@spamassassin.apache.org MSubject: Need for a new rule? M M MThe following message have many characteristics in common with much Mspam I've been getting lately. It's about investments, often shares, Mstock options or oil. One odd thing about those messages is that they Mall, like the one quoted below, have the letter 'l' substituted for Mthe pipe character i.e. '|'. M MAre there any rule for this? Would one be hard do design? I haven't Mseen anything about is in the documentation. OR, I haven't understood Mwhat I've read... M M/Andreas I have a couple of rules I have written to catch these spams, still catching plenty right now but who knows how long for:- body MS_Hide_Yahoo /(?: [EMAIL PROTECTED]|\@ yahoo.com\b)/i score MS_Hide_Yahoo 4.5 describe MS_Hide_Yahoo Attempt to hide yahoo email address body __MS_Oil_Stock1 /\bo.l and gas\b/i body __MS_Oil_Stock2 /(?:\b\(?EOGI|\b\(?MOGI|\b\(?TDCP|\b\(?MEGJ)/i body __MS_Oil_Stock3 /(?:\bEmerson|\bmontana|\bAdeptrader|\bAtheletic)/i uri __MS_Oil_Stock4 /http\:\/\/finance\.yahoo\.com/i body __MS_Ins_Stock1 /(?:\bGRDX|\b3DIcon|\bConclusion|\binvestments?|\bmarket value)/i body __MS_Ins_Stock2 /(?:\bPenny St.ck|\bBuy Low|\bCurrent Price)/i body __MS_Ins_Stock3 /(?:jeff.[0-9]{1,[EMAIL PROTECTED]|\bst(?:0|o)cks?[0-9]{0,[EMAIL PROTECTED]|\bNo Thanks)/i body __MS_Ins_Stock4 /(?:\bst0ck|\bprice \$|\bdollars)/i meta MS_Stock ((__MS_Oil_Stock1 + __MS_Oil_Stock2 + __MS_Oil_Stock3 + __MS_Oil_Stock4 + __MS_Ins_Stock1 + __MS_Ins_Stock2 + __MS_Ins_Stock3 + __MS_Ins_Stock4) 2) score MS_Stock 5.0 describe MS_Stock Investment Stock Spam Make allowance for word-wrap, not sure how legible they will be. Martin
RE: about SPF
MI had the same problem. It turns out that if the email is being Mrelayed through trusted or internal hosts, SA will skip the MSPF checks on the belief that it cannot trust that one of Mthose hosts hasn't Mchanged the envelope headers.I ended up opening an enhancement Mrequest to allow an option to get SA to run the SPF checks if Mthe admin Mis sure that the envelope headers are not being altered. This will Mappear in 3.1, but there is a patch you can get if you want it Mearlier.See http://bugzilla.spamassassin.org/show_bug.cgi?id=4140 M I applied the patch last night, now every email from this list comes up with SPF_FAIL, some also come up with SPF_HELO_PASS, will remove the patch when I get back from work, since it doesn't seem to be working correctly. Martin
RE: about SPF
M MCould you please forward a few complete messages that Mincorrectly get an SPF fail with the patch applied. M MThe patch has no effect on SPF_HELO tests. M M MDaryl M Looks like I have to put mail.apache.org as a trusted server for this list to pass the spf test, the email direct from you passed but the one via the list failed:- Return-Path: [EMAIL PROTECTED] Received: from mta10-winn.mailhost.ntl.com (smtpout18.mailhost.ntl.com [212.250.162.18]) by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id j3C78AP5020927 for [EMAIL PROTECTED]; Tue, 12 Apr 2005 08:08:10 +0100 X-Envelope-From: [EMAIL PROTECTED] Received: from aamta07-winn.mailhost.ntl.com ([212.250.162.8]) by mta10-winn.mailhost.ntl.com with ESMTP id [EMAIL PROTECTED] ntl.com for [EMAIL PROTECTED]; Tue, 12 Apr 2005 08:08:10 +0100 Received: from smtp.film-tech.net ([66.98.221.156]) by aamta07-winn.mailhost.ntl.com with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 12 Apr 2005 08:08:06 +0100 Received: from d141-175-19.home.cgocable.net (d141-175-19.home.cgocable.net [24.141.175.19]) (authenticated user [EMAIL PROTECTED]) by smtp.film-tech.net (smtp.film-tech.net [66.98.221.156]) (Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R) with ESMTP id 12-md5000258.tmp for [EMAIL PROTECTED]; Tue, 12 Apr 2005 02:08:00 -0500 Received: from [192.168.123.141] (athlon.hamilton.dostech.net [192.168.123.141] (may be forged)) (authenticated bits=0) by d141-175-19.home.cgocable.net (8.12.8/8.12.8) with ESMTP id j3C77tM4024697 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 12 Apr 2005 03:07:57 -0400 Message-ID: [EMAIL PROTECTED] Date: Tue, 12 Apr 2005 03:08:04 -0400 From: Daryl C. W. O'Shea [EMAIL PROTECTED] User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913) X-Accept-Language: en-us, en MIME-Version: 1.0 To: martin smith [EMAIL PROTECTED] CC: Spamassassin users@spamassassin.apache.org Subject: Re: about SPF References: !~!UENERkVCMDkAAQACABgARcvEzyhlCU2onpe4D+jkPsKQ jv3Tr0E/[EMAIL PROTECTED] In-Reply-To: !~!UENERkVCMDkAAQACABgARcvEzyhlCU2onpe4D+jkPsKQ jv3Tr0E/[EMAIL PROTECTED] Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Authenticated-Sender: [EMAIL PROTECTED] X-MDRemoteIP: 24.141.175.19 X-Return-Path: [EMAIL PROTECTED] X-MDaemon-Deliver-To: [EMAIL PROTECTED] X-Virus-Scanned: by AMaViS - amavis-milter (http://www.amavis.org/) X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on marti.mine.nu X-Spam-Level: X-Spam-Status: No, score=-5.9 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham X-UIDL: SXH!KW_!!8n!L=U!! Return-Path: [EMAIL PROTECTED] Received: from mta09-winn.mailhost.ntl.com (smtpout17.mailhost.ntl.com [212.250.162.17]) by marti.mine.nu (8.12.6/8.12.6/SuSE Linux 0.6) with ESMTP id j3C78Wvx020936 for [EMAIL PROTECTED]; Tue, 12 Apr 2005 08:08:33 +0100 X-Envelope-From: [EMAIL PROTECTED] Received: from aamta01-winn.mailhost.ntl.com ([212.250.162.8]) by mta09-winn.mailhost.ntl.com with ESMTP id [EMAIL PROTECTED] tl.com for [EMAIL PROTECTED]; Tue, 12 Apr 2005 08:08:33 +0100 Received: from mail.apache.org ([209.237.227.199]) by aamta01-winn.mailhost.ntl.com with SMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Tue, 12 Apr 2005 08:08:33 +0100 Received: (qmail 54938 invoked by uid 500); 12 Apr 2005 07:08:10 - Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm Precedence: bulk list-help: mailto:[EMAIL PROTECTED] list-unsubscribe: mailto:[EMAIL PROTECTED] List-Post: mailto:users@spamassassin.apache.org List-Id: users.spamassassin.apache.org Delivered-To: mailing list users@spamassassin.apache.org Received: (qmail 54925 invoked by uid 99); 12 Apr 2005 07:08:10 - X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS Received-SPF: pass (hermes.apache.org: domain of [EMAIL PROTECTED] designates 66.98.221.156 as permitted sender) Received: from smtp.film-tech.net (HELO smtp.film-tech.net) (66.98.221.156) by apache.org (qpsmtpd/0.28) with ESMTP; Tue, 12 Apr 2005 00:08:06 -0700 Received: from d141-175-19.home.cgocable.net (d141-175-19.home.cgocable.net [24.141.175.19]) (authenticated user [EMAIL PROTECTED]) by smtp.film-tech.net (smtp.film-tech.net [66.98.221.156]) (Cipher TLSv1:RC4-MD5:128) (MDaemon.PRO.v6.8.5.R) with ESMTP id 12-md5000258.tmp for users@spamassassin.apache.org; Tue, 12 Apr 2005 02:08:00 -0500 Received: from [192.168.123.141] (athlon.hamilton.dostech.net [192.168.123.141] (may be forged)) (authenticated bits=0) by d141-175-19.home.cgocable.net (8.12.8/8.12.8) with ESMTP id j3C77tM4024697 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify
Sender Base
Hi, I have been playing about with senderbase a bit and have noticed that SB_NSP_VOLUME_SPIKE is looking for S5 to be NSP but have also noticed that they use unknown and in the case of my provider NTL the field is blank. I tried: header SB_NSP_VOLUME_SPIKE eval:check_rbl_sub('sb', 'sb:S5 =~ /[^ISP]/ S41 3.8 S40 - S41 0.3') Which works fine with NSP results, didn't try on an unknown but still doesn't work if the field is blank, just wondering how this can be altered to fire when the field is missing. I have also noticed that that S25 on SB_NEW_BULK is giving out the same number for all queries I have done, 25=1049184000, probably explains why this rule never fires. Martin
RE: [SPAM-TAG] SURBL missing this spam
I managed to write a metarule for anyone interested, to catch a URL with trailing : without a port specified, without FP on a 4 digit port. uri __SpoofPort_URL /.*\:.*|.*\...:.*/ uri __OkPort_URL /.*\:[0-9]|.*\:[0-9].+\/.*|.*\...:[0-9]|.*\...:[0-9].+\/.*/ meta Spoof_Port_URL (( __SpoofPort_URL - __OkPort_URL) 0) score Spoof_Port_URL 5 describe Spoof_Port_URL URL with trailing : but no port specified Martin
RE: [SPAM-TAG] SURBL missing this spam
|-Original Message- |From: Theo Van Dinter [mailto:[EMAIL PROTECTED] |Sent: 05 March 2005 01:27 |To: SpamAssassin Users |Subject: Re: [SPAM-TAG] SURBL missing this spam | |On Fri, Mar 04, 2005 at 05:23:35PM -0800, Jeff Chan wrote: | Given that it's apparently fixed in 3.1 should we make a bugzilla? | Might it be worth reviewing that the expression or code was | specifically fixed to explain this (better) behavior? | Or would that be unnecessary? | |I wouldn't bother with a ticket. We're trying to get 3.1 out |as opposed to a 3.0.3. I also don't know if the issue is |simple to fix in 3.0 or not. 3.1 has had a lot of work done |to it since 3.0. ;) | Is there a uri rule we could use to catch e.g. .com: or .uk: in the mean time untill 3.1 becomes available, there is a posibility other spammers may try using this technique to exploit the bug. I tried uri BadPort_URL /.???:|.??:/ but was an invalid regexp, I have never tried to write any rules before so havent a clue of the allowed formats, sure its quite simple to those that do. I also put this one in but like someone else said this will probably now be defunct; uri Crazy_URL /crazyrxl0wprices.com:/ score Crazy_URL 10 Martin
RE: [SPAM-TAG] SURBL missing this spam
|-Original Message- |From: martin smith [mailto:[EMAIL PROTECTED] |Sent: 05 March 2005 11:41 |To: Spamassassin |Subject: RE: [SPAM-TAG] SURBL missing this spam | |Is there a uri rule we could use to catch e.g. .com: or .uk: |in the mean time untill 3.1 becomes available, there is a |posibility other spammers may try using this technique to |exploit the bug. | |I tried uri BadPort_URL /.???:|.??:/ but was an invalid |regexp, I have never tried to write any rules before so havent |a clue of the allowed formats, sure its quite simple to those that do. |I also put this one in but like someone else said this will |probably now be defunct; | |uri Crazy_URL /crazyrxl0wprices.com:/ |score Crazy_URL 10 | Ok I have done a bit of reading up and got this rule to work, would appreciate someone to check it over to make sure I havent made a rule that will FP uri SpoofPort_URL /.*\:.*|.*\...:.*/ score SpoofPort_URL 1 Will up the score once I am satisfied I get no FP's Martin
RE: [SPAM-TAG] SURBL missing this spam
| |uri SpoofPort_URL /.*\:.*|.*\...:.*/ score SpoofPort_URL 1 | Ok MK2 that one could FP on genuine URLs with a port specified uri SpoofPort_URL /.*\:.*|.*\...:.*/ score SpoofPort_URL 1 uri OkPort_URL /.*\:|.*\...:./|/.*\:\/.*|.*\...:.\/.*/ score OkPort_URL -1 Sorry for so many posts, this is a learning curve for me, sure this can be done better possibly with a meta rule but that's getting way too much above me for now. This will do till someone comes up with a better rule or fix.
RE: [SPAM-TAG] SURBL missing this spam
|-Original Message- |From: Duncan Hill [mailto:[EMAIL PROTECTED] |Sent: 05 March 2005 15:02 |To: users@spamassassin.apache.org |Subject: Re: [SPAM-TAG] SURBL missing this spam | |On Saturday 05 March 2005 14:49, martin smith wrote: | |uri SpoofPort_URL /.*\:.*|.*\...:.*/ score SpoofPort_URL 1 | | Ok MK2 that one could FP on genuine URLs with a port specified | | uri SpoofPort_URL /.*\:.*|.*\...:.*/ score SpoofPort_URL 1 uri | OkPort_URL | /.*\:|.*\...:./|/.*\:\/.*|.*\...:.\/.*/ | score OkPort_URL -1 | |Hmm.. the variant I came up with doesn't use the uri tag, instead: |bodySURBL_DODGE /http(s)?|ftp:\/\/.*:\// |score SURBL_DODGE 5 | |The only problem being that it can score on a url like |http://some.good.site/fred:/ | |Why someone would have a : in the path or query, I don't know, |but it's a posssibilty. Unfortunately that will FP if u have any text after the URL with :/ E.g Take a look at http://some.good.site you never know:/ |
SURBL missing this spam
I must have received this spam 12 times or more in the last 24 hours and even though its listed on the SURBL, spamassassin fails to match it against them. When I submit the spams to spamcop it parses the url everytime. SURBL seems to work on all other spams, just wondering if they have found a way to avoid spamassassin catching the URL. Martin Received: from localhost by marti.mine.nuwith SpamAssassin (version 3.0.2);Fri, 04 Mar 2005 19:41:42 + From: Valium $69.95, Cialis $89.95, Viagra $69.95, Phen $69.95, Soma $59.95 [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: **SPAM** RE: Refill Date: Fri, 04 Mar 2005 14:44:12 -0500 Message-Id: [EMAIL PROTECTED] X-Spam-Flag: YES X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on marti.mine.nu X-Spam-Level: ** X-Spam-Status: Yes, score=14.2 required=5.0 tests=BAYES_99,HTML_90_100,HTML_IMAGE_ONLY_12,HTML_MESSAGE,RAZOR2_CF_RANGE_5 1_100,RAZOR2_CHECK,RCVD_IN_NERDS_KR autolearn=no MIME-Version: 1.0 Content-Type: text/plain X-UIDL: j4n!!]Si!ICE!!2o0! Spam detection software, running on the system marti.mine.nu, has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see [EMAIL PROTECTED] for details. Content preview: ONLINE PHARMACY Next-Day Shipping! Buy from the Leading Online Pharmacy! [...] Content analysis details: (14.2 points, 5.0 required) pts rule name description -- -- 0.2 HTML_90_100BODY: Message is 90% to 100% HTML 2.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words 0.2 HTML_MESSAGE BODY: HTML included in message 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50% [cf: 100] 4.9 BAYES_99 BODY: Bayesian spam probability is 99 to 100% [score: 1.] 2.4 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 3.5 RCVD_IN_NERDS_KR RBL: Received from South Korea [222.109.74.199 listed in zz.countries.nerd.dk] The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. ---BeginMessage--- ONLINE PHARMACY Next-Day Shipping! Buy from the Leading Online Pharmacy! BMM1.JPG---End Message---
RE: pyzor
Just found this, could be the cause of some of the problems. 2005-02-04 The public server changed its address; please re-run 'pyzor discover' to find the new server. http://pyzor.sourceforge.net/ Martin
RE: SPEWS still sucks
|-Original Message- |Don Levey wrote: | |It was pointed out to me that SURBL lists only check URLs - I |apologise for that. I *am* getting the problem described |above with hits on Spamcop and SORBS. Additionally, |apparently even the mere text mention of a .biz address |triggers that flag - even though it talks about a URL. For |example, on one mailing list there is a poster who posts from |a .biz address. Any thread to which he posts is automatically |contaminated, because his address is included in the text of |the message - even though these are NOT URLs. | Just a thought but have you manualy checked these URL's against the SURBL list, there have been cases reported of false positives by spamassassin, when in fact the SURBL dosent have them listed. I think a bugzilla was opened on this. Martin
RE: sa3.02 problems?
|At 02:59 PM 1/26/2005, Dave Stern - Former Rocket Scientist wrote: |I put score ALL_TRUSTED 0 in my user_prefs and the |message was |detected as spam. I tried putting this iN LOcal.cf and it didn't work. | |If that didn't work, then one of two cases happened: | 1) your local.cf was full of garbage and was ignored. |Run spamassassin --lint and it should run quitely. | | 2) you used the wrong location for local.cf. Check |spamassassin --lint -D and see what the site rules dir is. | Also if you are running spamd you need to restart it for any changes in local.cf to take effect
RE: Nigerian spams hit BAYES_00
|-Original Message- | |I can't say I've looked at very many of the 100,000 hams. I |have a quarantine area where I can skim through the spam and |borderline stuff, but I don't keep a copy of the ham. |However, to be learned as ham, the Nigerian messages would |have to score below 0.5, and I don't think that's likely. Of |course, there could be other messages that have some of the |same tokens as Nigerian messages and that are being scored as |ham. But they might actually BE ham. | | Lower your BAYES_00 score? (Towards zero, that is) | |That's what I'm doing unless I can find something better. | If you can't verify that hams are in fact hams you should probably turn autolearn off and feed sa-learn with some ham messages. This is very important at the beginning of training when the bayes dosent know ham from spam but after time it gets more and more accurate and auto-learn is pretty reliable then. You can try to feed the nigerian spams into sa-learn and see if that corrects it, but it might be quicker to dump the bayes db and start again with autolearn turned off to start with.
RE: Nigerian spams hit BAYES_00
|-Original Message- |From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf |Of Rosenbaum, Larry M. |Sent: 21 January 2005 18:47 |To: users@spamassassin.apache.org |Subject: Nigerian spams hit BAYES_00 | |Using SpamAssassin 3.0.2 on Solaris 2.6, Perl 5.8.6. | |For some reason, I'm getting BAYES_00 scores on a lot of our |Nigerian scam mail (and sometimes lottery scams). Most other |spam scores at reasonably high Bayes values (like 95, 80, or |at worst 50). Most of the training has been done with |autolearning using the default autolearn parameters, but I |have also manually trained some spam, including lots of |Nigerian spam (probably dozens of them). Here is some data: | |# sa-learn --dump magic |0.000 0 3 0 non-token data: bayes |db version |0.000 0 3560 0 non-token data: nspam |0.000 0 104457 0 non-token data: nham |0.000 0 660517 0 non-token data: ntokens |0.000 0 1106229013 0 non-token data: oldest atime |0.000 0 1106331575 0 non-token data: newest atime |0.000 0 0 0 non-token data: last |journal sync atime |0.000 0 1106284398 0 non-token data: last |expiry atime |0.000 0 55318 0 non-token data: last |expire atime delta |0.000 0 277915 0 non-token data: last |expire reduction count | Your ratio of ham to spam shows you have a lot more ham than spam trained, are you sure its not been learning spam has ham, so poisening your bayes database. Martin
RE: SA 3 - I'm Totally Stuck!
|-Original Message- |From: bubba [mailto:[EMAIL PROTECTED] |Sent: 07 January 2005 10:28 |To: users@spamassassin.apache.org |Subject: SA 3 - I'm Totally Stuck! | |Hi, | |I'm trying to install Spamassassin 3 on a Linux box w/Ensim |control panel installed, but I'm experiencing a variety of |errors. I've modified each users' .procmailrc file, but the |logs are showing that spamc cannot be found (regardless of how |I address it, and I know it's there - I can run it from the |command line). Copying spamc to each users' home directory |allows it to be run, but it then has difficulty chmodding to |the correct user, and the logs report that the user cannot be |found. If I try copying the spamassassin file to the users' |directory, this also runs, but gives a perl error. | |My procmail log file shows messages like the following: | |//*** |From [EMAIL PROTECTED] Thu |Jan 6 |13:28:05 2005 | Subject: New Year, New You--save up to 50% and discover great |ways to change y | Folder: /var/spool/mail/mil |47993 |/usr/bin/spamc: /usr/bin/spamc: cannot execute binary file |procmail: Error while writing to /usr/bin/spamc |procmail: Rescue of unfiltered data succeeded |//*** | |My .procmailrc file is as follows: | |//*** |DROPPRIVS=yes |LOGFILE=$HOME/procmail.log | |:0fw: spamassassin.lock || /usr/bin/spamc -u [EMAIL PROTECTED] Drop the -u [EMAIL PROTECTED], its not needed since its being run as the user and is semi-obsolete anyway. Plus you don't put @domain for a username. Martin
RE: DCC and Razor2 have completely stopped hitting
|-Original Message- |From: Robert Markin [mailto:[EMAIL PROTECTED] |Sent: 07 January 2005 10:00 |To: users@spamassassin.apache.org |Subject: DCC and Razor2 have completely stopped hitting | |I hope that I am sending this to the correct address | |-- |I am running SA 3.0 |on RH9 |using Sendmail 8.12.8 and Procmail 3.22. | |Procmail invokes SA by | /usr/bin/spamc I control the RH9 |machine via SSH using PuTTy |-- | |When I set everything up a few months ago it worked great. |Meaning I would get hits on most of the add-ons like DCC and Razor2. | |Now I do not ever get hits from either of these two. Is there |some way that I can check to see if something has become |fowled-up? If I try to run spamassassin with the -D --lint |options, it creates an output so long that I cannot scroll to |the top to see if there are any problems. | To give yourself more scrollback, you need to increase the number of lines in your putty configuration, under the window tab. Martin
RE: SA 3 - I'm Totally Stuck!
|-Original Message- |From: bubba [mailto:[EMAIL PROTECTED] |Sent: 07 January 2005 11:04 |To: users@spamassassin.apache.org |Subject: RE: SA 3 - I'm Totally Stuck! | | Drop the -u [EMAIL PROTECTED], its not needed since its being run | as the user and is semi- obsolete anyway. Plus you don't |put @domain | for a username. | | Martin | |The @ symbol does actually exist in the username - the -u |[EMAIL PROTECTED] |parameter worked OK in SA 2.6. | |I've tried removing -u [EMAIL PROTECTED] as suggested, |which has changed the error in my procmail log to: | |/usr/bin/spamc: /usr/bin/spamc: cannot execute binary file |procmail: Program failure (126) of /usr/bin/spamc |procmail: Rescue of unfiltered data succeeded |From [EMAIL PROTECTED] Fri Jan 7 10:47:44 2005 | Subject: spam test | Folder: /var/spool/mail/mil | |Is this a problem with permissions? If I SSH into the box I |can run /usr/bin/spamc from the command line and it works just fine. | |mil. | I notice my .procmailrc has a lot more enviroment settings, don't know enough about procmail to know if they are all needed but here's my .procmailrc as an expample that works fine for various users:- SHELL=/bin/sh PATH=/bin:/usr/bin PMDIR=$HOME/.procmail LOGABSTRACT=all LOGFILE=$PMDIR/proclog #recommended VERBOSE=off #Spamassassin start :0fw: spamc.lock * 256000 | /usr/bin/spamc #| spamassassin :0: * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*\*\*\*\*\* /dev/null :0: * ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\* /home/ntl/mail/spam10 :0: * ^X-Spam-Status: Yes /home/ntl/mail/spam5 # Work around procmail bug: any output on stderr will cause the F in From # to be dropped. This will re-add it. :0 * ^^rom[ ] { LOG=*** Dropped F off From_ header! Fixing up. :0 fhw | sed -e '1s/^/F/' } #Spamassassin end I can't see it being permisions since you say they work ok from a comand line, so would think it's a procmail problem. Martin
RE: spamc/spamassassin = different scores
|-Original Message- |From: Kevin Curran [mailto:[EMAIL PROTECTED] |Sent: 27 December 2004 07:09 |To: users@spamassassin.apache.org |Subject: spamc/spamassassin = different scores | |Hello list, | |I don't know about you all, but I've been getting a lot of |false negatives that have a hit on the ALL_TRUSTED test. So, |I disabled that test in local.cf. Now, I'm running SA on |FreeBSD using sendmail and procmail. |When the user's .procmailrc calls spamassassin it seems to |honor local.cf. |But when the .procmailrc calls spamc and spamd is running, it |seems to ignore local.cf. | |Tests show that an email will get a different score depending |on whether spamassassin or spamc is called. | |What's up with that? | |Thanks! | It sounds like you didn't restart spamd after you changed the local.cf file. Martin
RE: low scoring SPAM
|-Original Message- |From: alan premselaar [mailto:[EMAIL PROTECTED] |Sent: 04 December 2004 15:23 |To: users@spamassassin.apache.org |Subject: low scoring SPAM | |I've recently (about a month ago) installed a new mail server and |upgraded to SA 3.01. I've been training the bayes database by hand |(most of our mail is japanese and the autolearning wasn't a good way to |start the bayes learning) | |anyways, I'm not using any custom or 3rd party rules. I'm a little |baffled why the following email scored so low. i'm also a little |puzzled why the BAYES_99 has such a low score. |i'm tempted to crank it up a bit, but concerned about how that will |effect the system in general and also concerned about false positives. | |can anyone give me some insight? | |thanks | |alan | |P.S. in the past i've refrained from sending the why didn't this mail |score higher types of messages to the list, but I've been seeing a |pattern of hitting BAYES_99 and not many other rules. | I upped my scoring almost stright the way, the explanations I have heard for it being so low is to lower the number of FP's but lower bayes matches score higher which makes no comon sense at all, I use the following scores and they work well for me but you will have to make your own judgment on that:- score BAYES_00 0 0 -1.665 -4.9 score BAYES_05 0 0 -0.925 -2.5 score BAYES_20 0 0 -0.730 -1.0 score BAYES_40 0 0 -0.276 -0.5 score BAYES_50 0 0 1.567 0.001 score BAYES_60 0 0 3.515 0.5 score BAYES_80 0 0 3.608 1.0 score BAYES_95 0 0 3.514 2.5 score BAYES_99 0 0 4.070 4.9 It's the RH column which counts for me, ignore the LH one, think that's the default Martin