Re: FPs on RCVD_IN_SORBS_WEB
On 03/09/2017 06:29 PM, Kevin A. McGrail wrote:
> On 3/9/2017 12:26 PM, Axb wrote:
>> On 03/09/2017 06:14 PM, Kevin A. McGrail wrote:
>>> On 3/9/2017 12:04 PM, Cedric Knight wrote:
>>>> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much,
>>
>> atm there's a ton of hacked web servers spewing spam so I'm ok with lowering the score but suggest we try going with 1.5 and see how it goes.
>>
>> Comments?
>
> +1

in absence of more comments I've...

COMMIT/trunk/rules/50_scores.cf

Committed revision 1786225.

score RCVD_IN_SORBS_WEB 0 1.5 0 1.5
Re: FPs on RCVD_IN_SORBS_WEB
On 3/9/2017 12:26 PM, Axb wrote:
> On 03/09/2017 06:14 PM, Kevin A. McGrail wrote:
>> On 3/9/2017 12:04 PM, Cedric Knight wrote:
>>> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much,
>
> atm there's a ton of hacked web servers spewing spam so I'm ok with lowering the score but suggest we try going with 1.5 and see how it goes.
>
> Comments?

+1

--
*Kevin A. McGrail*
CEO
Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032
http://www.pccc.com/
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com
Re: FPs on RCVD_IN_SORBS_WEB
On 03/09/2017 06:14 PM, Kevin A. McGrail wrote:
> On 3/9/2017 12:04 PM, Cedric Knight wrote:
>> Well, not based on mass checks or any advanced analysis or anything, it just stops obvious Facebook etc ham being marked as spam, so working much better than the previous score of 3.253.
>>
>> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much, but with a hit similarly being about a 25% risk of being a FP.
>>
>> I could write some local rules to try separating out the lastexternal hits and see if it eliminates some FPs, but I doubt it will. There was some other experience upthread of RCVD_IN_SORBS_WEB (eg from Steve Zinski) being a problem.
>
> If a related rule had to be adjusted down, it makes sense that this might have similar troubles.
>
> Axb, do you agree we should lower/cap this rule at 0.5 as well?
>
> If the FP rate is as high as Cedric mentions, this might be considered for removal but we can address that after a rule score adjustment.
>
> Regards,
> KAM

atm there's a ton of hacked web servers spewing spam so I'm ok with lowering the score but suggest we try going with 1.5 and see how it goes.

Comments?
Re: FPs on RCVD_IN_SORBS_WEB
On 3/9/2017 12:04 PM, Cedric Knight wrote:
> Well, not based on mass checks or any advanced analysis or anything, it just stops obvious Facebook etc ham being marked as spam, so working much better than the previous score of 3.253.
>
> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much, but with a hit similarly being about a 25% risk of being a FP.
>
> I could write some local rules to try separating out the lastexternal hits and see if it eliminates some FPs, but I doubt it will. There was some other experience upthread of RCVD_IN_SORBS_WEB (eg from Steve Zinski) being a problem.

If a related rule had to be adjusted down, it makes sense that this might have similar troubles.

Axb, do you agree we should lower/cap this rule at 0.5 as well?

If the FP rate is as high as Cedric mentions, this might be considered for removal but we can address that after a rule score adjustment.

Regards,
KAM
Re: FPs on RCVD_IN_SORBS_WEB
On 09/03/17 13:26, Kevin A. McGrail wrote:
> On 3/9/2017 8:22 AM, Cedric Knight wrote:
>> I've reduced the score on my installation to 0.5. Would this kind of
>> thing be prevented by more people contributing to the mass checks? Or
>> could it be adjusted downwards as Alex suggested?
>
> I don't know if it's a floating rule but it sounds like it needs manual
> adjustment down. How has 0.5 been working for you?

Well, not based on mass checks or any advanced analysis or anything, it just stops obvious Facebook etc ham being marked as spam, so working much better than the previous score of 3.253.

Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much, but with a hit similarly being about a 25% risk of being a FP.

I could write some local rules to try separating out the lastexternal hits and see if it eliminates some FPs, but I doubt it will. There was some other experience upthread of RCVD_IN_SORBS_WEB (eg from Steve Zinski) being a problem.

CK
Re: FPs on RCVD_IN_SORBS_WEB
On 3/9/2017 8:22 AM, Cedric Knight wrote:
> I've reduced the score on my installation to 0.5. Would this kind of thing be prevented by more people contributing to the mass checks? Or could it be adjusted downwards as Alex suggested?

I don't know if it's a floating rule but it sounds like it needs manual adjustment down. How has 0.5 been working for you?
FPs on RCVD_IN_SORBS_WEB
On 11/09/16 22:10, Alex wrote:
>> COMMIT/trunk/rules/50_scores.cf
>>
>> Committed revision 1760066.
>>
>> score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>
>> should show up after next SA update
>
> Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's
> hitting a lot more ham than spam here, including mail from facebook.

Over the last four months I've seen a fair number of false positives from RCVD_IN_SORBS_WEB, including Facebook, Google, HaveIBeenPwned and various legit servers.

A Facebook example:

145.144.220.66.dnsbl.sorbs.net. 3600 IN TXT "Exploitable Server See: http://www.sorbs.net/lookup.shtml?66.220.144.145;

The rule scored 3.253 in November, which has fallen to 2.034 now. This still seems high for a RBL, particularly one that does deep-parsing, i.e. isn't -lastexternal, and hits end users (not servers) listed in the x-originating-ip header. To be fair, it is hitting some malware and carder spam too, but not much that would otherwise be missed.

The list is described as:

  web.dnsbl.sorbs.net - List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)
  Note: This zone now includes non-webserver IP addresses that have abusable vulnerabilities.

I've reduced the score on my installation to 0.5. Would this kind of thing be prevented by more people contributing to the mass checks? Or could it be adjusted downwards as Alex suggested?

CK
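
The difference between a deep-parsing lookup and a -lastexternal one, as discussed in the post above, shown as an added example (not code from the thread or from SpamAssassin). The headers, the internal network 10.0.0.0/8 and the helper names are constructed, and the relay parsing is a simplified model that reads only bracketed IPv4 addresses.

```python
import ipaddress
import re

ZONE = "dnsbl.sorbs.net"
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed headers, newest first (documentation address ranges only).
HEADERS = [
    ("Received", "from gw.example.com (gw.example.com [10.0.0.2]) by mail.example.com"),
    ("Received", "from mx.sender.example (mx.sender.example [192.0.2.10]) by gw.example.com"),
    ("Received", "from app.sender.example (app.sender.example [198.51.100.20]) by mx.sender.example"),
    ("X-Originating-IP", "[203.0.113.77]"),
]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: our own relays


def dnsbl_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone, as in the TXT lookup quoted above."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def header_ips(headers, names):
    """Bracketed IPv4 addresses from the named headers, in header order."""
    found = []
    for name, value in headers:
        if name.lower() in names:
            found.extend(IP_IN_BRACKETS.findall(value))
    return found


def is_internal(ip, internal):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in internal)


def lastexternal_queries(headers, internal=INTERNAL):
    """Check only the relay that handed the message to our own network."""
    for ip in header_ips(headers, {"received"}):
        if not is_internal(ip, internal):
            return [dnsbl_name(ip)]
    return []


def deep_queries(headers, internal=INTERNAL):
    """Check every external address in Received and X-Originating-IP."""
    ips = header_ips(headers, {"received", "x-originating-ip"})
    return [dnsbl_name(ip) for ip in ips if not is_internal(ip, internal)]
```

With these headers the -lastexternal variant issues one query, while the deep-parsing variant also queries the originating application server and the end user's address from X-Originating-IP.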
RCVD_IN_SORBS_WEB
why is the weighting for RCVD_IN_SORBS_WEB scores 0 0 0 then 0.007...

I know there is probably a good reason for this low a score but could someone explain it to me please as I have one very irate user who likes nothing better than to pick holes in spamassassin, which in turn is a headache for me.

apparently 1 spam every week is still not good enough protection for him.

thanks
ronan
Re: RCVD_IN_SORBS_WEB
Ronan McGlue wrote:
> why is the weighting for RCVD_IN_SORBS_WEB scores 0 0 0 then 0.007...
>
> I know there is probably a good reason for this low a score but could someone explain it to me please as I have one very irate user who likes nothing better than to pick holes in spamassassin, which in turn is a headache for me.

Looking at statistics.txt it's got a low overall hitrate, and while its S/O is fairly good, it does in fact hit some nonspam.

Without combing the entire mass-check results of the corpus, it would be impossible to determine the cause. However, I suspect that those few nonspams were also being hit by other rules and the perceptron was forced to compromise the score of this rule in order to avoid FPs.

Remember, SA's score evolver will accept 100 FN's before it will accept 1 FP. Which really is a good thing. FP's hurt, lots.. FN's are a nuisance, but they don't cause loss of mail.

Since it's got that policy, the perceptron will try very hard to avoid the FP. Even if it means letting some spam slip by, it's better than tagging a bunch of legitimate mail.
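
An added example (not SpamAssassin's score evolver or mass-check code) of the trade-off described in the reply above: one rule evaluated at the scores mentioned in this thread against a constructed corpus. The corpus, the helper names, the 5.0 threshold (SpamAssassin's default required_score) and the S/O formula used here are assumptions.

```python
THRESHOLD = 5.0  # assumed: SpamAssassin's default required_score

# Constructed corpus: (is_spam, score from all other rules, RCVD_IN_SORBS_WEB hit?)
CORPUS = [
    (False, 2.1, True), (False, 3.9, True), (False, 0.4, False), (False, 4.6, True),
    (False, 1.0, False), (False, 2.8, False), (False, 0.0, False), (False, 3.2, False),
    (True, 4.0, True), (True, 3.0, True), (True, 7.5, True), (True, 4.7, True),
    (True, 6.2, False), (True, 4.9, True), (True, 2.0, False), (True, 9.1, True),
]


def hit_stats(corpus=CORPUS):
    """Return (spam hit %, ham hit %, S/O) for the rule."""
    spam = [hit for is_spam, _, hit in corpus if is_spam]
    ham = [hit for is_spam, _, hit in corpus if not is_spam]
    spam_pct = 100.0 * sum(spam) / len(spam)
    ham_pct = 100.0 * sum(ham) / len(ham)
    total = spam_pct + ham_pct
    # Assumed definition: S/O = spam% / (spam% + ham%)
    return spam_pct, ham_pct, (spam_pct / total if total else 0.0)


def outcome(rule_score, corpus=CORPUS, threshold=THRESHOLD):
    """Return (false positives, false negatives) when the rule carries rule_score."""
    fp = fn = 0
    for is_spam, base, hit in corpus:
        tagged = base + (rule_score if hit else 0.0) >= threshold
        if tagged and not is_spam:
            fp += 1  # ham pushed over the threshold
        elif is_spam and not tagged:
            fn += 1  # spam left under the threshold
    return fp, fn


def sweep(scores=(3.253, 2.034, 1.5, 0.5)):
    """Map each candidate score from the thread to its (FP, FN) counts."""
    return {score: outcome(score) for score in scores}
```

On this corpus each step down in score removes false positives only by admitting more false negatives, which is the compromise the reply attributes to the perceptron.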
Re: RCVD_IN_SORBS_WEB
Paolo Cravero as2594 wrote:
> Same goes for who asks to unblock certain messages. They are told they can decide to have spam pass through (periodical automatic quarantine unlock, actually). In less than a day they usually beg to restore their antispam protection (and who cares for that job-unrelated mailing list!).

That reminds me of a customer we had who asked us to disable all spam filtering on his account. A few months later he cancelled because he was receiving too much spam.

A definite *headdesk* moment.

--
Kelson Vibber
SpeedGate Communications
www.speed.net