Re: SARE false positives on MY_CID_* rules
On Thu, 2009-01-29 at 18:21 +0100, Michael Monnerie wrote: At least on our generally german e-mails, the following rules very often cause false positives: Rings a bell. I believe these have been brought up to FP just a few weeks ago. The scores aren't particular lightweight, and (from memory) they seem to tend to fire in batches. They are part of 70_sare_stocks and I'd like to know if others do not have this problem or if it's a speciality of german e-mails? I looked into the ruleset and found that all of the MY_CID rules refer to spam from 2006. Maybe those rules can be dismissed by now? Due to Ninjas being busy with lives, wives hockey matches, SARE rules aren't being updated. -- http://www.rulesemporium.com/ Probably not much luck here. Using rules which have not been mass- checked in years comes with a certain obligation... ;) You can disable them in local.cf, if you find other rules to still be efficient. guenther -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
RE: SARE false positives on MY_CID_* rules
At least on our generally german e-mails, the following rules very often cause false positives: 1.6 MY_CID_AND_CLOSING SARE cid and closing 1.5 MY_CID_AND_STYLE SARE cid and style 1.6 MY_CID_ARIAL2_CLOSING SARE cid arial2 closing 1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style 1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2 They are part of 70_sare_stocks and I'd like to know if others do not have this problem or if it's a speciality of german e-mails? I looked into the ruleset and found that all of the MY_CID rules refer to spam from 2006. Maybe those rules can be dismissed by now? mfg zmi -- // Michael Monnerie, Ing.BSc- http://it-management.at michael, not that it will shatter the earth, yet on a lower traffic server we see this Total: 247677 Ham: 127925 Spam: 119752 70_sare_stocks.cf: Rule Name Score Ham Spam %of Ham %of Spam --- MY_CID_AND_ARIAL2 1.46 2115274 1.65% 0.23% MY_CID_AND_CLOSING 1.60133 97 0.10% 0.08% MY_CID_AND_STYLE 1.54412285 0.32% 0.24% MY_CID_FONT0.92 81 44 0.06% 0.04% MY_CID_ARIAL2_CLOSING 1.63 6 59 0.00% 0.05% MY_CID_ARIAL_STYLE 1.58117171 0.09% 0.14% this is on what would be mostly english based emails... would that indiate we should pull these specific rules? :-) - rh
Re: SARE false positives on MY_CID_* rules
On Thursday 29 January 2009 18:21, Michael Monnerie wrote: At least on our generally german e-mails, the following rules very often cause false positives: 1.6 MY_CID_AND_CLOSING SARE cid and closing 1.5 MY_CID_AND_STYLE SARE cid and style 1.6 MY_CID_ARIAL2_CLOSING SARE cid arial2 closing 1.6 MY_CID_ARIAL_STYLE SARE cid arial2 style 1.5 MY_CID_AND_ARIAL2 SARE CID and Arial2 They are part of 70_sare_stocks and I'd like to know if others do not have this problem or if it's a speciality of german e-mails? I brought up that problem a while ago on this list. As the sare rules aren't maintained any more I created this rule: meta MY_CID_BUG MY_CID_AND_STYLE MY_CID_AND_ARIAL2 MY_CID_ARIAL_STYLE MY_CID_AND_CLOSING MY_CID_ARIAL2_CLOSING describe MY_CID_BUG when 6 MY_CID_* rules hit, correct the score scoreMY_CID_BUG -3 After activating the rule I haven't seen any more FP. But that doesn't mean much. Here are my stats from yesterday: Rank Hits% Msgs % Spam% Ham Score Rule -- --- - 3472 0.01%0.06%0.22% 1.46 MY_CID_AND_ARIAL2 3711 0.01%0.03%0.02% 1.54 MY_CID_AND_STYLE 0 0.01%0.00%0.02% 1.58 MY_CID_ARIAL_STYLE I looked into the ruleset and found that all of the MY_CID rules refer to spam from 2006. Maybe those rules can be dismissed by now? Yes, looks like that. mfg zmi Greetings Stefan pgpAl7yvZr98E.pgp Description: PGP signature