Re: Score 0.001

[Thomas Barth via users]

Am 2024-05-13 04:33, schrieb jdow:

Um, "FORGED_SPF_HELO"? Are you sure this message is from MS?

{^_^}


The mail/report is authentic. They already corrected this "error" or 
changed the sending server. In today's report FORGED_SPF_HELO is 0.001 
and the score is below 5 :)



On 20240512 06:56:59, Thomas Barth wrote:


Am 2024-05-12 12:39, schrieb Greg Troxel:


I would suggest that if Debian is modifying the default config
from 5 to
6.31, then probably they should not be doing that.


This is a status of dmarc-report from microsoft today

X-Spam-Status: Yes, score=5.938 tagged_above=2 required=6.31
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001,
BASE64_LENGTH_78_79=0.1,
BASE64_LENGTH_79_INF=2.019, DKIMWL_WL_MED=-0.001,
DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DMARC_PASS=-0.001, FORGED_SPF_HELO=1,
HTML_MESSAGE=0.001,
MIME_BASE64_TEXT=0.001, MIME_HTML_MOSTLY=0.1,
MPART_ALT_DIFF=0.724,
PYZOR_CHECK=1.985, RCVD_IN_MSPIKE_H2=-0.001,
SPF_HELO_PASS=-0.001,
T_TVD_MIME_NO_HEADERS=0.01]

A strike level of 5 is too low for microsoft mails ;-)

Re: Score 0.001

[jdow]

Um, "FORGED_SPF_HELO"? Are you sure this message is from MS?

{^_^}

On 20240512 06:56:59, Thomas Barth wrote:

Am 2024-05-12 12:39, schrieb Greg Troxel:

I would suggest that if Debian is modifying the default config from 5 to
6.31, then probably they should not be doing that.


This is a status of dmarc-report from microsoft today

X-Spam-Status: Yes, score=5.938 tagged_above=2 required=6.31
    tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BASE64_LENGTH_78_79=0.1,
    BASE64_LENGTH_79_INF=2.019, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1,
    DKIM_VALID=-0.1, DMARC_PASS=-0.001, FORGED_SPF_HELO=1, HTML_MESSAGE=0.001,
    MIME_BASE64_TEXT=0.001, MIME_HTML_MOSTLY=0.1, MPART_ALT_DIFF=0.724,
    PYZOR_CHECK=1.985, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
    T_TVD_MIME_NO_HEADERS=0.01]

A strike level of 5 is too low for microsoft mails ;-)

Re: Score 0.001

[Benny Pedersen]

Thomas Barth skrev den 2024-05-12 15:56:

Am 2024-05-12 12:39, schrieb Greg Troxel:
I would suggest that if Debian is modifying the default config from 5 
to

6.31, then probably they should not be doing that.


This is a status of dmarc-report from microsoft today

X-Spam-Status: Yes, score=5.938 tagged_above=2 required=6.31
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BASE64_LENGTH_78_79=0.1,
BASE64_LENGTH_79_INF=2.019, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DMARC_PASS=-0.001, FORGED_SPF_HELO=1, 
HTML_MESSAGE=0.001,

MIME_BASE64_TEXT=0.001, MIME_HTML_MOSTLY=0.1, MPART_ALT_DIFF=0.724,
PYZOR_CHECK=1.985, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
T_TVD_MIME_NO_HEADERS=0.01]

A strike level of 5 is too low for microsoft mails ;-)


X-Spam-Status: No, score=-0.719 tagged_above=-999 required=5
tests=[AUTHRES_DKIM_PASS=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001,
KAM_NUMSUBJECT=0.4, MAILING_LIST_MULTI=-0.1, RCVD_IN_MSPIKE_H4=-0.01,
RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.1, SPF_PASS=-0.1,
USER_IN_DEF_SPF_WL=-0.2] autolearn=unavailable autolearn_force=no

AuthRes is nice :)

Re: Score 0.001

[Thomas Barth]

Am 2024-05-12 12:39, schrieb Greg Troxel:
I would suggest that if Debian is modifying the default config from 5 
to

6.31, then probably they should not be doing that.


This is a status of dmarc-report from microsoft today

X-Spam-Status: Yes, score=5.938 tagged_above=2 required=6.31
tests=[ARC_SIGNED=0.001, ARC_VALID=0.001, BASE64_LENGTH_78_79=0.1,
BASE64_LENGTH_79_INF=2.019, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DMARC_PASS=-0.001, FORGED_SPF_HELO=1, 
HTML_MESSAGE=0.001,

MIME_BASE64_TEXT=0.001, MIME_HTML_MOSTLY=0.1, MPART_ALT_DIFF=0.724,
PYZOR_CHECK=1.985, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001,
T_TVD_MIME_NO_HEADERS=0.01]

A strike level of 5 is too low for microsoft mails ;-)

Re: Score 0.001

[Matus UHLAR - fantomas]

On 12.05.24 06:39, Greg Troxel wrote:

I would suggest that if Debian is modifying the default config from 5 to
6.31, then


as it was already said, it's not Debian, it's default score in amavis.
Even the original header is in the amavis format:


X-Spam-Status: No, score=3.999 tagged_above=2 required=6.31
tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, 


Amavis has some more scores than stock SA, of course they can be modified if 
your scanner is well trained.




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.

Re: Score 0.001

[Greg Troxel]

I would suggest that if Debian is modifying the default config from 5 to
6.31, then

  probably they should not be doing that.  as a packager, I fix bugs
  (and file upstream bug reports), but it's usually linuxy
  nonportability things that are clearly bugs (test ==, hardcoded lists
  of accepted operating systems, etc.).  This is a difference in
  judgement.

  if they are applying a difference in judgement, the package
  description should disclose this really clearly.  Hard to tell what's
  going on, but this appears to be new to most people here.
  

Re: Score 0.001

[Thomas Barth]

Am 2024-05-12 01:08, schrieb jdow:

Methinks this is a perfect example of "one man's spam is another man's
ham." Or in my case, "A woman's spam is often a man's ham."


I like spam when it's well designed. That's why I no longer reject it on 
my newly set up mail server. I just want them all to be saved in the 
junk folder. I sometimes admire the creativity of spammers to attract 
attention to a ridiculous product :)

Re: Score 0.001

[jdow]

On 20240511 14:56:51, Greg Troxel wrote:

Thomas Barth  writes:


Am 2024-05-11 21:54, schrieb Bill Cole:

I have no idea who the Debian "spam analysts" are but I am certain
that they are not doing any sort of data-driven dynamic adjustments
of scores based on a threshold of 6.3 nor are they (obviously)
adjusting that threshold daily based on current scores.

I found the passage in my old Postfix book. The author writes: "It is
recommended not to carelessly set the value of $sa_kill_level_deflt to
any fantasy values. The score of 6.31 is not arbitrarily chosen, but
the statistically calculated optimum for the best possible spam filter
rate with as few false positives as possible. If you increase the
value, more spam will get through; if you lower it, your false
positives will increase."

The comments about adjustments are true, but the idea that it is optimum
is flat-out nonsensical.

The key question is how you weight a false positive compared to a false
negative.  Only after you decided that can you pick an optimium, for a
given corpus of already-received mail.


It may be that the value is outdated, but that is for the maintainers
of the relevant Debian package to decide. I'll just adapt my rules to
this one value.

That is an odd position.  It is very easy to set the threshold in a
local config.   Deciding instead to adjust scores to an oddball
threshold seems bizarre to me.

Personally, I don't use the 5, but instead have shades of grey, where

=1 is binned into mailboxes that are "maybe spam" through "very likely"

spam, and at some score, I reject at the MTA level.

I find that legit mail shows up in e.g. spam.2 (>= 2 and < 3), but it is
almost never mail that I would be upset to have missed (but I don't) or
mail that I would be upset to not get in a timely manner (I only see it
every day or so).  However, this really drops the FN rate of spam in my
INBOX, which matters a lot to me.Basically I consider a FP into my
"spam.1" mailbox, as long as it isn't really important to me, to be not
a big deal at all, and I'd rather have 10 or those than 1 FN in my
INBOX.  But, actually MTA-rejecting mail that I shouldn't, a FP at that
level, is a big deal, and I avoid it.  I think it's about one message a
year -- and while it's ham, it's very spammy ham.


Methinks this is a perfect example of "one man's spam is another man's ham." Or 
in my case, "A woman's spam is often a man's ham."


{^_-}   <- hopelessly square and antiquarian by today's standards. e.g. the 
XXXlist wars.

Re: Score 0.001

[Thomas Barth]

Am 2024-05-11 23:49, schrieb Vincent Lefevre:

The value 6.31 does not even appear in the spamassassin source
package.


Sorry, the values are overwritten via the Amavis defaults.

cat /etc/debian_version
10.13
egrep -nri "sa_tag_level_deflt|sa_kill_level_deflt" /etc
/etc/amavis/conf.d/20-debian_defaults:36:$sa_tag_level_deflt  = 2.0;  # 
add spam info headers if at, or above that level
/etc/amavis/conf.d/20-debian_defaults:38:$sa_kill_level_deflt = 6.31; # 
triggers spam evasive actions


cat /etc/debian_version
12.5
egrep -nri "sa_tag_level_deflt|sa_kill_level_deflt" /etc
/etc/amavis/conf.d/20-debian_defaults:36:$sa_tag_level_deflt  = 2.0;  # 
add spam info headers if at, or above that level
/etc/amavis/conf.d/20-debian_defaults:38:$sa_kill_level_deflt = 6.31; # 
triggers spam evasive actions

Re: Score 0.001

[Greg Troxel]

Thomas Barth  writes:

> Am 2024-05-11 21:54, schrieb Bill Cole:
>> I have no idea who the Debian "spam analysts" are but I am certain
>> that they are not doing any sort of data-driven dynamic adjustments
>> of scores based on a threshold of 6.3 nor are they (obviously)
>> adjusting that threshold daily based on current scores.
>
> I found the passage in my old Postfix book. The author writes: "It is
> recommended not to carelessly set the value of $sa_kill_level_deflt to
> any fantasy values. The score of 6.31 is not arbitrarily chosen, but
> the statistically calculated optimum for the best possible spam filter
> rate with as few false positives as possible. If you increase the
> value, more spam will get through; if you lower it, your false
> positives will increase."

The comments about adjustments are true, but the idea that it is optimum
is flat-out nonsensical.

The key question is how you weight a false positive compared to a false
negative.  Only after you decided that can you pick an optimium, for a
given corpus of already-received mail.

> It may be that the value is outdated, but that is for the maintainers
> of the relevant Debian package to decide. I'll just adapt my rules to
> this one value.

That is an odd position.  It is very easy to set the threshold in a
local config.   Deciding instead to adjust scores to an oddball
threshold seems bizarre to me.

Personally, I don't use the 5, but instead have shades of grey, where
>=1 is binned into mailboxes that are "maybe spam" through "very likely"
spam, and at some score, I reject at the MTA level.

I find that legit mail shows up in e.g. spam.2 (>= 2 and < 3), but it is
almost never mail that I would be upset to have missed (but I don't) or
mail that I would be upset to not get in a timely manner (I only see it
every day or so).  However, this really drops the FN rate of spam in my
INBOX, which matters a lot to me.Basically I consider a FP into my
"spam.1" mailbox, as long as it isn't really important to me, to be not
a big deal at all, and I'd rather have 10 or those than 1 FN in my
INBOX.  But, actually MTA-rejecting mail that I shouldn't, a FP at that
level, is a big deal, and I avoid it.  I think it's about one message a
year -- and while it's ham, it's very spammy ham.

Re: Score 0.001

[Vincent Lefevre]

On 2024-05-11 20:26:59 +0200, Thomas Barth wrote:
> Am 2024-05-11 19:24, schrieb Loren Wilton:
[...]
> > > found in
> > > 
> > > X-Spam-Status: No, score=5.908 tagged_above=2 required=6.31
> > > tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
> > > DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FSL_BULK_SIG=0.001,
> > > HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43,
> > > RAZOR2_CHECK=1.729,
> > > SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.948]
> > 
> > Why is your score threshold for spam 6.31? By default it is 5, and that
> > message would have been spam.
> 
> 6.31 has been the default value on a Debian system for ages and is based on
> the experience of the “spam analysts”.

No, Debian has not changed the default, which is 5.0, as I can see
for your message (here, on a Debian/stable machine):

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on joooj.vinc17.net
X-Spam-Status: No, score=-17.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H4,
RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,USER_IN_DEF_SPF_WL
autolearn=ham autolearn_force=no version=4.0.0

The value 6.31 does not even appear in the spamassassin source
package.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Re: Score 0.001

[Thomas Barth]

Am 2024-05-11 21:54, schrieb Bill Cole:
I have no idea who the Debian "spam analysts" are but I am certain that 
they are not doing any sort of data-driven dynamic adjustments of 
scores based on a threshold of 6.3 nor are they (obviously) adjusting 
that threshold daily based on current scores.


I found the passage in my old Postfix book. The author writes: "It is 
recommended not to carelessly set the value of $sa_kill_level_deflt to 
any fantasy values. The score of 6.31 is not arbitrarily chosen, but the 
statistically calculated optimum for the best possible spam filter rate 
with as few false positives as possible. If you increase the value, more 
spam will get through; if you lower it, your false positives will 
increase."
It may be that the value is outdated, but that is for the maintainers of 
the relevant Debian package to decide. I'll just adapt my rules to this 
one value.

Re: Score 0.001

[Bill Cole]

On 2024-05-11 at 14:26:59 UTC-0400 (Sat, 11 May 2024 20:26:59 +0200)
Thomas Barth 
is rumored to have said:


Hello

Am 2024-05-11 19:24, schrieb Loren Wilton:

Can I just take the names of the rules?

e.g. at least two checks should fire:

meta MULTIPLE_TESTS (( RAZOR2_CF_RANGE_51_100 + RAZOR2_CHECK + 
URIBL_ABUSE_SURBL) > 1)

score MULTIPLE_TESTS 1

found in

X-Spam-Status: No, score=5.908 tagged_above=2 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FSL_BULK_SIG=0.001,
HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43, 
RAZOR2_CHECK=1.729,

SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.948]


Why is your score threshold for spam 6.31? By default it is 5, and 
that message would have been spam.


6.31 has been the default value on a Debian system for ages and is 
based on the experience of the “spam analysts”. That's how I 
remember it. I have therefore retained this value. Who introduced the 
default value of 5? Spamassassin itself, because spam is getting 
better and better and fewer rules apply?


5.0 has been the default threshold in the distribution forever and that 
value is an assumption in the dynamic scoring and RuleQA service which 
adjusts scores to their optimal values daily based on the latest results 
submitted by masscheck contributors.


I have no idea who the Debian "spam analysts" are but I am certain that 
they are not doing any sort of data-driven dynamic adjustments of scores 
based on a threshold of 6.3 nor are they (obviously) adjusting that 
threshold daily based on current scores. The only reason I can see for 
boosting the threshold is if there is an additional set of rules being 
used with a significant number of the non-standard low-S/O rules. For 
example, if you use KAM rules (which are not part of the RuleQA process) 
you will have a lot of rule hits on legit mail and you can either boost 
the threshold or do a lot of local-specific FP mitigation.


On systems I manage I mostly use a *lower* threshold, because I apply 
more active site-specific rule management (and FP avoidance) than most 
systems ever receive.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com 
addresses)

Not Currently Available For Hire

Re: Score 0.001

[Thomas Barth]

Hello

Am 2024-05-11 19:24, schrieb Loren Wilton:

Can I just take the names of the rules?

e.g. at least two checks should fire:

meta MULTIPLE_TESTS (( RAZOR2_CF_RANGE_51_100 + RAZOR2_CHECK + 
URIBL_ABUSE_SURBL) > 1)

score MULTIPLE_TESTS 1

found in

X-Spam-Status: No, score=5.908 tagged_above=2 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FSL_BULK_SIG=0.001,
HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43, 
RAZOR2_CHECK=1.729,

SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.948]


Why is your score threshold for spam 6.31? By default it is 5, and that 
message would have been spam.


6.31 has been the default value on a Debian system for ages and is based 
on the experience of the “spam analysts”. That's how I remember it. I 
have therefore retained this value. Who introduced the default value of 
5? Spamassassin itself, because spam is getting better and better and 
fewer rules apply?




The meta you suggest would have fired and added a point, but only 
because the combined score for the rules it mentions added up to > 1.0. 
Since every single one has a score > 1.0, the rule would have fired if 
any single one or any combination of those rules fired. Is that what 
you intended? It would not have fired if you had picked SPF_HELO_NONE, 
SPF_PASS, and FSL_BULK_SIG, as that only adds up to 0.003.


Most commonly a meta for "multiple rules fired" would have used the && 
operator, for instance:


meta MY_MANY_RULESSPF_HELO_NONE && SPF_PASS && FSL_BULK_SIG
describe   MY_MANY_RULESSeveral random rules hit
scoreMY_MANY_RULES1


Your metarule says: all three subrules must match. My rule says, that at 
least 2 subrules must match. Here it can be A+B+C, A+B, A+C, B+C. In my 
rule the matches (trues) are counted. I have taken this rule from the 
wiki. Please look here at meta rules 
https://cwiki.apache.org/confluence/display/SPAMASSASSIN/writingrules

Re: Score 0.001

[Loren Wilton]

Can I just take the names of the rules?

e.g. at least two checks should fire:

meta MULTIPLE_TESTS (( RAZOR2_CF_RANGE_51_100 + RAZOR2_CHECK + 
URIBL_ABUSE_SURBL) > 1)

score MULTIPLE_TESTS 1

found in

X-Spam-Status: No, score=5.908 tagged_above=2 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FSL_BULK_SIG=0.001,
HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43, RAZOR2_CHECK=1.729,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.948]


Why is your score threshold for spam 6.31? By default it is 5, and that 
message would have been spam.


The meta you suggest would have fired and added a point, but only because 
the combined score for the rules it mentions added up to > 1.0. Since every 
single one has a score > 1.0, the rule would have fired if any single one or 
any combination of those rules fired. Is that what you intended? It would 
not have fired if you had picked SPF_HELO_NONE, SPF_PASS, and FSL_BULK_SIG, 
as that only adds up to 0.003.


Most commonly a meta for "multiple rules fired" would have used the && 
operator, for instance:


meta MY_MANY_RULESSPF_HELO_NONE && SPF_PASS && FSL_BULK_SIG
describe   MY_MANY_RULESSeveral random rules hit
scoreMY_MANY_RULES1

Re: Score 0.001

[Thomas Barth]

Hi guys,

thank you all for your advice!

Am 2024-05-10 22:39, schrieb Bowie Bailey:
The rules with the low scores are not intended to contribute to the 
spam score for the email.  They only have a defined score at all 
because if the score is 0, SA will not run the rule.


It works like this:

Rule A has a score of 0.001
Rule B has a score of 0.001
Rule C is a meta that matches if both A and B match, and has a score of 
5


It doesn't matter how small the scores are for rule A and B.  The only 
thing that matters is the score for rule C.  If only A matches, then it 
adds 0.001 to the score and the email is not spam.  If only B matches, 
then you get the same result.  But if they both match, then you get a 
score of 5.002.  The entire point of the 0.001 score is that you could 
match 100 of these rules and not affect the spam score.


These rules are generally things like, "the email has HTML", "there is 
an SPF check", "there is a google drive link", etc.  On their own, they 
do not mean anything, but metas can combine these low-scored rules into 
meaningful patterns that are then given larger scores.



Can I just take the names of the rules?

e.g. at least two checks should fire:

meta MULTIPLE_TESTS (( RAZOR2_CF_RANGE_51_100 + RAZOR2_CHECK + 
URIBL_ABUSE_SURBL) > 1)

score MULTIPLE_TESTS 1

found in

X-Spam-Status: No, score=5.908 tagged_above=2 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FSL_BULK_SIG=0.001,
HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43, RAZOR2_CHECK=1.729,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.948]

Re: Score 0.001

[Bowie Bailey]

On 5/10/2024 2:57 AM, Thomas Barth wrote:

Am 2024-05-10 06:19, schrieb Reindl Harald (privat):

Am 10.05.24 um 00:05 schrieb Thomas Barth:

Am 2024-05-09 21:41, schrieb Loren Wilton:
Low-score tests are neither spam nor ham signs by themselves. They 
can be used in metas in conjunction with other indicators to help 
determine ham or spam. A zero value indicates that a rule didn't 
hit and the sign is not present. A small score indicates that the 
rule did hit, so the sign it is detecting is present.


0.001 seems to be the default lowest value. Is it possible to change 
it to 0.01 or 0.1?


what do you not understand in meta tests?
it's irrelevant if it's 0.001 or 0.01

these rules are used in combination with other rules

HTML_MESSAGE or SPF_HELO_NONE alone don't mean anything and so it 
must not score higher - it makes only sense combined with other rules


Most of the messages I receive only have a few hits because they 
hardly differ from a regular e-mail. That's why I want to assign a 
higher value to the individual tests. I don't know how many of the 
possible tests with a value of only 0.001 exist. With this value, 
theoretically 1000 different tests would have to be positive in order 
to achieve a total value of 1. Therefore, it is not irrelevant whether 
I have a minimum value of 0.001 or 0.1. I would even go further and 
say if there are more than 10 tests with a positive value: Spam! 
Either the strike level is reached or there are more than 10 tests 
with a positive value. So now I repeat my question: is it possible to 
increase the minimum value to 0.1 by default?


Going through this thread, I note that a few people have said "they are 
used in metas", but no one has actually given an example of how that works.


The rules with the low scores are not intended to contribute to the spam 
score for the email.  They only have a defined score at all because if 
the score is 0, SA will not run the rule.


It works like this:

Rule A has a score of 0.001
Rule B has a score of 0.001
Rule C is a meta that matches if both A and B match, and has a score of 5

It doesn't matter how small the scores are for rule A and B.  The only 
thing that matters is the score for rule C.  If only A matches, then it 
adds 0.001 to the score and the email is not spam.  If only B matches, 
then you get the same result.  But if they both match, then you get a 
score of 5.002.  The entire point of the 0.001 score is that you could 
match 100 of these rules and not affect the spam score.


These rules are generally things like, "the email has HTML", "there is 
an SPF check", "there is a google drive link", etc.  On their own, they 
do not mean anything, but metas can combine these low-scored rules into 
meaningful patterns that are then given larger scores.


--
Bowie

Re: Score 0.001

[Bill Cole]

On 2024-05-10 at 14:15:56 UTC-0400 (Fri, 10 May 2024 14:15:56 -0400)
Bill Cole 
is rumored to have said:

> On 2024-05-09 at 18:19:14 UTC-0400 (Thu, 9 May 2024 15:19:14 -0700)
> jdow 
> is rumored to have said:
>
>> On 20240509 15:05:46, Thomas Barth wrote:
>>> Am 2024-05-09 21:41, schrieb Loren Wilton:
 Low-score tests are neither spam nor ham signs by themselves. They can be 
 used in metas in conjunction with other indicators to help determine ham 
 or spam. A zero value indicates that a rule didn't hit and the sign is not 
 present. A small score indicates that the rule did hit, so the sign it is 
 detecting is present.
>>>
>>> 0.001 seems to be the default lowest value. Is it possible to change it to 
>>> 0.01 or 0.1?
>
> Sure. It's just a number.

Clarifying; You can change any score yourself on your own system locally if you 
like, but to make no rule ever score 0.001 you'd need to fix the scores for all 
low-score rules every time that you run sa-update. As John Hardin says, we will 
not be changing the default to 0.1 in the rules distribution; that would be too 
significant a value. I also think that there is value in having matched rules 
showing up in the long form (folded header) of the SA report with "0.0" if they 
are intended to have no direct impact on the ham/spam decision.


-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Score 0.001

[Bill Cole]

On 2024-05-10 at 11:00:45 UTC-0400 (Fri, 10 May 2024 08:00:45 -0700 (PDT))
John Hardin 
is rumored to have said:

> Note that poorly-performing rules may get a score that looks informational, 
> but that may change over time based on the corpora.

IOW: rules that in themselves are not good enough performers to get included in 
the daily active list will still be pulled into the active list with a trivial 
score if derivative meta rules which are good enough for real scores depend on 
them.

-- 
Bill Cole

Re: Score 0.001

[Bill Cole]

On 2024-05-09 at 18:19:14 UTC-0400 (Thu, 9 May 2024 15:19:14 -0700)
jdow 
is rumored to have said:

> On 20240509 15:05:46, Thomas Barth wrote:
>> Am 2024-05-09 21:41, schrieb Loren Wilton:
>>> Low-score tests are neither spam nor ham signs by themselves. They can be 
>>> used in metas in conjunction with other indicators to help determine ham or 
>>> spam. A zero value indicates that a rule didn't hit and the sign is not 
>>> present. A small score indicates that the rule did hit, so the sign it is 
>>> detecting is present.
>>
>> 0.001 seems to be the default lowest value. Is it possible to change it to 
>> 0.01 or 0.1?

Sure. It's just a number.

> 1) This cyberunit is unwarrantedly curious, why does this matter to you?
>
> 2) Probably not as  it may be related to how perl handles numbers.

Not so much. SA has no need for high-precision floating-point math so there is 
nothing special about 0.001 or 0.0001 or any other small number.

The reason for such low scores is to assure that the rule is checked, even if 
no other rule depends on it. Such rules usually are a component in multiple 
other meta rules that have more significant scores, but are not significantly 
spam or ham signs on their own.

-- 
Bill Cole

Re: Score 0.001

[John Hardin]

On Fri, 10 May 2024, Thomas Barth wrote:

So now I repeat my question: is it possible to increase the minimum 
value to 0.1 by default?


Not really.

The score for a rule is either a fixed value assigned by the rule 
developer or a dynamic value calculated by masscheck nightly. There isn't 
a "macro" for informational scores that would affect them all at once; 
each informational rule would have to be updated individually.


And they are considered *informational* - they should not by themselves 
contribute to the ham/spam score, so a request to globally change the 
informational score from 0.0001 or 0.001 to 0.1 would not be approved.


For example, there is a rule that matches large monetary quantities in 
multiple formats and languages. That rule is used in combination with 
other rules to look for spam signs. It's scored as informational simply to 
expose the fact that the message has content like that, but by itself it 
doesn't indicate hammy or spammy content - the message could be a 419 
spam, or it could be a news article about the deficit.


Note that poorly-performing rules may get a score that looks 
informational, but that may change over time based on the corpora.



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 4 days until the 76th anniversary of Israel's independence

Re: Score 0.001

[jdow]

On 20240509 23:57:12, Thomas Barth wrote:

Am 2024-05-10 06:19, schrieb Reindl Harald (privat):

Am 10.05.24 um 00:05 schrieb Thomas Barth:

Am 2024-05-09 21:41, schrieb Loren Wilton:
Low-score tests are neither spam nor ham signs by themselves. They can be 
used in metas in conjunction with other indicators to help determine ham or 
spam. A zero value indicates that a rule didn't hit and the sign is not 
present. A small score indicates that the rule did hit, so the sign it is 
detecting is present.


0.001 seems to be the default lowest value. Is it possible to change it to 
0.01 or 0.1?


what do you not understand in meta tests?
it's irrelevant if it's 0.001 or 0.01

these rules are used in combination with other rules

HTML_MESSAGE or SPF_HELO_NONE alone don't mean anything and so it must not 
score higher - it makes only sense combined with other rules


Most of the messages I receive only have a few hits because they hardly differ 
from a regular e-mail. That's why I want to assign a higher value to the 
individual tests. I don't know how many of the possible tests with a value of 
only 0.001 exist. With this value, theoretically 1000 different tests would 
have to be positive in order to achieve a total value of 1. Therefore, it is 
not irrelevant whether I have a minimum value of 0.001 or 0.1. I would even go 
further and say if there are more than 10 tests with a positive value: Spam! 
Either the strike level is reached or there are more than 10 tests with a 
positive value. So now I repeat my question: is it possible to increase the 
minimum value to 0.1 by default?


Values like .001 are generally used for meta rules. I use meta rules chiefly to 
combine multiple relatively benign tests into something significant when they 
all appear at once. (Or variations on that theme.) The tiny minimum score 
assures the rule gets processed and reported but has minimalist contributions to 
the overall score. If you want a minimum score of 0.004, 0.01, 100, whatever 
then use a "score" line associated with your rule. That saves you from the 
fruits of being too lazy to give a real score to a rule that is important to get 
just right.


{o.o}

Re: Score 0.001

[Matus UHLAR - fantomas]

On 09.05.24 20:41, Thomas Barth wrote:
I don't understand why there are so many checks where the meaningless 
value of 0.001 is assigned.


Those rules may be tested in the present.
They also may be informative, e.g. DMARC_MISSING or SPF_PASS
rules with score 0 are not used so using 0 is not possible in these cases.

Those rules may have different scores with diffent rulesets 
(bayes/non-bayes, network/non-netwotk)

And they can be used in metas, e.g:

score HTML_MESSAGE 0.001
meta OBFUSCATING_COMMENT   ((__OBFUSCATING_COMMENT_A && HTML_MESSAGE) || 
(__OBFUSCATING_COMMENT_B && MIME_HTML_ONLY)) && !__ISO_2022_JP_DELIM
score OBFUSCATING_COMMENT 0.000 0.000 0.001 0.723

The total score could be much higher. Do I 
have to define all the checks myself with a desired value?


you can redefine values if you think, but you should be careful about it.


X-Spam-Status: No, score=3.999 tagged_above=2 required=6.31
   tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, 
HTML_IMAGE_RATIO_02=0.001,

   HTML_MESSAGE=0.001, PYZOR_CHECK=1.985, RELAYCOUNTRY_BAD=2,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_TVD_MIME_EPI=0.01]

or

X-Spam-Status: Yes, score=7.281 tagged_above=2 required=6.31
   tests=[DMARC_MISSING=0.001, FSL_BULK_SIG=0.001, 
HTML_FONT_LOW_CONTRAST=0.001,
   HTML_IMAGE_ONLY_24=1.282, HTML_IMAGE_RATIO_02=0.001, 
HTML_MESSAGE=0.001,

   MIXED_HREF_CASE=1.999, PYZOR_CHECK=1.985, RELAYCOUNTRY_BAD=2,
   SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_TVD_MIME_EPI=0.01]



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.

Re: Score 0.001

[Thomas Barth]

Am 2024-05-10 06:19, schrieb Reindl Harald (privat):

Am 10.05.24 um 00:05 schrieb Thomas Barth:

Am 2024-05-09 21:41, schrieb Loren Wilton:
Low-score tests are neither spam nor ham signs by themselves. They 
can be used in metas in conjunction with other indicators to help 
determine ham or spam. A zero value indicates that a rule didn't hit 
and the sign is not present. A small score indicates that the rule 
did hit, so the sign it is detecting is present.


0.001 seems to be the default lowest value. Is it possible to change 
it to 0.01 or 0.1?


what do you not understand in meta tests?
it's irrelevant if it's 0.001 or 0.01

these rules are used in combination with other rules

HTML_MESSAGE or SPF_HELO_NONE alone don't mean anything and so it must 
not score higher - it makes only sense combined with other rules


Most of the messages I receive only have a few hits because they hardly 
differ from a regular e-mail. That's why I want to assign a higher value 
to the individual tests. I don't know how many of the possible tests 
with a value of only 0.001 exist. With this value, theoretically 1000 
different tests would have to be positive in order to achieve a total 
value of 1. Therefore, it is not irrelevant whether I have a minimum 
value of 0.001 or 0.1. I would even go further and say if there are more 
than 10 tests with a positive value: Spam! Either the strike level is 
reached or there are more than 10 tests with a positive value. So now I 
repeat my question: is it possible to increase the minimum value to 0.1 
by default?

Re: Score 0.001

[jdow]

On 20240509 15:05:46, Thomas Barth wrote:

Am 2024-05-09 21:41, schrieb Loren Wilton:
Low-score tests are neither spam nor ham signs by themselves. They can be 
used in metas in conjunction with other indicators to help determine ham or 
spam. A zero value indicates that a rule didn't hit and the sign is not 
present. A small score indicates that the rule did hit, so the sign it is 
detecting is present.


0.001 seems to be the default lowest value. Is it possible to change it to 
0.01 or 0.1?



1) This cyberunit is unwarrantedly curious, why does this matter to you?

2) Probably not as  it may be related to how perl handles numbers.

{^_^}

Re: Score 0.001

[Thomas Barth]

Am 2024-05-09 21:41, schrieb Loren Wilton:
Low-score tests are neither spam nor ham signs by themselves. They can 
be used in metas in conjunction with other indicators to help determine 
ham or spam. A zero value indicates that a rule didn't hit and the sign 
is not present. A small score indicates that the rule did hit, so the 
sign it is detecting is present.


0.001 seems to be the default lowest value. Is it possible to change it 
to 0.01 or 0.1?

Re: Score 0.001

[Loren Wilton]

Low-score tests are neither spam nor ham signs by themselves. They can be 
used in metas in conjunction with other indicators to help determine ham or 
spam. A zero value indicates that a rule didn't hit and the sign is not 
present. A small score indicates that the rule did hit, so the sign it is 
detecting is present. 

Re: Score for certain spam

[Kris Deugau]

Greg Troxel wrote:


Alan  writes:


It's sent to the bit bucket, not done in the MTA. In this case, each
account can set individual thresholds and has an individual set of
local rules, so that might be why. I'd prefer to 550 them as well,
although I suspect the majority of sources just don't care. Lately the
most insidious stuff has been coming from VPS providers with
insufficient vetting.


For actual spam, it doesn't matter if you /dev/null or 550 them.

My point -- to the list, not really so much to you since I realize you
have your own reasons --  was that there is a possibility of a legit
sender's message hitting the threshold, and for that message, it is much
better to 550 than /dev/null so they can figure it out.   It's only for
that very rare legit mail that it matters, in my view, but there it's
important.


*nod*  At least the sender knows something has gone wrong.

Unfortunately, the weakness in this is that the *recipient* then has to 
magically figure out that their mail provider has - for whatever reason 
- rejected an email that they probably wanted.  If you're lucky the 
sender has a clue, and will use this fancy device known as a 
"tel-e-phone" to (gasp! shock!) *talk to* the recipient to let them 
know, who can then complain to *their* mail provider about blocking mail 
that shouldn't have been blocked.


Often you're not that lucky.  I've wasted a fair bit of time going 
around in circles on this from the sender's side:


Us: "We don't *know* exactly why this was rejected, you'll have to 
contact the sender some other way and get them to check with their mail 
provider."


Sender: "But your server sent it back to me!  Fix it!"

Us: "We don't *know* exactly why this was rejected, you'll have to 
contact the sender some other way and get them to check with their mail 
provider."


Sender: "But your server sent it back to me!  Fix it!"

(repeat until the concept gets through - some cases I'm trying to 
repress memory of went more than five rounds of trying to find a new say 
to say the same thing over and over AND OVER.)


We naturally ask to take a look at the original message if possible and 
make some guesses as to what's getting up the recipient filter's nose... 
 but in the end they *are* just guesses, and sometimes even a mostly 
blank test email also gets rejected.


-kgd

Re: Score for certain spam

[Greg Troxel]

Alan  writes:

> It's sent to the bit bucket, not done in the MTA. In this case, each
> account can set individual thresholds and has an individual set of
> local rules, so that might be why. I'd prefer to 550 them as well,
> although I suspect the majority of sources just don't care. Lately the
> most insidious stuff has been coming from VPS providers with
> insufficient vetting.

For actual spam, it doesn't matter if you /dev/null or 550 them.

My point -- to the list, not really so much to you since I realize you
have your own reasons --  was that there is a possibility of a legit
sender's message hitting the threshold, and for that message, it is much
better to 550 than /dev/null so they can figure it out.   It's only for
that very rare legit mail that it matters, in my view, but there it's
important.


Thus, I have a setup to MTA-reject at 8 and everything that makes it
through that gets filed, in INBOX if low enough, and  in a spam folder
if not.



signature.asc
Description: PGP signature

Re: Score for certain spam

[Alan]

On 2021-08-17 18:53, Greg Troxel wrote:

Alan <> writes:


I manage email for a couple of hundred domains, so a fair bit of stuff
that arrives to my inbox are spam complaints (they're supposed to open
tickets or use the support mailbox but... users). I flag anything over
5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to
the bit bucket. Our support inbox deletes anything over 10.0. Stuff
that scores over 20 arrives on a regular basis but 10 seems to be a
decent threshold for "absolute crap".

When you talk about 8/10 and bitbucket/delete, are you accepting this
email at the MTA level and then sending it to /dev/null?  If so, I
wonder what your thoughts are on the wisdom of that vs rejecting at the
MTA level?  In my view MTA, rejection is much better because if there is
a legit sender they get a 550 back, rather than silent discard.


It's sent to the bit bucket, not done in the MTA. In this case, each 
account can set individual thresholds and has an individual set of local 
rules, so that might be why. I'd prefer to 550 them as well, although I 
suspect the majority of sources just don't care. Lately the most 
insidious stuff has been coming from VPS providers with insufficient 
vetting. Every few months I get something like this:


We are looking to get set up with a Dedicated Server or VPS today with 
a /24. It is to mail, but it's all compliant.

Can we get set up with you guys?
Invariably they're red flagged multiple times on ROSKO. I'm sure failing 
to take 2 minutes to do that check has done significant damage to 
website builders who figured they could make some easy money in hosting.


--
For SpamAsassin Users List

Re: Score for certain spam

[Benny Pedersen]

On 2021-08-17 18:03, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.


basicly all above 5 is spam tagged with default spamassassin, it is so 
as long as spamassassin does only tags mails, eq spamassassin is not 
designed to ever reject any emails



The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk 
folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then 
reject
such messages at the SMTP layer, without having to worry about 
rejecting

legitimate messages.


in fuglu i use 15 as reject score, it can be done in spamas-milter 
aswell, but its not spamassassin fault, in many places of score in 
spamassassin its for negative spam -100, and for possitive spam +100, 
both can be changed scores on so it never reject fp


spammers knows defaults scores so thay hope recipients never change it, 
spammers want whitelist_from * but in mta stage local recipients is not 
evelobe senders, so whitelist in spamassassin is still safe to use where 
its needed, but remember dont if not needed


i begin to see to make rules scores safe it must not exists a single 
rule with score above 3, but there can be multiple rules to add more 
score, this is more safe to do then a single rule with 30+

Re: Score for certain spam

[Greg Troxel]

Alan  writes:

> I manage email for a couple of hundred domains, so a fair bit of stuff
> that arrives to my inbox are spam complaints (they're supposed to open
> tickets or use the support mailbox but... users). I flag anything over
> 5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to
> the bit bucket. Our support inbox deletes anything over 10.0. Stuff
> that scores over 20 arrives on a regular basis but 10 seems to be a
> decent threshold for "absolute crap".

WHen you talk about 8/10 and bitbucket/delete, are you accepting this
email at the MTA level and then sending it to /dev/null?  If so, I
wonder what your thoughts are on the wisdom of that vs rejecting at the
MTA level?  In my view MTA, rejection is much better because if there is
a legit sender they get a 550 back, rather than silent discard.


signature.asc
Description: PGP signature

Re: Score for certain spam

[Alan]

I manage email for a couple of hundred domains, so a fair bit of stuff 
that arrives to my inbox are spam complaints (they're supposed to open 
tickets or use the support mailbox but... users). I flag anything over 
5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to 
the bit bucket. Our support inbox deletes anything over 10.0. Stuff that 
scores over 20 arrives on a regular basis but 10 seems to be a decent 
threshold for "absolute crap".


I should also mention that we refuse to send anything that scores over 
5.0. This has proved useful both in limiting damage from unprotected 
contact forms and ... um ... "overzealous" customers.


On 2021-08-17 12:03, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.

Thank you!


--
For SpamAsassin Users List

Re: Score for certain spam

[Greg Troxel]

David Bürgin  writes:

[all the other replies sound 100% sensible to me]

> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no false
> positives.

There is no certainty; there is only probability.   So you have to
decide what risk you want to put up with, and that's in my experience a
risk of accepted spam and a risk of rejected ham.

> The default threshold for spam is 5.0, which works well for me. Only
> very rarely a ham message scores above that and lands in my Junk folder.

I have set up TXREP, and added known senders to a welcomelist, plus some
private rules and score tweaks, SA base plus KAM.

I find that ham over 5 is extremely rare.

I am rejecting at the SMTP level at 8.   I have so far not received a
single complaint of legit mail being rejected.  8 is a bit more
aggressive than I would recommend in general.

Note that I take two unconventional views compared to standard SA
doctrine:

  mail is personal-ham, list-ham, or spam.  If a message from a
  mailinglist that is technically ham gets misfiled or even rejected,
  that's not a big deal.  Mail that is personally to me (really, that I
  care about) that gets rejected is a big deal.

  I really don't want any spam in my INBOX, because it appears on my
  phone, and thus I sort mail into "ham", "maybe spam", "spam" and
  "definitely spam", basically sorting <1 point into inbox, 1-5 into
  spam.N folders, with 5+ into pam.5, combined with MTA-level rejection
  at 8.  This means that every day several messages are sorted into
  spam.1 and spam.2 that are technically ham, and I just refile them
  when at a computer.  The benefit to this is that only a handful of
  spam messages land in my inbox every week.

I often add welcomelist or rule tweaks for list senders who score 1-5.
Usually the messages are icky somehow, from an MTA on a BL,
misformatted, etc.  Almost always I wouldn't really care if I had missed
them.   Real people, real transactional notifications, I add exceptions
for.

This is higher effort, but it serves my dual purposes of not missing ham
and protecting my phone INBOX from spam.  But it also gives me insight
into score distribution.  1-2 point ham is pretty normal, and arguably
that folder is 75% ham.  The 4-5 folder is about 98% spam.

> Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
> such messages at the SMTP layer, without having to worry about rejecting
> legitimate messages.

My view is that very occasional rejecting of legit mail is much better
than having it buried in a spam folder.   I would be very surprised if
rejecting >= 10 caused you real trouble.   You just said that you almost
never have ham get scored over 5.  So 10 seems like a reasonable step.



signature.asc
Description: PGP signature

Re: Score for certain spam

[Matus UHLAR - fantomas]

On 17.08.21 18:03, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.


on my personal server I have pushed the score to 3.5 and reject anything
over 9. Note that I intensively train spams and FPs.

I maintain a few servers, default score is at 5 and reject over 8.
one server without proper training, score is left at amavis default and
reject on 10.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)

Re: Score for certain spam

[Kevin A. McGrail]

Hi David,

If your default is in the 5 to 6 range for scoring, we have found that 
11.0 has virtually no FPs and 15.0 has not had any FPs at our firm in years.


Regards,

KAM

On 8/17/2021 12:03 PM, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.

Thank you!


--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

Re: Score for certain spam

[Martin Gregorie]

On Tue, 2021-08-17 at 18:03 +0200, David Bürgin wrote:
> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no
> false positives.
> 
I pushed it one notch, to 6.0, but:
 
(a) I've accumulated a fair collection of private rules which are
specific to my mail stream

(b) I have a private mail archive, stored in a PostgreSQL database,
and an SA plugin which whitelists any sender who is recorded in my
archive as somebody that I've previously sent mail to.

(c) Spam is quarantined as it arrives.
Ham is delivered via Postfix + Dovecot and also queued for archiving

(d) spam gets quarantined for 7 days before being discarded

(e) An overnight cronjob loads ham thats queued for archiving into the
mail archive. It also expires & deletes week-old quarentined spam,
and I added a report to logwatch that lists new spam, so I know its
arrived and can be retrieved from quarentine if I decide I should
see it.

I've listed these steps and associated conditions in case any are useful
to you. This has all been up and running since 2007, so its tolerably
well tested.


Martin

Re: SCORE: FSL_BULK_SIG

[Matus UHLAR - fantomas]

On 14.06.21 18:11, Henry Castro wrote:

I'm not sure if normal but FSL_BULK_SIG scoring have fluctuated a lot lately.

describe FSL_BULK_SIG  Bulk signature with no Unsubscribe

Is this rule still valid?


I've had this problems with internal mail. Fixed by adding local rules.

Unfortunately, much of mail seems to hit DCC_CHECK even they don't look
bulky.  1.1 points for DCC_CHECK is fine here but FSL_BULK_SIG and other
hits pushed mail over required_score.

maybe replacing (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) with DIGEST_MULTIPLE
would be more safe

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig

Re: score sender domains with 4+ chars in TLD?

[RW]

On Sat, 13 Jun 2020 18:44:46 +0100
Martin Gregorie wrote:


> > FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
> >  
> I did wonder how many 4+ character TLDs there are - Can't remember
> when I last saw one, 

As I said I have a list of TLDs that have been seen in my ham and
penalize the others a bit (without regard to length). As I don't put
mailing lists through SA the list is quite short. 

Re: score sender domains with 4+ chars in TLD?

[Martin Gregorie]

On Sat, 2020-06-13 at 15:25 +0100, RW wrote:
> On Sat, 13 Jun 2020 03:10:52 +0100
> Martin Gregorie wrote:
> 
> > You can easily update the rbldnsd zone data (just write/update the
> > > data file, no need to restart spamd) and could create a custom
> > > scoring value based on the DNS data (EG 127.0.0.2 for really
> > > 'good'
> > > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 
> > > for truely spammy names).
> > The advantage of this approach is that if you use a less-than-basic
> > database, i.e. one that allows multiple simultaneous connections,
> > rather than a single connection DBMS like sqlite, you can share it
> > between several SA instances aand use anything from an interactive
> > SQL tool to a mobile app to maintain the blacklist. And there's no
> > need stop anything to update the database content.
> 
> FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
>
I did wonder how many 4+ character TLDs there are - Can't remember when
I last saw one, but my main point was that the sort of setup I described
is easy and pretty quick to set up if you know a bit of Perl and -
equally important - is very easy to replicate for a different spam type
once you've got one running. Its also a lot less of a kludge than the
'portmanteau rules' I use, with maintenance being simple in both cases.

Martin

Re: score sender domains with 4+ chars in TLD?

[RW]

On Sat, 13 Jun 2020 03:10:52 +0100
Martin Gregorie wrote:

> You can easily update the rbldnsd zone data (just write/update the
> > data file, no need to restart spamd) and could create a custom
> > scoring value based on the DNS data (EG 127.0.0.2 for really 'good'
> > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 
> > for truely spammy names).

> The advantage of this approach is that if you use a less-than-basic
> database, i.e. one that allows multiple simultaneous connections,
> rather than a single connection DBMS like sqlite, you can share it
> between several SA instances aand use anything from an interactive
> SQL tool to a mobile app to maintain the blacklist. And there's no
> need stop anything to update the database content.

FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.

Re: score sender domains with 4+ chars in TLD?

[Martin Gregorie]

You can easily update the rbldnsd zone data (just write/update the
> data file, no need to restart spamd) and could create a custom scoring
> value based on the DNS data (EG 127.0.0.2 for really 'good' TLDs,
> 127.0.0.4 for 'so-so' and 127.0.0.8 
> for truely spammy names).
> 
A blocklist system that would be a little harder to write, but MUCH
easier to maintain, would be to put the list in a lightweight database,
e.g. MariaDB, and use a Perl plugin module to interface it to SA. The
easy way to do this is to find a similar Perl plugin and hack it to suit
- thats not hard to do.

The database is dead simple: one table containing one column to hold
unwanted domains/addresses declared as the prime key to index it.
Something like:

create table blacklist
{
   domain  varchar(80) primary key;
};   

The advantage of this approach is that if you use a less-than-basic
database, i.e. one that allows multiple simultaneous connections, rather
than a single connection DBMS like sqlite, you can share it between
several SA instances aand use anything from an interactive SQL tool to a
mobile app to maintain the blacklist. And there's no need stop anything
to update the database content.

Martin



> 
> 
> 
> -- 
> Dave Funk   University of Iowa
>  College of Engineering
> 319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S
> Capitol St.
> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
> #include 
> Better is not better, 'standard' is better. B{

Re: score sender domains with 4+ chars in TLD?

[Benny Pedersen]

On 2020-06-13 03:02, Dave Funk wrote:


This sounds like a perfect application for a custom DNS-bl lookup/list.

Create a local custom rbldnsd server "dnset" zone from a data file
with your blessed TLDs, then a rule doing a rbl check using the
hostname from the From address with custom scoring.

You can easily update the rbldnsd zone data (just write/update the
data file, no need to restart spamd) and could create a custom scoring
value based on the DNS data (EG 127.0.0.2 for really 'good' TLDs,
127.0.0.4 for 'so-so' and 127.0.0.8 for truely spammy names).


https://www.isc.org/blogs/qname-minimization-and-privacy/

lets hope rbldnsd is soon to handle that

i have disabled this breaking dnsbl feature in bind9

Re: score sender domains with 4+ chars in TLD?

[Dave Funk]

On Sat, 13 Jun 2020, RW wrote:


On Fri, 12 Jun 2020 09:22:40 -0400
AJ Weber wrote:


I want to try adding a score for a sender whose address uses a TLD
with  > 3 chars.

I realize there are some legit ones, but I'm going to test it with a
low score and see what it catches.



What I did was grep my mail for TLDs seeen in ham and then create a
rule __NORMAL_TLD

I then score a point for:

__HAS_FROM  && ! __NORMAL_TLD


This probably wont scale well beyond a few users though.


If I were a bit more energetic I'd autogenerate the rule from cron.


This sounds like a perfect application for a custom DNS-bl lookup/list.

Create a local custom rbldnsd server "dnset" zone from a data file with your 
blessed TLDs, then a rule doing a rbl check using the hostname from the From 
address with custom scoring.


You can easily update the rbldnsd zone data (just write/update the data file, no 
need to restart spamd) and could create a custom scoring value based on the DNS 
data (EG 127.0.0.2 for really 'good' TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 
for truely spammy names).





--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{

Re: score sender domains with 4+ chars in TLD?

[RW]

On Fri, 12 Jun 2020 09:22:40 -0400
AJ Weber wrote:

> I want to try adding a score for a sender whose address uses a TLD
> with  > 3 chars.  
> 
> I realize there are some legit ones, but I'm going to test it with a
> low score and see what it catches.


What I did was grep my mail for TLDs seeen in ham and then create a
rule __NORMAL_TLD

I then score a point for:

__HAS_FROM  && ! __NORMAL_TLD


This probably wont scale well beyond a few users though.


If I were a bit more energetic I'd autogenerate the rule from cron.

Re: score sender domains with 4+ chars in TLD?

[AJ Weber]

Cool.  Thanks.


On 6/12/2020 11:04 AM, Kris Deugau wrote:

AJ Weber wrote:
I want to try adding a score for a sender whose address uses a TLD 
with  > 3 chars.


I realize there are some legit ones, but I'm going to test it with a 
low score and see what it catches.


Is it just something like:
header   From =~   /\.\w{4,}$/


You'll probably want to use the :addr specifier to match only on the 
actual address:


header LONG_TLD    From:addr /\.\w{4,}$/

Otherwise your rule won't match much mail at all unless the From: 
header consists of a completely bare email address.


-kgd

Re: score sender domains with 4+ chars in TLD?

[Kris Deugau]

AJ Weber wrote:
I want to try adding a score for a sender whose address uses a TLD with 
 > 3 chars.


I realize there are some legit ones, but I'm going to test it with a low 
score and see what it catches.


Is it just something like:
header   From =~   /\.\w{4,}$/


You'll probably want to use the :addr specifier to match only on the 
actual address:


header LONG_TLDFrom:addr /\.\w{4,}$/

Otherwise your rule won't match much mail at all unless the From: header 
consists of a completely bare email address.


-kgd

Re: Score in subject differs from score in headers

[David Galloway]

On 9/6/19 4:16 PM, Matus UHLAR - fantomas wrote:
 On 9/6/2019 11:45 AM, David Galloway wrote:
> I'm running SpamAssassin 3.4.2 on Ubuntu 16.04 with Postfix and
> Mailman3.
>
> Occasionally, SpamAssassin will rewrite a message's subject with a
> score
> higher than what's in X-Spam-Status.  This is not a rounding issue.
>
> For example, I'm looking at an e-mail now with "* SPAM 5.4
> *" in
> the subject but "X-Spam-Status: No, score=3.2 required=5.0"
>
> AFAIK, there is no instance of SpamAssassin between the mail server
> and
> me that
> could have added the score to the subject.
> 
> On 06.09.19 16:11, David Galloway wrote:
>> I'm not crazy!
> 
>> https://lists.ceph.io/hyperkitty/list/d...@ceph.io/thread/GN3DLKWDIW2NUDO4T4MZG6E5FQEIB7NN/
>>
>>
>> 7.3 in the subject (that my SpamAssassin instance definitely set) and:
>> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on lists.ceph.io
>> X-Spam-Level: *
>> X-Spam-Status: No, score=1.8 required=5.0
>> tests=FREEMAIL_REPLYTO_END_DIGIT,
>> MAILING_LIST_MULTI,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_HELO_NONE,
>> SUBJ_OBFU_PUNCT_FEW,URIBL_BLOCKED autolearn=no autolearn_force=no
>> version=3.4.2
> 
> are you sure you don't process mail two times, when delivering to list and
> when delivering to end-users (you)?
> 

Oof, that is exactly what was happening.  Which leads me to figuring out
why my mailman header filter regex isn't working.

Anyway, thanks for the help!

Re: Score in subject differs from score in headers

[Matus UHLAR - fantomas]

On 9/6/2019 11:45 AM, David Galloway wrote:

I'm running SpamAssassin 3.4.2 on Ubuntu 16.04 with Postfix and Mailman3.

Occasionally, SpamAssassin will rewrite a message's subject with a score
higher than what's in X-Spam-Status.  This is not a rounding issue.

For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
the subject but "X-Spam-Status: No, score=3.2 required=5.0"

AFAIK, there is no instance of SpamAssassin between the mail server and
me that
could have added the score to the subject.


On 06.09.19 16:11, David Galloway wrote:

I'm not crazy!



https://lists.ceph.io/hyperkitty/list/d...@ceph.io/thread/GN3DLKWDIW2NUDO4T4MZG6E5FQEIB7NN/

7.3 in the subject (that my SpamAssassin instance definitely set) and:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on lists.ceph.io
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=FREEMAIL_REPLYTO_END_DIGIT,
MAILING_LIST_MULTI,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_HELO_NONE,
SUBJ_OBFU_PUNCT_FEW,URIBL_BLOCKED autolearn=no autolearn_force=no
version=3.4.2


are you sure you don't process mail two times, when delivering to list and
when delivering to end-users (you)?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.

Re: Score in subject differs from score in headers

[David Galloway]

On 9/6/19 12:06 PM, David Galloway wrote:
> 
> On 9/6/19 12:01 PM, Bowie Bailey wrote:
>> On 9/6/2019 11:45 AM, David Galloway wrote:
>>> Hi,
>>>
>>> I'm running SpamAssassin 3.4.2 on Ubuntu 16.04 with Postfix and Mailman3.
>>>
>>> Occasionally, SpamAssassin will rewrite a message's subject with a score
>>> higher than what's in X-Spam-Status.  This is not a rounding issue.
>>>
>>> For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
>>> the subject but "X-Spam-Status: No, score=3.2 required=5.0"
>>>
>>> AFAIK, there is no instance of SpamAssassin between the mail server and
>>> me that
>>> could have added the score to the subject.
>>
>> The instance of SpamAssassin that changed the subject would have been before 
>> it got
>> to your server.  Since your server does not mark the email as spam, it 
>> doesn't change
>> the subject, and so the previous markup is left there.  If your server had 
>> marked the
>> email as spam, then it would have either changed the number to be correct, 
>> or added a
>> second spam tag to the subject (depending on how smart SA's subject 
>> rewriting routine
>> is).
>>
> 
> I didn't start seeing the subjects being changed until after I enabled
> SpamAssassin on my mail server though.  I don't /think/ I'm crazy but as
> a litmus test, I just added my server's hostname to the rewrite_header
> Subject parameter and will wait for spam to come in.
> 

I'm not crazy!

https://lists.ceph.io/hyperkitty/list/d...@ceph.io/thread/GN3DLKWDIW2NUDO4T4MZG6E5FQEIB7NN/

7.3 in the subject (that my SpamAssassin instance definitely set) and:
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on lists.ceph.io
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=FREEMAIL_REPLYTO_END_DIGIT,
MAILING_LIST_MULTI,RCVD_IN_RP_RNBL,RDNS_NONE,SPF_HELO_NONE,
SUBJ_OBFU_PUNCT_FEW,URIBL_BLOCKED autolearn=no autolearn_force=no
version=3.4.2

Re: Score in subject differs from score in headers

[@lbutlr]

On 6 Sep 2019, at 10:35, Riccardo Alfieri  wrote:
> On 06/09/19 17:45, David Galloway wrote:
> 
>> For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
>> the subject but "X-Spam-Status: No, score=3.2 required=5.0"
> 
> since when does SpamAssassin also writes the scores in the subject? It's a 
> cool feature that I probably missed completely 

Since forever? Nearly forever?

I used to use (Spam? _SCORE_) when I tagged subjects. I no longer do that. I do 
not recommend that anyone do that, it causes more trouble than it’s worth.

(I am pretty sure that is the syntax, it’s been a number of years).

As for your issue, I suspect you are double processing mail (been there, done 
that, have the t-shirt) and that one process is applying the higher score to 
the subject.



-- 
You've never heard of the Millennium Falcon?

Re: Score in subject differs from score in headers

[Riccardo Alfieri]

On 06/09/19 19:36, Bill Cole wrote:



Since pretty much forever, IF it is told to do so...

See the documentation of 'rewrite_header' in 'perldoc 
Mail::SpamAssassin::Conf'



Thanks for pointing that out, I never realized template tags could be 
used on the subject rewriting too.


I guess my fault was/is using SA with amavisd, that redefines subject 
rewriting in it's own way (maybe it could add scores in subject too out 
of the box? Don't know, better RTFM ;) )


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/

Re: Score in subject differs from score in headers

[Bill Cole]

On 6 Sep 2019, at 12:35, Riccardo Alfieri wrote:


On 06/09/19 17:45, David Galloway wrote:

For example, I'm looking at an e-mail now with "* SPAM 5.4 *" 
in

the subject but "X-Spam-Status: No, score=3.2 required=5.0"


Hi,

since when does SpamAssassin also writes the scores in the subject?


Since pretty much forever, IF it is told to do so...

See the documentation of 'rewrite_header' in 'perldoc 
Mail::SpamAssassin::Conf'


The entire 'rewrite_header' feature is generally a bad idea but people 
like it so it has survived.



It's a cool feature that I probably missed completely :)


It's really not a cool feature. Breaking signatures is obnoxious.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Score in subject differs from score in headers

[Riccardo Alfieri]

On 06/09/19 17:45, David Galloway wrote:


For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
the subject but "X-Spam-Status: No, score=3.2 required=5.0"


Hi,

since when does SpamAssassin also writes the scores in the subject? It's 
a cool feature that I probably missed completely :)


--
Best regards,
Riccardo Alfieri

Spamhaus Technology
https://www.spamhaustech.com/

Re: Score in subject differs from score in headers

[David Galloway]

On 9/6/19 12:01 PM, Bowie Bailey wrote:
> On 9/6/2019 11:45 AM, David Galloway wrote:
>> Hi,
>>
>> I'm running SpamAssassin 3.4.2 on Ubuntu 16.04 with Postfix and Mailman3.
>>
>> Occasionally, SpamAssassin will rewrite a message's subject with a score
>> higher than what's in X-Spam-Status.  This is not a rounding issue.
>>
>> For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
>> the subject but "X-Spam-Status: No, score=3.2 required=5.0"
>>
>> AFAIK, there is no instance of SpamAssassin between the mail server and
>> me that
>> could have added the score to the subject.
> 
> The instance of SpamAssassin that changed the subject would have been before 
> it got
> to your server.  Since your server does not mark the email as spam, it 
> doesn't change
> the subject, and so the previous markup is left there.  If your server had 
> marked the
> email as spam, then it would have either changed the number to be correct, or 
> added a
> second spam tag to the subject (depending on how smart SA's subject rewriting 
> routine
> is).
> 

I didn't start seeing the subjects being changed until after I enabled
SpamAssassin on my mail server though.  I don't /think/ I'm crazy but as
a litmus test, I just added my server's hostname to the rewrite_header
Subject parameter and will wait for spam to come in.

Re: Score in subject differs from score in headers

[Bowie Bailey]

On 9/6/2019 11:45 AM, David Galloway wrote:
> Hi,
>
> I'm running SpamAssassin 3.4.2 on Ubuntu 16.04 with Postfix and Mailman3.
>
> Occasionally, SpamAssassin will rewrite a message's subject with a score
> higher than what's in X-Spam-Status.  This is not a rounding issue.
>
> For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
> the subject but "X-Spam-Status: No, score=3.2 required=5.0"
>
> AFAIK, there is no instance of SpamAssassin between the mail server and
> me that
> could have added the score to the subject.

The instance of SpamAssassin that changed the subject would have been before it 
got
to your server.  Since your server does not mark the email as spam, it doesn't 
change
the subject, and so the previous markup is left there.  If your server had 
marked the
email as spam, then it would have either changed the number to be correct, or 
added a
second spam tag to the subject (depending on how smart SA's subject rewriting 
routine
is).

-- 
Bowie

Re: Score in subject differs from score in headers

[Matus UHLAR - fantomas]

On 06.09.19 11:45, David Galloway wrote:

I'm running SpamAssassin 3.4.2 on Ubuntu 16.04 with Postfix and Mailman3.

Occasionally, SpamAssassin will rewrite a message's subject with a score
higher than what's in X-Spam-Status.  This is not a rounding issue.

For example, I'm looking at an e-mail now with "* SPAM 5.4 *" in
the subject but "X-Spam-Status: No, score=3.2 required=5.0"


it's always possible that subject was there before your SA kicked in.
btw. I recommend not changing subject in SA.


AFAIK, there is no instance of SpamAssassin between the mail server and
me that
could have added the score to the subject.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901

Re: Score from command line is different from the one in the webmail

[daniel_1983]

Thanks Mathus, I think this was the case. After running spamassassin -D as 
suggested in #spamassassin, DNS responses were mainly NXDOMAIN. I have put DNS 
related output in this gist : 

https://gist.githubusercontent.com/ychaouche/b412a7e5cb4c9501365c010734045eb9/raw/c3a69d7bf7dfdfe1d987489a15196488245d3b16/gistfile1.txt




​Sent with ProtonMail Secure Email.​

‐‐‐ Original Message ‐‐‐

On July 15, 2018 4:12 PM, Matus UHLAR - fantomas  wrote:

> On 15.07.18 07:41, daniel_1...@protonmail.com wrote:
> 
> > X-Spam-Status: No, score=2.621 tagged_above=-999 required=5
> > 
> > tests=[HTML_IMAGE_ONLY_08=1.781, HTML_IMAGE_RATIO_08=0.001,
> > 
> > HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_1=0.139,
> > 
> > MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLACK=1.7]
> > 
> > autolearn=no autolearn_force=no
> 
> > At the end of X-Spam-Status, you can see URIBL_BLACK=1.7
> 
> > But when I scan the mail from the command line I have a different score of 
> > only 0.9 and no URIBL_BLACK match :
> 
> it's quite common that some blacklist appear/disappear when checking the
> 
> same mail after some time.
> 
> > Why do I have different scores and how do I get same score on both 
> > configurations ?
> 
> you can't get the same score when the URI is not in blacklist anymore.
> 
> 
> --
> 
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> 
> Warning: I wish NOT to receive e-mail advertising to this address.
> 
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> 
> Nothing is fool-proof to a talented fool.

Re: Score from command line is different from the one in the webmail

[Matus UHLAR - fantomas]

On 15.07.18 07:41, daniel_1...@protonmail.com wrote:

X-Spam-Status: No, score=2.621 tagged_above=-999 required=5
   tests=[HTML_IMAGE_ONLY_08=1.781, HTML_IMAGE_RATIO_08=0.001,
   HTML_MESSAGE=0.001, HTML_SHORT_LINK_IMG_1=0.139,
   MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLACK=1.7]
   autolearn=no autolearn_force=no



At the end of X-Spam-Status, you can see URIBL_BLACK=1.7



But when I scan the mail from the command line I have a different score of only 
0.9 and no URIBL_BLACK match :


it's quite common that some blacklist appear/disappear when checking the
same mail after some time.


Why do I have different scores and how do I get same score on both 
configurations ?


you can't get the same score when the URI is not in blacklist anymore.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool. 

Re: Score from command line is different from the one in the webmail

[Benny Pedersen]

daniel_1...@protonmail.com skrev den 2018-07-15 15:59:


Postfix is run under postfix


+1


Amavis is run under user amavis


+1


I don't really know how spamassassin is run ?


only root can drop priveledges


maybe it's loaded as a
library from amavis itself ?


yes amavis loads perl modules of spamassaasin so spamassassin runs as 
amavis system user

Re: Score from command line is different from the one in the webmail

[daniel_1983]

On July 15, 2018 12:57 PM, Antony Stone 
 wrote:

> On Sunday 15 July 2018 at 13:41:34, daniel_1...@protonmail.com wrote:
> > I am running spamassassin through amavis as a content filter for postfix.
> 
> Which user/s do those processes run as?
> 

Postfix is run under postfix
Amavis is run under user amavis
I don't really know how spamassassin is run ? maybe it's loaded as a library 
from amavis itself ? 

root@messagerie[10.10.10.19] /etc/postfix # lsof -u amavis | grep spam
/usr/sbin  1428 amavis  memREG8,6   750728671620 
/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
/usr/sbin 25702 amavis  memREG8,6   750728671620 
/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
/usr/sbin 28419 amavis  memREG8,6   750728671620 
/var/lib/spamassassin/compiled/5.020/3.004000/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so
root@messagerie[10.10.10.19] /etc/postfix # 


Here's the score as user amavis (I had to create a copy of the file in /tmp/ 
and make it world readable, because the owner is vmail, the user under which 
dovecot runs) :

root@messagerie[10.10.10.19] /var/vmail/mydomain/a.chaouche/.Junk/cur # su 
amavis -c 'spamassassin -dt < /tmp/mailfrancoise'
[...]
Spam detection software, running on the system "messagerie-prep",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  It's incredibly confusing and drives me on simultaneously.
   Watch until I removed it from the access. Unsubscribe It's incredibly 
confusing
   and drives me on simultaneously. Watch until I removed it from the access.
   [...] 

Content analysis details:   (0.9 points, 5.0 required)

 pts rule name  description
 -- --
 0.0 HTML_IMAGE_RATIO_08BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE   BODY: HTML included in message
 1.8 HTML_IMAGE_ONLY_08 BODY: HTML: images with 400-800 bytes of words
 0.1 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
-1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list
manager

Re: Score from command line is different from the one in the webmail

[Antony Stone]

On Sunday 15 July 2018 at 13:41:34, daniel_1...@protonmail.com wrote:

> Dear list,
> 
> I am running spamassassin through amavis as a content filter for postfix.

Which user/s do those processes run as?

> But when I scan the mail from the command line I have a different score of
> only 0.9 and no URIBL_BLACK match :
> 
> root@messagerie

So, you test the message as root (which I seriously hope is not the user your 
MTA and SA are being run as during normal mail processing).

> Why do I have different scores and how do I get same score on both
> configurations ?

Try running the SA check as the correct user; if the scores and tests are 
still different, feel free to report back here.

Regards,


Antony.

-- 
What do you call a dinosaur with only one eye?  A Doyouthinkesaurus.

   Please reply to the list;
 please *don't* CC me.

Re: score senders without abuse RR

[Benny Pedersen]

Rupert Gallagher skrev den 2018-05-08 11:24:

While reading from RIPE below, I recollected numerous cases of spam
from domains without own abuse RR. I then remembered making a mental
note about writing a SA rule for it, and now realise I just forgot
about it.

Is anybody using one such rule already?

https://www.ripe.net/support/abuse


http://rfc-clueless.org

i dont know if its maintained or not

i miss rfc-ignorant, it was good when it worked

sendmail -bv postmaster@sender-domain

and parse later postfix mails about it

Re: score senders without abuse RR

[Rupert Gallagher]

Ok there is a deprecated rule, which did not do much, as it just queried a 
dnsbl.

https://wiki.apache.org/spamassassin/Rules/DNS_FROM_RFC_ABUSE

On Tue, May 8, 2018 at 11:24, Rupert Gallagher  wrote:

> While reading from RIPE below, I recollected numerous cases of spam from 
> domains without own abuse RR. I then remembered making a mental note about 
> writing a SA rule for it, and now realise I just forgot about it.
>
> Is anybody using one such rule already?
>
> https://www.ripe.net/support/abuse

Re: Score maths

[Geoff Soper]

Hi Tom,
Thanks for your explanation, I hadn't appreciated that there was higher 
precision being hidden. 

Thanks,
Geoff

> On 25 Apr 2017, at 09:39, Tom Hendrikx  wrote:
> 
> Hoi Geoff,
> 
> The scores actually have a precision of 3 numerals after the dot. The
> actual score of NO_RELAYS = -0.001. While rounding would still give you
> 3.0 as final score for this message, the actual score is below 3.
> 
> When you would have a ham/spam threshold at exactly 3, and the final
> score would say '3.0', you would be asking why a message with score 3
> wasn't blocked. So the 2.9 indicates that it's not 3 ;)
> 
> Kind regards,
> 
>Tom
> 
>> On 25-04-17 10:27, Geoff Soper wrote:
>> X-Spam-Status: No, Score=2.9
>> 
>> X-Spam-Report:
>> 
>> * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
>> 
>> * 3.0 GS_NO_RLYS_PHP No description available.
>> 
>> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
>> 
>> server.alphaworks.co.uk 
>> 
>> 
>> Can anyone explain why this isn't scoring 3.0?
>> 
>> :)
>> 
> 

Re: Score maths

[Tom Hendrikx]

Hoi Geoff,

The scores actually have a precision of 3 numerals after the dot. The
actual score of NO_RELAYS = -0.001. While rounding would still give you
3.0 as final score for this message, the actual score is below 3.

When you would have a ham/spam threshold at exactly 3, and the final
score would say '3.0', you would be asking why a message with score 3
wasn't blocked. So the 2.9 indicates that it's not 3 ;)

Kind regards,

Tom

On 25-04-17 10:27, Geoff Soper wrote:
> X-Spam-Status: No, Score=2.9
> 
> X-Spam-Report:
> 
> * -0.0 NO_RELAYS Informational: message was not relayed via SMTP
> 
> * 3.0 GS_NO_RLYS_PHP No description available.
> 
> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
> 
> server.alphaworks.co.uk 
> 
> 
> Can anyone explain why this isn't scoring 3.0?
> 
> :)
> 

Re: Score maths

[Benny Pedersen]

Geoff Soper skrev den 2017-04-25 10:27:


Can anyone explain why this isn't scoring 3.0?


take your calculator:

1000/3 = ?

if you take that results with a good calculator and * 3 it will say 1000 
as a result, but most cheap ones say 999 :=)


where did that 1 go ?

Re: Score maths

[Markus Clardy]

A score of -0.0 is actually not 0, it is something like -0.01 (or smaller).

If it had a score of actual 0, it wouldn't trigger.

As such, due to rounding, it ends up becoming 2.9, instead of 3.

On 04/25/2017 09:27 AM, Geoff Soper wrote:


X-Spam-Status: No, Score=2.9

X-Spam-Report:

* -0.0 NO_RELAYS Informational: message was not relayed via SMTP

* 3.0 GS_NO_RLYS_PHP No description available.

X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on

server.alphaworks.co.uk 


Can anyone explain why this isn't scoring 3.0?

:)

Re: Score Assignment

[RW]

On Sun, 28 Feb 2016 12:53:31 -0500
Roman Gelfand wrote:

> Consider the following header
> 
> X-Spam-Status: No, score=4.4 required=5.0
> tests=AWL,BAYES_99,BAYES_999,
> DCC_CHECK,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,
> RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.2
> 
> 
> Where the scores configured for the above test?  Also, if there is a
> command that would show the running scores for these tests.

Note that the configured scores may have been changed by the time you
look them  up.

You might find it useful to add this to your config:


add_header all Report _REPORT_


Alternately if you don't want to add another header, you can redefine
X-Spam-Status to show the scores with:


add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSCORES_ 
autolearn=_AUTOLEARN_ version=_VERSION_

Re: Score Assignment

[Reindl Harald]

Am 28.02.2016 um 18:53 schrieb Roman Gelfand:

Consider the following header

X-Spam-Status: No, score=4.4 required=5.0 tests=AWL,BAYES_99,BAYES_999,
DCC_CHECK,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,
RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=no version=3.3.2


Where the scores configured for the above test?  Also, if there is a command 
that would show the running scores for these tests.



[root@mail-gw:~]$ sa-score.sh SPF_PASS
/usr/share/spamassassin
score SPF_PASS -0.001

/var/lib/spamassassin/3.004001/updates_spamassassin_org
score SPF_PASS -0.001

/etc/mail/spamassassin/local-*.cf
score SPF_PASS -0.05
_

[root@mail-gw:~]$ cat /usr/local/bin/sa-score.sh
#!/usr/bin/bash

su -c "/usr/bin/bash /usr/local/bin/workers/sa-score.sh $1" - sa-milt
[root@mail-gw:~]$ cat /usr/local/bin/workers/sa-score.sh
_

#!/usr/bin/bash

UPDATE_DIR="/var/lib/spamassassin/3.004001/updates_spamassassin_org"

echo "/usr/share/spamassassin"
cat /usr/share/spamassassin/*.cf | grep --text "score" | grep --text -v 
-P '^#' | grep --text --color "$1"

echo ""

echo "$UPDATE_DIR"
cat $UPDATE_DIR/*.cf | grep --text "score" | grep --text -v -P '^#' | 
grep --text --color "$1"

echo ""

echo "/etc/mail/spamassassin/local-*.cf"
cat /etc/mail/spamassassin/local*.cf | grep --text "score" | grep --text 
-v -P '^#' | grep --text --color "$1"




signature.asc
Description: OpenPGP digital signature

Re: score=19.9 points, tflags=autolearn_force; = autolearn=no autolearn_force=no; WTF?

[Kevin A. McGrail]

On 4/21/2015 11:48 PM, David B Funk wrote:

I've got some home-grown rules that I trust to which have added
tflags autolearn_force

Recently I've seen some spam that hit those rules and racked up enough
points that they should have auto-learned. But the scoring analysis
explicitly says autolearn=no autolearn_force=no.

What's going on here?
Different rules are categorized differently and you likely aren't 
hitting the requirements:


The score threshold above which a mail has to score, to be fed into
SpamAssassin's learning systems automatically as a spam message.

Note: SpamAssassin requires at least 3 points from the header, and 3
points from the body to auto-learn as spam.  Therefore, the minimum
working value for this option is 6.

If the test option autolearn_force is set, the minimum value will
remain at 6 points but there is no requirement that the points come
from body and header rules.  This option is useful for autolearning
with rules that are considered to be extremely safe indicators of
the spaminess of a message.


is the autolearn_force being ignored because of the initial BAYES_00
score? Is there a 'autolearn_force_yes_I_really_mean_it' tflag that
can be used to overcome that inhibition?



I'd run with debug and look for these debugs:

 dbg(learn: auto-learn: autolearn_force flagged for a rule. 
Removing seperate body and head point threshold.  Body Only Points: 
$body_only_points ($required_body_points req'd) / Head Only Points: 
$head_only_points ($required_head_points req'd));
  dbg(learn: auto-learn: autolearn_force flagged because of 
rule(s): $force_autolearn_names);

} else {
  dbg(learn: auto-learn: autolearn_force not flagged for a rule. 
Body Only Points: $body_only_points ($required_body_points req'd) / Head 
Only Points: $head_only_points ($required_head_points req'd));

}

regards,
KAM

Re: score=19.9 points, tflags=autolearn_force; = autolearn=no autolearn_force=no; WTF?

[RW]

On Tue, 21 Apr 2015 22:48:46 -0500 (CDT)
David B Funk wrote:

 
 is the autolearn_force being ignored because of the initial BAYES_00
 score? 

Yes, a Bayes point in the opposite direction prevents auto-training.
All the force flag does is override the 3+3 rule. 

 Is there a 'autolearn_force_yes_I_really_mean_it' tflag that
 can be used to overcome that inhibition?

Not as such, but it is possible to get that behaviour by transferring
the score of BAYES_00 into two mutually exclusive meta-rules, one marked
learn, and the other noautolearn. The former will retain the
sanity-check and the latter wont.

Re: Score Ignored

[Bowie Bailey]

On 10/8/2014 5:03 PM, Axb wrote:

On 10/08/2014 10:48 PM, Robert A. Ober wrote:

On 9/22/14 4:20 PM, RW wrote:

On Mon, 22 Sep 2014 15:11:44 -0500
Robert A. Ober wrote:



*Yes,  my test messages and SPAM hit the rules but ignore the score.*

What score does it have?

Could it be that the score got set after spamd was restarted?

__

What is the easiest way to know what score is applied per rule? Neither
the server log nor the header breaks it down.

I think the SA's docs show you how

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt


TEMPLATE TAGS

_REPORT_  terse report of tests hit (for header reports)

put this in you local.cf :

add_header all Report _REPORT_

iirc, this will add a nice  X-Spam-Report:  header with a list of rules
AND scores.


This should already be the default for messages marked as spam.  The 
line above will add the report to ham messages as well.


--
Bowie

Re: Score Ignored

[Axb]

On 10/09/2014 03:30 PM, Bowie Bailey wrote:

On 10/8/2014 5:03 PM, Axb wrote:

On 10/08/2014 10:48 PM, Robert A. Ober wrote:

On 9/22/14 4:20 PM, RW wrote:

On Mon, 22 Sep 2014 15:11:44 -0500
Robert A. Ober wrote:



*Yes,  my test messages and SPAM hit the rules but ignore the score.*

What score does it have?

Could it be that the score got set after spamd was restarted?

__

What is the easiest way to know what score is applied per rule? Neither
the server log nor the header breaks it down.

I think the SA's docs show you how

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt


TEMPLATE TAGS

_REPORT_  terse report of tests hit (for header reports)

put this in you local.cf :

add_header all Report _REPORT_

iirc, this will add a nice  X-Spam-Report:  header with a list of rules
AND scores.


This should already be the default for messages marked as spam.  The
line above will add the report to ham messages as well.


I don't see that in the default templates in 10_default_prefs.cf
am I missing something? blind?

if you use report_safe 0 does it really add the full reports?

It's been years since I've used an aboslutely default SA.

Re: Score Ignored

[Bowie Bailey]

On 10/9/2014 9:40 AM, Axb wrote:

On 10/09/2014 03:30 PM, Bowie Bailey wrote:

On 10/8/2014 5:03 PM, Axb wrote:

On 10/08/2014 10:48 PM, Robert A. Ober wrote:

On 9/22/14 4:20 PM, RW wrote:

On Mon, 22 Sep 2014 15:11:44 -0500
Robert A. Ober wrote:



*Yes,  my test messages and SPAM hit the rules but ignore the score.*

What score does it have?

Could it be that the score got set after spamd was restarted?

__

What is the easiest way to know what score is applied per rule? Neither
the server log nor the header breaks it down.

I think the SA's docs show you how

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt


TEMPLATE TAGS

_REPORT_  terse report of tests hit (for header reports)

put this in you local.cf :

add_header all Report _REPORT_

iirc, this will add a nice  X-Spam-Report:  header with a list of rules
AND scores.

This should already be the default for messages marked as spam.  The
line above will add the report to ham messages as well.

I don't see that in the default templates in 10_default_prefs.cf
am I missing something? blind?

if you use report_safe 0 does it really add the full reports?

It's been years since I've used an aboslutely default SA.


I don't know where you would find it in the templates.  I just know that 
by default, SA adds an X-Spam-Report header to spam.  It looks like this 
(blacklisted ip addresses removed to avoid spam filters):


X-Spam-Report:
*  0.8 RCVD_IN_SORBS_WEB RBL: SORBS: sender is an abusable web server
*  [xx.xx.xx.xx listed in dnsbl.sorbs.net]
* -1.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3)
*  [xx.xx.xx.xx listed in wl.mailspike.net]
*  2.0 BAYES_80 BODY: Bayes spam probability is 80 to 95%
*  [score: 0.8911]
*  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
*  valid
* -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
*  0.0 TVD_SPACE_RATIO No description available.
*  0.8 BODY_URI_ONLY Message body is only a URI in one line of text 
or for

*  an image
*  2.8 TVD_SPACE_RATIO_MINFP No description available.
*  0.2 AWL AWL: From: address is in the auto white-list

Ah!  Apparently, this is only done with a setting of report_safe 0.

From the report_safe section of the Mail::SpamAssassin::Conf man page:
If this option is set to 0, incoming spam is only modified by 
adding some X-Spam- headers
and no changes will be made to the body.  In addition, a header 
named X-Spam-Report will be

added to spam.

The line:
add_header all Report _REPORT_
will add this header to all messages regardless of spam status.

--
Bowie

Re: Score Ignored

[Robert A. Ober]

On 9/22/14 4:20 PM, RW wrote:

On Mon, 22 Sep 2014 15:11:44 -0500
Robert A. Ober wrote:



*Yes,  my test messages and SPAM hit the rules but ignore the score.*

What score does it have?

Could it be that the score got set after spamd was restarted?

__

What is the easiest way to know what score is applied per rule? Neither 
the server log nor the header breaks it down.


Not sure what you mean by the score set after spamd was restarted. Don't 
know how that would happen.


To answer earlier ideas/questions,  I have retyped and the rules are not 
duplicated.


Baffled and annoyed,
Robert A. Ober

Re: Score Ignored

[Axb]

On 10/08/2014 10:48 PM, Robert A. Ober wrote:

On 9/22/14 4:20 PM, RW wrote:

On Mon, 22 Sep 2014 15:11:44 -0500
Robert A. Ober wrote:



*Yes,  my test messages and SPAM hit the rules but ignore the score.*

What score does it have?

Could it be that the score got set after spamd was restarted?

__

What is the easiest way to know what score is applied per rule? Neither
the server log nor the header breaks it down.


I think the SA's docs show you how

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.txt


TEMPLATE TAGS


_REPORT_  terse report of tests hit (for header reports)

put this in you local.cf :

add_header all Report _REPORT_

iirc, this will add a nice  X-Spam-Report:  header with a list of rules 
AND scores.


and when in doubt, rtfm:
http://spamassassin.apache.org/full/3.4.x/doc/
and/or in the local box via perldoc spamassassin

Re: Score Ignored

[Karsten Bräckelmann]

On Wed, 2014-10-08 at 15:48 -0500, Robert A. Ober wrote:
  On Mon, 22 Sep 2014 15:11:44 -0500 Robert A. Ober wrote:

   *Yes,  my test messages and SPAM hit the rules but ignore the score.*

 What is the easiest way to know what score is applied per rule? Neither 
 the server log nor the header breaks it down.

Wait. If there's no Report, if you do not have the list of rules hit and
its respective scores, how do you tell your custom rule's score is
ignored by SA?


Besides the Report as mentioned by Axb already, you also can modify the
default Status header to include per-rule scores.

add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ 
tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_ version=_VERSION_


-- 
char *t=\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Score Ignored

[Alex Regan]

This working elsewhere for me but on my own server the score for the
rules I wrote are being ignored.  Example rule:

header SUBJECT_NOTIFICATION  Subject =~ /\bNotification\b/i
score  SUBJECT_NOTIFICATION  3.0

Spamd uses the rule but does not apply the score.  I am on 3.3.2 on
Mageia 3 with Postfix and Procmail.


What file do you have this rule stored in? Are you sure it's being read 
on start-up?


Have you tried to lint your rules?

# spamassassin --lint

Use spamassassin -t -D  myfile 21 |less and read through the debug 
output for any possible errors and a reference to your cf file.


Regards,
Alex





Any ideas?

Thanks,
Robert A. Ober*

--
Folks,
Please be aware that I am not always watching email so text me
or go old school and call me at 281-772-3596 if you need help within a few 
hours.

Re: Score Ignored

[Robert A. Ober]

On 9/22/14, 12:56 PM, Alex Regan wrote:



This working elsewhere for me but on my own server the score for the
rules I wrote are being ignored.  Example rule:

header SUBJECT_NOTIFICATION  Subject =~ /\bNotification\b/i
score  SUBJECT_NOTIFICATION  3.0

Spamd uses the rule but does not apply the score.  I am on 3.3.2 on
Mageia 3 with Postfix and Procmail.


What file do you have this rule stored in?

__

*local.cf*

Are you sure it's being read on start-up?


_

*Yes,  my test messages and SPAM hit the rules but ignore the score.*


Have you tried to lint your rules?

# spamassassin --lint

_

*That gave me a bunch of redefined errors in IP.pm so I am updating that.*


Use spamassassin -t -D  myfile 21 |less and read through the 
debug output for any possible errors and a reference to your cf file.

__

*So that is fun;-)  Lots to read.   Anyway,  what is to be substituted 
for myfile?  A test message?The local.cf?**

**
**Thanks Much,**
**Robert A. Ober*

Re: Score Ignored

[Bowie Bailey]

On 9/22/2014 4:11 PM, Robert A. Ober wrote:




header SUBJECT_NOTIFICATION  Subject =~ /\bNotification\b/i
score  SUBJECT_NOTIFICATION  3.0


*Yes,  my test messages and SPAM hit the rules but ignore the score.*


Double-check your rule and score lines for any minor typos -- 
particularly in the name of the rule.


--
Bowie

Re: Score Ignored

[David B Funk]

On Mon, 22 Sep 2014, Bowie Bailey wrote:


On 9/22/2014 4:11 PM, Robert A. Ober wrote:




header SUBJECT_NOTIFICATION  Subject =~ /\bNotification\b/i
score  SUBJECT_NOTIFICATION  3.0


*Yes,  my test messages and SPAM hit the rules but ignore the score.*


Double-check your rule and score lines for any minor typos -- particularly in 
the name of the rule.


AND make sure you don't have a subsequent rule that has the same name.
The rule parsing system says last man wins so if there's a subsquent
rule (either in that same file or in another file that is included later
in the parsing process) with the same name it will over-ride your
rule in question.


--
Dave Funk  University of Iowa
dbfunk (at) engineering.uiowa.eduCollege of Engineering
319/335-5751   FAX: 319/384-0549   1256 Seamans Center
Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{

Re: Score Ignored

[RW]

On Mon, 22 Sep 2014 15:11:44 -0500
Robert A. Ober wrote:


 *Yes,  my test messages and SPAM hit the rules but ignore the score.*

What score does it have?

Could it be that the score got set after spamd was restarted?

Re: Score Problem

[John Hardin]

On Wed, 14 May 2014, Bowie Bailey wrote:


On 5/13/2014 6:55 PM, John Hardin wrote:

 On Tue, 13 May 2014, M. Rodrigo Monteiro wrote:

  Below is my SA.
  The problem is that the score is 0.0, but in the debug log has got 
  hit.

  What am I missing?
 Rules whose names begin with two underscores do not contribute to the
 score. You'd need something like:

 meta   SCORED_RULE__UNSCORED_RULE_1  __UNSCORED_RULE_2
 score  SCORED_RULE2.00


Or simply remove the underscores from the start of the name if you want them 
to act (and be scored) as normal rules.


Bear in mind, though, that if you meta some scored rules together into 
another scored rule, the matching text can add to the message's score 
more than once.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Windows Genuine Advantage (WGA) means that now you use your
  computer at the sufferance of Microsoft Corporation. They can
  kill it remotely without your consent at any time for any reason;
  it also shuts down in sympathy when the servers at Microsoft crash.
---
 713 days since the first successful private support mission to ISS (SpaceX)

Re: Score Problem

[Bowie Bailey]

On 5/13/2014 6:55 PM, John Hardin wrote:

On Tue, 13 May 2014, M. Rodrigo Monteiro wrote:


Below is my SA.
The problem is that the score is 0.0, but in the debug log has got hit.
What am I missing?

Rules whose names begin with two underscores do not contribute to the
score. You'd need something like:

meta   SCORED_RULE__UNSCORED_RULE_1  __UNSCORED_RULE_2
score  SCORED_RULE2.00


Or simply remove the underscores from the start of the name if you want 
them to act (and be scored) as normal rules.


--
Bowie

Re: Score Problem

[Toni Schornböck]

M. Rodrigo Monteiro fale...@rodrigomonteiro.net schrieb am 13. Mai
2014 um 20:43 +0200:
The problem is that the score is 0.0, but in the debug log has got hit.
What am I missing?

http://wiki.apache.org/spamassassin/WritingRules
states
rules starting with a double underscore are evaluated with no score, and
are intended for use in meta rules where you don't want the sub-rules to
have a score. 

Re: Score Problem

[Benny Pedersen]

M. Rodrigo Monteiro skrev den 2014-05-13 20:43:

The problem is that the score is 0.0, but in the debug log has got
hit. What am I missing?


remove __ on the meta rules, then it works

ok:

meta foo (__bar  __bare)

not ok:

meta __foo (__bar  __bare)

rules begining with __ cant have scores assigned


AVISO LEGAL


parasol


LEGAL ADVICE


public maillist this does not make sense here

Re: Score Problem

[John Hardin]

On Tue, 13 May 2014, M. Rodrigo Monteiro wrote:


Below is my SA.
The problem is that the score is 0.0, but in the debug log has got hit.
What am I missing?


Rules whose names begin with two underscores do not contribute to the 
score. You'd need something like:


meta   SCORED_RULE__UNSCORED_RULE_1  __UNSCORED_RULE_2
score  SCORED_RULE2.00



--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Teach a man to fish, and he'll eat for life.
  Give him someone else's fish, and he'll vote for you.
---
 712 days since the first successful private support mission to ISS (SpaceX)

Re: Score = 4.9

[RW]

On Sat, 14 Sep 2013 07:24:31 -0400
Joe Acquisto-j4 wrote:

 I've been having various issues with changes to local.cf not taking.
 
 Seem to have resolved these, yet there is one more issue that
 troubles.  (mostly typos apparently, BTW)
 
 So today, after getting changes to BAYES weights to take, I found
 some SPAM gets thru anyway as the score come up short, in my
 arithmetic.  4.9 and not 5.0.   Does it have to do with the -  in
 front of some tests?

Yes the displayed scores are all rounded.

Re: Score = 4.9

[Joe Acquisto-j4]

 On 9/14/2013 at 7:40 AM, RW rwmailli...@googlemail.com wrote:

On Sat, 14 Sep 2013 07:24:31 -0400
Joe Acquisto-j4 wrote:

 I've been having various issues with changes to local.cf not taking.
 
 Seem to have resolved these, yet there is one more issue that
 troubles.  (mostly typos apparently, BTW)
 
 So today, after getting changes to BAYES weights to take, I found
 some SPAM gets thru anyway as the score come up short, in my
 arithmetic.  4.9 and not 5.0.   Does it have to do with the -  in
 front of some tests?

Yes the displayed scores are all rounded.
Yet, just now, I got this:
(which apparently did not round the same way ?? Just trying to understand)
 
X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
 SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.2
X-Spam-Report: 
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  3.0 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 *  [score: 0.5131]


 

Re: Score = 4.9

[Kevin A. McGrail]

On 9/14/2013 7:24 AM, Joe Acquisto-j4 wrote:

I've been having various issues with changes to local.cf not taking.

Seem to have resolved these, yet there is one more issue that troubles.  
(mostly typos apparently, BTW)

So today, after getting changes to BAYES weights to take, I found some SPAM 
gets thru anyway as the
score come up short, in my arithmetic.  4.9 and not 5.0.   Does it have to do with the 
-  in front of some tests?

You will see  below what I mean:

-

X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on open-122
X-Spam-Level: 
X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.2
X-Spam-Report:
*  5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
*  [score: 1.]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message
-

Hi Joe,

It likely has to do with rounding.  That 5.0 is likely a 4.999 or 
something.  So there is floor/ceiling silliness that isn't really 
apparent from the reports.  I think there are also scenarios where the 
rounding / display is done differently and I unified that code in the 
trunk a year or so ago.


Regards,
KAM

Re: Score = 4.9

[Matus UHLAR - fantomas]

On 14.09.13 08:12, Joe Acquisto-j4 wrote:

Yes the displayed scores are all rounded.
Yet, just now, I got this:
(which apparently did not round the same way ?? Just trying to understand)

X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.2
X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  3.0 BAYES_50 BODY: Bayes spam probability is 40 to 60%
*  [score: 0.5131]


did you modify your BAYES scores? Please show us how?

what I've got from SA updates:

score BAYES_50  0  0  2.00.8
score BAYES_99  0  0  3.83.5

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe. 

Re: Score = 4.9

[Joe Acquisto-j4]

 On 9/14/2013 at 11:24 AM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

On 14.09.13 08:12, Joe Acquisto-j4 wrote:
Yes the displayed scores are all rounded.
Yet, just now, I got this:
(which apparently did not round the same way ?? Just trying to understand)

X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
 SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.2
X-Spam-Report:
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  3.0 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 *   [score: 0.5131]

did you modify your BAYES scores? Please show us how?

what I've got from SA updates:

score BAYES_50  0  0  2.00.8
score BAYES_99  0  0  3.83.5

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe. 

in local.cf (for example)
 
score BAYES_99  5.0
 
Are there other values to state?  I don't know what the others are for.
 
joe a.
 

 

Re: Score = 4.9

[Joe Acquisto-j4]

 On 9/14/2013 at 10:47 AM, Kevin A. McGrail kmcgr...@pccc.com wrote:

On 9/14/2013 7:24 AM, Joe Acquisto-j4 wrote:
 I've been having various issues with changes to local.cf not taking.

 Seem to have resolved these, yet there is one more issue that troubles.  
 (mostly typos apparently, BTW)

 So today, after getting changes to BAYES weights to take, I found some SPAM 
 gets thru anyway as the
 score come up short, in my arithmetic.  4.9 and not 5.0.   Does it have to do 
 with the -  in front of some tests?

 You will see  below what I mean:

 -

 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on open-122
 X-Spam-Level: 
 X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_99,HTML_MESSAGE,
   SPF_HELO_PASS,SPF_PASS autolearn=no version=3.3.2
 X-Spam-Report:
   *  5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
   * [score: 1.]
   * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
   * -0.0 SPF_PASS SPF: sender matches SPF record
   *  0.0 HTML_MESSAGE BODY: HTML included in message
 -
Hi Joe,

It likely has to do with rounding.  That 5.0 is likely a 4.999 or 
something.  So there is floor/ceiling silliness that isn't really 
apparent from the reports.  I think there are also scenarios where the 
rounding / display is done differently and I unified that code in the 
trunk a year or so ago.

Regards,
KAM


Thanks.  For now I just changed the scores to n.1 just for fun.
 
joe a.

Re: Score = 4.9

[Kevin A. McGrail]

  
  
Then likely some of those scores below
  are -0.01 or something similar so they are bumping you JUST under
  5.0
  
  On 9/14/2013 12:29 PM, Joe Acquisto-j4 wrote:


  
  
   On 9/14/2013 at 10:47 AM, "Kevin A. McGrail"
  kmcgr...@pccc.com wrote:
  

  

  On 9/14/2013 7:24 AM, Joe Acquisto-j4 wrote:
 I've been having various issues with changes to
local.cf not "taking".

 Seem to have resolved these, yet there is one more
issue that troubles. (mostly typos apparently, BTW)

 So today, after getting changes to BAYES weights to
"take", I found some SPAM gets thru anyway as the
 score come up short, in my arithmetic. 4.9 and not
5.0. Does it have to do with the "- " in front of some
tests?

 You will see below what I mean:

 -

 X-Spam-Checker-Version: SpamAssassin 3.3.2
(2011-06-06) on open-122
 X-Spam-Level: 
 X-Spam-Status: No, score=4.9 required=5.0
tests=BAYES_99,HTML_MESSAGE,
 SPF_HELO_PASS,SPF_PASS autolearn=no
version=3.3.2
 X-Spam-Report:
 * 5.0 BAYES_99 BODY: Bayes spam probability is
99 to 100%
 * [score: 1.]
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF
record
 * -0.0 SPF_PASS SPF: sender matches SPF record
 * 0.0 HTML_MESSAGE BODY: HTML included in
message
 -
Hi Joe,

It likely has to do with rounding. That 5.0 is likely a
4.999 or 
something. So there is floor/ceiling silliness that
isn't really 
apparent from the reports. I think there are also
scenarios where the 
rounding / display is done differently and I unified
that code in the 
trunk a year or so ago.

Regards,
KAM


  

  

  
  Thanks. For now I just
changed the scores to n.1 just for fun.
  
  joe a.

  



-- 
  Kevin A. McGrail
  President
  
Peregrine Computer Consultants Corporation
3927 Old Lee Highway, Suite 102-C
Fairfax, VA 22030-2422
  
http://www.pccc.com/
  
703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-359-8451 (fax)
kmcgr...@pccc.com
  
  
  

  

Re: Score = 4.9

[RW]

On Sat, 14 Sep 2013 10:47:33 -0400
Kevin A. McGrail wrote:


 It likely has to do with rounding.  That 5.0 is likely a 4.999 or 
 something.  So there is floor/ceiling silliness that isn't really 
 apparent from the reports.  I think there are also scenarios where
 the rounding / display is done differently and I unified that code in
 the trunk a year or so ago.

But what's surprising about it is that the two examples given differ
only by  the Bayes result of 5.0 and 3.0 and they round down
in X-Spam-Level, but in X-Spam-Status the first rounds down and the
second rounds up.

X-Spam-Level:    
X-Spam-Status: No, score=4.9 ... 
X-Spam-Report: 
*  5.0 BAYES_99 BODY: Bayes spam probability is 99 to 100%
*  [score: 1.]
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
* -0.0 SPF_PASS SPF: sender matches SPF record
*  0.0 HTML_MESSAGE BODY: HTML included in message


X-Spam-Level: **
X-Spam-Status: No, score=3.0 ... 
X-Spam-Report: 
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  3.0 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 *  [score: 0.5131]



I'm presuming that the OP has actually defined the Bayes scores at 5.0
and 3.0.

No RBL checks - was - Re: score 0 autolearn=ham

[Joseph Acquisto]

 On 11/5/2012 at 6:44 PM, Joseph Acquisto j...@j4computers.com wrote:
 On 11/5/2012 at 10:34 AM, Bowie Bailey bowie_bai...@buc.com wrote:
 On 11/4/2012 10:10 PM, Joseph Acquisto wrote:
 On 11/4/2012 at 4:09 PM, Jari Fredriksson ja...@iki.fi wrote:
 04.11.2012 22:33, Joseph Acquisto kirjoitti:
 I'd love to use RBL but understand I can't, as the last IP is always the
 same, as I fetch all mail
 from a single POP.Perhaps I am missing something?
 Yes. You put that single POP ESP address to your trusted networks.
 Then it works as designed.

 It is there, and has been, but RBL's are not being used, at all, it appears.

 Using lint I see:
 . . .
 Nov  4 20:58:40.611 [21327] dbg: config: read file 
 /etc/mail/spamassassin/local.cf
 Nov  4 20:58:40.611 [21327] dbg: config: using 
 /root/.spamassassin/user_prefs for user prefs file
 . . .
 Nov  4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
 . . .
 Nov  4 20:58:40.625 [21327] dbg: plugin: loading 
 Mail::SpamAssassin::Plugin::SpamCop from @INC
 Nov  4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling 
 SpamCop
 . . . .

 I see no mention of SpamHaus, or others, which I understood to be enabled 
 by 
 
 default.  I have not disabled any of them, as far as I can tell.
 
 You don't have the skip_rbl_checks option set in the config or -L or 
 --local on your spamd config line do you?
 
 -- 
 Bowie
 
 You mean in /etc/sysconfig/spamd ?
 
 Oh, no, no, never . . . ok, yes.
 
 (But it says *default*)
 
 joe a.

Hey, Guess What?  All of a sudden it started working . . .all by it self . . . 
Yeah, yeah, that's it . . .  that's the ticket . . . 

My thanks to one and all . . . I am beside myself with barely suppressed 
Joy . . .  I should go now, before I try more one-liners . . . 

joe a.

Re: score 0 autolearn=ham

[Bowie Bailey]

On 11/4/2012 10:10 PM, Joseph Acquisto wrote:

On 11/4/2012 at 4:09 PM, Jari Fredriksson ja...@iki.fi wrote:

04.11.2012 22:33, Joseph Acquisto kirjoitti:

I'd love to use RBL but understand I can't, as the last IP is always the

same, as I fetch all mail

from a single POP.Perhaps I am missing something?

Yes. You put that single POP ESP address to your trusted networks.
Then it works as designed.


It is there, and has been, but RBL's are not being used, at all, it appears.

Using lint I see:
. . .
Nov  4 20:58:40.611 [21327] dbg: config: read file 
/etc/mail/spamassassin/local.cf
Nov  4 20:58:40.611 [21327] dbg: config: using /root/.spamassassin/user_prefs 
for user prefs file
. . .
Nov  4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
. . .
Nov  4 20:58:40.625 [21327] dbg: plugin: loading 
Mail::SpamAssassin::Plugin::SpamCop from @INC
Nov  4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling SpamCop
. . . .

I see no mention of SpamHaus, or others, which I understood to be enabled by 
default.  I have not disabled any of them, as far as I can tell.


You don't have the skip_rbl_checks option set in the config or -L or 
--local on your spamd config line do you?


--
Bowie

Re: score 0 autolearn=ham

[Joseph Acquisto]

 On 11/5/2012 at 10:34 AM, Bowie Bailey bowie_bai...@buc.com wrote:
 On 11/4/2012 10:10 PM, Joseph Acquisto wrote:
 On 11/4/2012 at 4:09 PM, Jari Fredriksson ja...@iki.fi wrote:
 04.11.2012 22:33, Joseph Acquisto kirjoitti:
 I'd love to use RBL but understand I can't, as the last IP is always the
 same, as I fetch all mail
 from a single POP.Perhaps I am missing something?
 Yes. You put that single POP ESP address to your trusted networks.
 Then it works as designed.

 It is there, and has been, but RBL's are not being used, at all, it appears.

 Using lint I see:
 . . .
 Nov  4 20:58:40.611 [21327] dbg: config: read file 
 /etc/mail/spamassassin/local.cf
 Nov  4 20:58:40.611 [21327] dbg: config: using 
 /root/.spamassassin/user_prefs for user prefs file
 . . .
 Nov  4 20:58:40.434 [21327] dbg: dns: is Net::DNS::Resolver available? yes
 . . .
 Nov  4 20:58:40.625 [21327] dbg: plugin: loading 
 Mail::SpamAssassin::Plugin::SpamCop from @INC
 Nov  4 20:58:40.627 [21327] dbg: reporter: local tests only, disabling 
 SpamCop
 . . . .

 I see no mention of SpamHaus, or others, which I understood to be enabled by 
 default.  I have not disabled any of them, as far as I can tell.
 
 You don't have the skip_rbl_checks option set in the config or -L or 
 --local on your spamd config line do you?
 
 -- 
 Bowie

You mean in /etc/sysconfig/spamd ?

Oh, no, no, never . . . ok, yes.

(But it says *default*)

joe a.

Re: score 0 autolearn=ham

[Joseph Acquisto]

 On 11/3/2012 at 9:15 PM, Joseph Acquisto j...@j4computers.com wrote:
 Why do these score 0 ?
 
 http://pastebin.com/U4zFu8wk 
 http://pastebin.com/MV9KbnbU 

Two more this AM.  I did not bother posting these, they're virtually identical. 
 Pastebin will expire the evening.

Obvious SPAM/MAlware.   I had once asked about a rule that could specify a 
domain (to ban) in an htlm link in the message body.
I don't recall this being entirely successful.

I recall doing some early work, which hit via command line operation (perlish 
regex checks) but never seemed to work when put in
local.cf

joe a.