Re: spam that only hits the BAYES_99 rule

2006-11-12 Thread Tom H

Matt Kettler wrote:

Tom H wrote:
  

Hi,

I was getting hit by a great deal of spam that only hits the BAYES_99

I would be grateful for any ideas on this...


Sounds like the message contains a URI that is now listed in many of the
SURBL and URIBL lists.

 It may be that this got listed after you got the spam, but do you have
network tests enabled?


  
There is a url in the domain that definitely hits some of the URIBLs 
(results from the SURBL+ Checker on rulesemporium )


   * RBL: skipping uri lookups on ip-based RBLs
   * URIBL: multi.surbl.org: *listed* [Blocked,
 madesucxxxntiondetunhadesu.com on lists [ab][jp][ob][sc][ws],
 See: http://www.surbl.org/lists.html]
   * URIBL: multi.uribl.com: *listed* [Blacklisted, see
 http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com
 http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com]

However I don't seem to get any score for those, even though 
spamassassin is clearly running the network tests, as I can see from the 
debug output;


[EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf  
/usr/share/doc/spamassassin-3.1.4/sample-spam.txt


snip

[27826] dbg: uridnsbl: domains to query:
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl
[27826] dbg: dns: checking RBL sa-other.bondedsender.org., set bsp-untrusted
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl-lastexternal
[27826] dbg: dns: checking RBL combined.njabl.org., set njabl
[27826] dbg: dns: checking RBL bl.spamcop.net., set spamcop
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs-lastexternal
[27826] dbg: dns: checking RBL dnsbl.sorbs.net., set sorbs
[27826] dbg: dns: checking RBL sbl-xbl.spamhaus.org., set sblxbl-lastexternal
[27826] dbg: dns: checking RBL sa-accredit.habeas.com., set habeas-firsttrusted
[27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois
[27826] dbg: dns: checking RBL list.dsbl.org., set dsbl-lastexternal
[27826] dbg: dns: checking RBL sa-trusted.bondedsender.org., set bsp-firsttrusted
[27826] dbg: dns: checking RBL combined-HIB.dnsiplists.completewhois.com., set whois-lastexternal
[27826] dbg: dns: checking RBL iadb.isipp.com., set iadb-firsttrusted

snip

Content analysis details:   (999.9 points, 4.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
1000 GTUBE                  BODY: Generic Test for Unsolicited Bulk Email
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.2288]
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.1 AWL                    AWL: From: address is in the auto white-list



my sa-defang.cf is ;


required_hits 4.5
ok_locales en
rewrite_subject 1
# report_header 1
# use_terse_report 0
# defang_mime 0
# skip_rbl_checks 0
#Enable bayes
auto_learn 1
use_bayes 1
bayes_path  /var/spool/MIMEDefang/.spamassassin/bayes
bayes_file_mode 0666



Re: spam that only hits the BAYES_99 rule

2006-11-12 Thread Matt Kettler
Tom H wrote:
 Matt Kettler wrote:
 Tom H wrote:
  
 Hi,

 I was getting hit by a great deal of spam that only hits the BAYES_99

 I would be grateful for any ideas on this...
 
 Sounds like the message contains a URI that is now listed in many of the
 SURBL and URIBL lists.

  It may be that this got listed after you got the spam, but do you have
 network tests enabled?


   
 There is a url in the domain that definitely hits some of the URIBLs
 (results from the SURBL+ Checker on rulesemporium )

* RBL: skipping uri lookups on ip-based RBLs
* URIBL: multi.surbl.org: *listed* [Blocked,
  madesucxxxntiondetunhadesu.com on lists [ab][jp][ob][sc][ws],
  See: http://www.surbl.org/lists.html]
* URIBL: multi.uribl.com: *listed* [Blacklisted, see
  http://lookup.uribl.com/?domain=madesuntioxxxndetunxxxhadesu.com
  http://lookup.uribl.com/?domain=madesuntiondetunhadesu.com]

 However I don't seem to get any score for those, even though
 spamassassin is clearly running the network tests, as I can see from
 the debug output;

 [EMAIL PROTECTED] ~]# spamassassin -t -D -p /etc/mail/sa-mimedefang.cf 
 /usr/share/doc/spamassassin-3.1.4/sample-spam.txt

Is there any chance your init.pre is missing from
/etc/mail/spamassassin? Or does it have the URIBL plugin commented out?

It looks like you have working network tests, but not working URIBLs.
The most common cause would be the plugin isn't being loaded by init.pre.

 The other possibility is your Net::DNS is too old to support URIBLs,
but new enough to handle normal RBLs, however, the -D output would
complain if this was the case.
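
The two checks suggested in this reply, written out as an added example (not code from the thread or from the SpamAssassin project). It assumes that `uridnsbl:` debug lines appear only when the URIDNSBL plugin is loaded; the function names and the constructed `init.pre` are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: "uridnsbl:" debug lines
# appear only when the URIDNSBL plugin is loaded.

# uribl_plugin_loaded FILE: succeeds only if FILE has an active (uncommented)
# loadplugin line for the URIDNSBL plugin.
uribl_plugin_loaded() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*loadplugin[[:space:]]+Mail::SpamAssassin::Plugin::URIDNSBL([[:space:]]|$)' "$1"
}

# uribl_debug_state FILE: classify saved "spamassassin -D" output as
#   not-loaded  no "uridnsbl:" debug lines at all
#   no-domains  plugin ran, but its "domains to query:" list was empty
#   queried     at least one URI domain was handed to the URIBL lookups
uribl_debug_state() {
    awk '
        / dbg: uridnsbl: / { seen = 1 }
        / dbg: uridnsbl: domains to query:/ {
            sub(/.*domains to query:[ \t]*/, "")
            if (length($0) > 0) domains = 1
        }
        END {
            if (!seen)        print "not-loaded"
            else if (domains) print "queried"
            else              print "no-domains"
        }' "$1"
}

# Constructed init.pre with the plugin line commented out.
tmp=$(mktemp -d)
printf '%s\n' '# loadplugin Mail::SpamAssassin::Plugin::URIDNSBL' \
    'loadplugin Mail::SpamAssassin::Plugin::SPF' > "$tmp/init.pre"
# Two lines copied from the debug excerpt in the thread.
printf '%s\n' '[27826] dbg: uridnsbl: domains to query:' \
    '[27826] dbg: dns: checking RBL bl.spamcop.net., set spamcop' > "$tmp/debug.log"

if uribl_plugin_loaded "$tmp/init.pre"; then echo "init.pre: URIDNSBL loaded"
else echo "init.pre: URIDNSBL missing or commented out"; fi
echo "debug output: $(uribl_debug_state "$tmp/debug.log")"
```

The `-D` output is written to stderr, so save it with `2>debug.log` before classifying it. A `no-domains` result says the test message gave the plugin nothing to look up, so repeat the run against a saved copy of the spam in question.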







Re: spam that only hits the BAYES_99 rule

2006-11-11 Thread Matt Kettler
Tom H wrote:
 Hi,

 I was getting hit by a great deal of spam that only hits the BAYES_99
 rule, and maybe gets less than a point or so from elsewhere.
 But now I'm getting ones through that are basically only hitting the
 BAYES_99 and nothing else;

 X-Spam-Score: 3.5 (***) BAYES_99

 I tried to send the mail to this list to demonstrate the content but
 got bounced with 12.9 spam score.

 I'm running sa-update weekly, and rules_du_jour daily with a big set
 of rules, and I'm still not hitting loads of obvious spam.
 Particularly those with the title Re: + good and then a number
 appended to the end.

 The only thing I can think of at the moment is to reduce my
 required_hits to 3.5 or increase the score for BAYES_99 to 5, but I
 would prefer not to do the latter as I like a default and
 automatically updated installation.

 I would be grateful for any ideas on this...
Sounds like the message contains a URI that is now listed in many of the
SURBL and URIBL lists.

 It may be that this got listed after you got the spam, but do you have
network tests enabled?











Re: spam that only hits the BAYES_99 rule

2006-11-11 Thread jdow

From: Tom H [EMAIL PROTECTED]


Hi,

I was getting hit by a great deal of spam that only hits the BAYES_99
rule, and maybe gets less than a point or so from elsewhere.
But now I'm getting ones through that are basically only hitting the
BAYES_99 and nothing else;

X-Spam-Score: 3.5 (***) BAYES_99

I tried to send the mail to this list to demonstrate the content but got 
bounced with 12.9 spam score.


I'm running sa-update weekly, and rules_du_jour daily with a big set of 
rules, and I'm still not hitting loads of obvious spam. Particularly 
those with the title Re: + good and then a number appended to the end.


The only thing I can think of at the moment is to reduce my 
required_hits to 3.5 or increase the score for BAYES_99 to 5, but I 
would prefer not to do the latter as I like a default and automatically 
updated installation.


I would be grateful for any ideas on this...


Tom, my answer is a cheat. Simply raise Bayes 99 score until you start
seeing false positives from it. Then reduce the score a little. It appears
that either Bayes 99 is pessimistic of its likelihood of being spam or
else one of my few negative scores has saved me from the expected potload
of mismarked ham. I run at 5.0001. (The .0001 is just to be obnoxious
about it.)

{^_^}