Re: Strange behaviour by the AWL module
On 12/12/15 23:43, Benny Pedersen wrote:
> On December 12, 2015 8:33:28 PM Sebastian Arcus wrote:
>> I guess I must be using the default settings - as I don't think I've
>> configured anything in particular for AWL
>
> change default /16 cidr to new default /24 for ipv4, for ipv6 use /64,
> if you like to track on /32 for ipv4 then each ipv4 will have no shared
> awl scores possible
>
> also change default awl factor from 0.5 to 0.25 will reduce how much
> benefit from previous score
>
> if changing settings, delete awl db

Thank you - for the time being I've disabled the AWL module - as I've
worked out that on my type of setup it doesn't appear to be really needed.
Re: Strange behaviour by the AWL module
On 12/12/15 19:57, John Hardin wrote:
> On Sat, 12 Dec 2015, Sebastian Arcus wrote:
>> On 12/12/15 18:21, John Hardin wrote:
>>> On Sat, 12 Dec 2015, Sebastian Arcus wrote:
>>>> One of my servers received a spam message which SA missed, with the
>>>> following report:
>>>>
>>>> -0.4 AWL AWL: Adjusted score from AWL reputation of From: address
>>>>
>>>> After learning the messages as spam into bayes with sa-learn, I get the
>>>> following report:
>>>>
>>>> -6.1 AWL AWL: Adjusted score from AWL reputation of From: address
>>>>
>>>> Luckily the message is now flagged as spam because I have manually
>>>> turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what
>>>> intrigues me is that now the AWL module gives it a -6.1 score. Why would
>>>> AWL now tilt things heavily towards ham, after the message has just been
>>>> learned as spam? It seems to be making things worse instead of better.
>>>> Unless I am misunderstanding what AWL is supposed to be doing?
>>>
>>> You are. The name is misleading. AWL is more a score averager than a
>>> whitelist. It's intended to allow for the occasionally spammy-looking
>>> email from a historically hammy sender (and vice versa). It has nothing
>>> to do with training, which only affects Bayes.
>>>
>>> Messages from that sender will get negative AWL scores for a while until
>>> their traffic history becomes more on the "spam" side.
>>
>> OK - that's kind of what I assumed. What I don't understand is why the
>> AWL score changes after the message has been learned into the Bayes
>> database - and by so much?
>
> It's not that you trained it into Bayes, but that SA had previously only
> seen email from that source address that was scored as ham. I'm assuming
> that's the first message you got from that source address? So their
> entire AWL history is 100% hammy based on the original FN. You scan the
> message again, it scores as spammy now for whatever reason; SA checks the
> AWL history for that sender address and sees "100% hammy" and generates a
> partially-offsetting negative score.
>
> As that sender's AWL history shifts from "100% hammy" towards "99% spammy"
> (assuming you ever get mail from that address again) the offsetting score
> will head towards zero. I don't *think* AWL will generate positive scores
> for spams from a historically spammy sender (i.e. I think AWL is purely to
> offset the raw score for anomalies), so you should see AWL scores stop
> once their history is "mostly spammy".

Thank you for that explanation!
Re: Strange behaviour by the AWL module
On December 12, 2015 8:33:28 PM Sebastian Arcus wrote:
> I guess I must be using the default settings - as I don't think I've
> configured anything in particular for AWL

change default /16 cidr to new default /24 for ipv4, for ipv6 use /64,
if you like to track on /32 for ipv4 then each ipv4 will have no shared
awl scores possible

also change default awl factor from 0.5 to 0.25 will reduce how much
benefit from previous score

if changing settings, delete awl db
Re: Strange behaviour by the AWL module
On Sat, 12 Dec 2015, Sebastian Arcus wrote:
> On 12/12/15 18:21, John Hardin wrote:
>> On Sat, 12 Dec 2015, Sebastian Arcus wrote:
>>> One of my servers received a spam message which SA missed, with the
>>> following report:
>>>
>>> -0.4 AWL AWL: Adjusted score from AWL reputation of From: address
>>>
>>> After learning the messages as spam into bayes with sa-learn, I get the
>>> following report:
>>>
>>> -6.1 AWL AWL: Adjusted score from AWL reputation of From: address
>>>
>>> Luckily the message is now flagged as spam because I have manually
>>> turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what
>>> intrigues me is that now the AWL module gives it a -6.1 score. Why would
>>> AWL now tilt things heavily towards ham, after the message has just been
>>> learned as spam? It seems to be making things worse instead of better.
>>> Unless I am misunderstanding what AWL is supposed to be doing?
>>
>> You are. The name is misleading. AWL is more a score averager than a
>> whitelist. It's intended to allow for the occasionally spammy-looking
>> email from a historically hammy sender (and vice versa). It has nothing
>> to do with training, which only affects Bayes.
>>
>> Messages from that sender will get negative AWL scores for a while until
>> their traffic history becomes more on the "spam" side.
>
> OK - that's kind of what I assumed. What I don't understand is why the
> AWL score changes after the message has been learned into the Bayes
> database - and by so much?

It's not that you trained it into Bayes, but that SA had previously only
seen email from that source address that was scored as ham. I'm assuming
that's the first message you got from that source address? So their
entire AWL history is 100% hammy based on the original FN. You scan the
message again, it scores as spammy now for whatever reason; SA checks the
AWL history for that sender address and sees "100% hammy" and generates a
partially-offsetting negative score.

As that sender's AWL history shifts from "100% hammy" towards "99% spammy"
(assuming you ever get mail from that address again) the offsetting score
will head towards zero. I don't *think* AWL will generate positive scores
for spams from a historically spammy sender (i.e. I think AWL is purely to
offset the raw score for anomalies), so you should see AWL scores stop
once their history is "mostly spammy".

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 If you are "fighting for social justice," then you are defining
 yourself as someone who considers regular old everyday *equal*
 justice to be something you don't want. -- GOF at TSM
---
 3 days until Bill of Rights day
Re: Strange behaviour by the AWL module
On 12/12/15 13:06, Benny Pedersen wrote:
> Sebastian Arcus wrote on 2015-12-12 12:51:
>> Why would AWL now tilt things heavily towards ham, after the message
>> has just been learned as spam?
>
> it's how AWL works
>
>> It seems to be making things worse instead of better. Unless I am
>> misunderstanding what AWL is supposed to be doing?
>
> what are your settings for AWL plugin ?

I guess I must be using the default settings - as I don't think I've
configured anything in particular for AWL
Re: Strange behaviour by the AWL module
On 12/12/15 18:21, John Hardin wrote:
> On Sat, 12 Dec 2015, Sebastian Arcus wrote:
>> One of my servers received a spam message which SA missed, with the
>> following report:
>>
>> -0.4 AWL AWL: Adjusted score from AWL reputation of From: address
>>
>> After learning the messages as spam into bayes with sa-learn, I get the
>> following report:
>>
>> -6.1 AWL AWL: Adjusted score from AWL reputation of From: address
>>
>> Luckily the message is now flagged as spam because I have manually
>> turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what
>> intrigues me is that now the AWL module gives it a -6.1 score. Why would
>> AWL now tilt things heavily towards ham, after the message has just been
>> learned as spam? It seems to be making things worse instead of better.
>> Unless I am misunderstanding what AWL is supposed to be doing?
>
> You are. The name is misleading. AWL is more a score averager than a
> whitelist. It's intended to allow for the occasionally spammy-looking
> email from a historically hammy sender (and vice versa). It has nothing
> to do with training, which only affects Bayes.
>
> Messages from that sender will get negative AWL scores for a while until
> their traffic history becomes more on the "spam" side.

OK - that's kind of what I assumed. What I don't understand is why the
AWL score changes after the message has been learned into the Bayes
database - and by so much?
Re: Strange behaviour by the AWL module
On Sat, 12 Dec 2015, Sebastian Arcus wrote:
> One of my servers received a spam message which SA missed, with the
> following report:
>
> -0.4 AWL AWL: Adjusted score from AWL reputation of From: address
>
> After learning the messages as spam into bayes with sa-learn, I get the
> following report:
>
> -6.1 AWL AWL: Adjusted score from AWL reputation of From: address
>
> Luckily the message is now flagged as spam because I have manually
> turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what
> intrigues me is that now the AWL module gives it a -6.1 score. Why would
> AWL now tilt things heavily towards ham, after the message has just been
> learned as spam? It seems to be making things worse instead of better.
> Unless I am misunderstanding what AWL is supposed to be doing?

You are. The name is misleading. AWL is more a score averager than a
whitelist. It's intended to allow for the occasionally spammy-looking
email from a historically hammy sender (and vice versa). It has nothing
to do with training, which only affects Bayes.

Messages from that sender will get negative AWL scores for a while until
their traffic history becomes more on the "spam" side.

A lot of people just turn AWL off, or use a newer replacement called
txrep.

I think there's a way to wipe the AWL history for a given sender; I don't
recall what it is off the top of my head, though.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 When fascism comes to America, it will be wrapped in "Diversity"
 and demanding "Safe Spaces." -- Mona Charen
---
 3 days until Bill of Rights day
Re: Strange behaviour by the AWL module
Sebastian Arcus wrote on 2015-12-12 12:51:
> Why would AWL now tilt things heavily towards ham, after the message
> has just been learned as spam?

it's how AWL works

> It seems to be making things worse instead of better. Unless I am
> misunderstanding what AWL is supposed to be doing?

what are your settings for AWL plugin ?
Strange behaviour by the AWL module
One of my servers received a spam message which SA missed, with the
following report:

Content analysis details:   (3.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (noreply[at]live.com)
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.4993]
 2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-0.4 AWL                    AWL: Adjusted score from AWL reputation of From: address

After learning the messages as spam into bayes with sa-learn, I get the
following report:

Content analysis details:   (8.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 4.9 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (noreply[at]live.com)
 0.0 HTML_MESSAGE           BODY: HTML included in message
 8.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.]
 2.0 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
-6.1 AWL                    AWL: Adjusted score from AWL reputation of From: address

Luckily the message is now flagged as spam because I have manually
turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what
intrigues me is that now the AWL module gives it a -6.1 score. Why would
AWL now tilt things heavily towards ham, after the message has just been
learned as spam? It seems to be making things worse instead of better.
Unless I am misunderstanding what AWL is supposed to be doing?
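
The arithmetic behind the two AWL lines in the reports above, as an added example that is not part of the thread. It assumes SpamAssassin's documented AWL rule (adjustment = (sender's mean score - message score) * factor) and, as a simplification, one history entry per sender; the function names and the replayed message sequence are constructed for illustration.

```python
FACTOR_DEFAULT = 0.5    # default factor quoted in the thread
FACTOR_REDUCED = 0.25   # lower value suggested in the thread

# Constructed from the two reports in the original post: (total points, AWL points).
REPORTS = {"before sa-learn": (3.1, -0.4), "after sa-learn": (8.8, -6.1)}


def awl_delta(mean, score, factor):
    """Adjustment that pulls this message's score part-way toward the sender's mean."""
    return (mean - score) * factor


def implied_mean(total, awl, factor):
    """Invert awl_delta to recover the sender's stored mean from a report."""
    pre_awl = total - awl            # score before the AWL adjustment was applied
    return round(pre_awl + awl / factor, 1)   # reports only carry one decimal


def replay(prior_scores, incoming, factor):
    """Score each incoming message against the running history, then record it."""
    total, count = sum(prior_scores), len(prior_scores)
    deltas = []
    for score in incoming:
        deltas.append(round(awl_delta(total / count, score, factor), 3))
        total, count = total + score, count + 1   # history stores the pre-AWL score
    return deltas


if __name__ == "__main__":
    for label, (total, awl) in REPORTS.items():
        mean = implied_mean(total, awl, FACTOR_DEFAULT)
        print(f"{label}: pre-AWL {total - awl:.1f}, implied sender mean {mean}")
    # Assumption: one earlier message at the implied mean, then the same spam
    # (14.9 points before AWL) arriving four times from the same sender.
    for factor in (FACTOR_DEFAULT, FACTOR_REDUCED):
        print(f"factor {factor}: AWL adjustments {replay([2.7], [14.9] * 4, factor)}")
```

Both reports imply the same stored mean of about 2.7, so the move from -0.4 to -6.1 comes from the message's own pre-AWL score rising from 3.5 to 14.9, not from any change in the sender's history. In the replay the adjustment shrinks toward zero as spammy scores accumulate, and the 0.25 factor halves it at every step.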