Re: Why is RP_MATCHES_RCVD so "heavy"?
Matus UHLAR - fantomaswrites: >>Eric Abrahamsen wrote: >>> I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't >>> make it into my inbox otherwise. I see the scoring recently got bumped >>> to -3.0, which makes false negatives even more likely. >>> >>> I'm not expert enough in the nature of spam to really understand why >>> this test is so strong, nor to feel confident in simply whacking a few >>> points off it without knowing more. >>> >>> In the year or so that I've been running my own mail server, I don't >>> think I've seen a *single* false positive (at least not one that I >>> noticed), but get maybe an average of two spam mails into my inbox every >>> day. I've beefed up the BAYES scores, and that helped, but haven't >>> tweaked anything else. >>> >>> Can anyone tell me why it's scored so heavily? Would it be a bad idea to >>> just drop it down to -1.5 or something? > > On 23.11.16 10:29, Kris Deugau wrote: >>This is a rule whose usefulness is likely to vary a lot more for your >>mail stream. >> >>Locally, I found it was firing on enough of the reported false-negatives >>that I squashed it down to a purely advisory -0.001 quite a while ago, >>and I haven't seen any issues with doing so. >> >>I didn't disable it outright as some others do, since it's used in >>several meta rules. > > meta rules should match __RP_MATCHES_RCVD which is exactly the same rule > - blanking RP_MATCHES_RCVD should make no difference > > Thus I (again) recommend blanking it... Thanks to all of you for the responses! I'll weaken the rule a bit and see how it goes -- looking at total scores for the spam that makes it past SA, just a point or two should do it. It was helpful seeing everyone's thought-process here, thanks again. E
Re: Why is RP_MATCHES_RCVD so "heavy"?
Eric Abrahamsen wrote: I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely. I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more. In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else. Can anyone tell me why it's scored so heavily? Would it be a bad idea to just drop it down to -1.5 or something? On 23.11.16 10:29, Kris Deugau wrote: This is a rule whose usefulness is likely to vary a lot more for your mail stream. Locally, I found it was firing on enough of the reported false-negatives that I squashed it down to a purely advisory -0.001 quite a while ago, and I haven't seen any issues with doing so. I didn't disable it outright as some others do, since it's used in several meta rules. meta rules should match __RP_MATCHES_RCVD which is exactly the same rule - blanking RP_MATCHES_RCVD should make no difference Thus I (again) recommend blanking it... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Despite the cost of living, have you noticed how popular it remains?
Re: Why is RP_MATCHES_RCVD so "heavy"?
Eric Abrahamsen wrote: > I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't > make it into my inbox otherwise. I see the scoring recently got bumped > to -3.0, which makes false negatives even more likely. > > I'm not expert enough in the nature of spam to really understand why > this test is so strong, nor to feel confident in simply whacking a few > points off it without knowing more. > > In the year or so that I've been running my own mail server, I don't > think I've seen a *single* false positive (at least not one that I > noticed), but get maybe an average of two spam mails into my inbox every > day. I've beefed up the BAYES scores, and that helped, but haven't > tweaked anything else. > > Can anyone tell me why it's scored so heavily? Would it be a bad idea to > just drop it down to -1.5 or something? This is a rule whose usefulness is likely to vary a lot more for your mail stream. Locally, I found it was firing on enough of the reported false-negatives that I squashed it down to a purely advisory -0.001 quite a while ago, and I haven't seen any issues with doing so. I didn't disable it outright as some others do, since it's used in several meta rules. -kgd
Re: Why is RP_MATCHES_RCVD so "heavy"?
On 22 Nov 2016, at 17:54, Eric Abrahamsen wrote: I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely. I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more. In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else. Can anyone tell me why it's scored so heavily? Probably someone more intimate withe the RuleQA process can explain it. To me it looks too noisy to be scored so strongly, and for years I've had it pegged for my systems at -0.3. I suspect that much of the non-matching spam is stuff that many sites exclude well ahead of SA, so it is not as indicative in production systems as it is in RuleQA. Would it be a bad idea to just drop it down to -1.5 or something? In the past 2 years on multiple mail systems I have had no indication of any false positives which would have been cured by a stronger ham score for RP_MATCHES_RCVD. My reduction to -0.3 was based on the rule chronically redeeming a stream of snowshoe spam that was otherwise scoring in the ~6 range. Whether and how far you reduce its power should be based on your local circumstances, but -1.5 strikes me as probably a reasonable & prudent guess in the absence of careful analysis.
Re: Why is RP_MATCHES_RCVD so "heavy"?
On Nov 22, 2016, at 3:54 PM, Eric Abrahamsenwrote: > I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't > make it into my inbox otherwise. I see the scoring recently got bumped > to -3.0, which makes false negatives even more likely. I do see this in spam, but I see it so much more in ham that I’ve not changed the score. The spam that does hit it seems to score very highly in other areas (bayes_99 and bayes_999 especially). I see it in a lot of mail that is often tagged by the user as spam, but os not actually spam. For example, emails from macy’s or target which the user did sign up for, but is too lazy to unsubscribe. But run it against your corpus and adjust the score as needed.
Re: Why is RP_MATCHES_RCVD so "heavy"?
On 2016-11-22 14:54, Eric Abrahamsen wrote: > Can anyone tell me why it's scored so heavily? Would it be a bad idea > to just drop it down to -1.5 or something? I score it as 0, and I think a number of others on this list (with much more expertise than me) do the same. -- Please *no* private Cc: on mailing lists and newsgroups Personal signed mail: please _encrypt_ and sign Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html
Why is RP_MATCHES_RCVD so "heavy"?
I get a lot of spam that passes the RP_MATCHES_RCVD test; it wouldn't make it into my inbox otherwise. I see the scoring recently got bumped to -3.0, which makes false negatives even more likely. I'm not expert enough in the nature of spam to really understand why this test is so strong, nor to feel confident in simply whacking a few points off it without knowing more. In the year or so that I've been running my own mail server, I don't think I've seen a *single* false positive (at least not one that I noticed), but get maybe an average of two spam mails into my inbox every day. I've beefed up the BAYES scores, and that helped, but haven't tweaked anything else. Can anyone tell me why it's scored so heavily? Would it be a bad idea to just drop it down to -1.5 or something? Thanks, Eric