RE: Increase spamassassin bayes99 score

2016-10-14 Thread Dino Edwards
Yasou NiKo, There are a few things that might be going on here. What is the average score of the ham e-mails that you are getting through. The reason I’m asking is can you possibly bring down your required=5.5 score? Every installation is different but our required= score is set to 3.6 and

Re: spam assassin rule to block a From address

2016-10-14 Thread Indunil Jayasooriya
> The "[..]" construct is called a character class, and contains a set of > characters or character ranges that should match a single character in the > source. So "[0-9a-f]" matches a single character that is either a digit 0-9 > or a letter a-f (those example addresses looked suspiciously

RE: spam assassin rule to block a From address

2016-10-14 Thread Kai Risku
There is a small chance of false positives, i.e. you are catching *all* email addresses beginning with airecom612. You could be a bit more specific and require a hexadecimal string of at least 16 characters also: header SPAM11OctF1 From:addr ~=

Re: spam assassin rule to block a From address

2016-10-14 Thread Indunil Jayasooriya
> Appending the modifier “:addr” to a header name will remove everything from > that header except the first email address. If you are using an anchored > regexp on the email address, then the From:addr test should work, i.e. > > > > header SPAM11OctF1 From:addr ~= >

Re: spam assassin rule to block a From address

2016-10-14 Thread Indunil Jayasooriya
On Fri, Oct 14, 2016 at 2:21 AM, Tom Hendrikx wrote: > > > > On 13-10-16 10:12, Indunil Jayasooriya wrote: >>> >>> You should probably also match only the address, not the full From line, >>> especially when you're anchoring: >> >> >> what's the difference between From and

RE: Increase spamassassin bayes99 score

2016-10-14 Thread Kai Risku
Put this in your local.cf score BAYES_996.0 Personally I think 6.0 is a bit high. There is significant risk of false positive if one single rule can give enough points to block the message. Are you using network tests (RBL blocklists, etc.)? These are usually very effective.

RE: spam assassin rule to block a From address

2016-10-14 Thread Kai Risku
Appending the modifier “:addr” to a header name will remove everything from that header except the first email address. If you are using an anchored regexp on the email address, then the From:addr test should work, i.e. header SPAM11OctF1 From:addr ~=