Are you positive those are real messages? Just looking at the messages I'd
be dead positive the first one was a spam, and the others with the bad HELO
sound awfully fishy to me.
Loren
----- Original Message -----
From: "Dana Holland" <[EMAIL PROTECTED]>
To: "Loren Wilton" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Monday, February 16, 2004 2:45 PM
Subject: Re: false positives from AOL
> Here are some of them - they do all have a lot in common - but I'm not
> experienced enough with this to completely understand what it's telling me:
>
> 1.
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.3 NO_REAL_NAME From: does not include a real name
> 0.9 HTML_30_40 BODY: Message is 30% to 40% HTML
> -0.0 BAYES_44 BODY: Bayesian spam probability is 44 to 50%
> [score: 0.4998]
> 0.2 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
> 0.1 HTML_MESSAGE BODY: HTML included in message
> 0.3 HTML_FONT_BIG BODY: HTML has a big font
> 0.1 HTML_FONTCOLOR_UNSAFE BODY: HTML font color not in safe 6x6x6 palette
> 0.1 HTML_TAG_BALANCE_HTML BODY: HTML has unbalanced "html" tags
> 2.9 NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
> 1.8 FAKE_HELO_AOL Host HELO did not match rDNS: aol.com
>
> 2.
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.3 NO_REAL_NAME From: does not include a real name
> -0.0 BAYES_44 BODY: Bayesian spam probability is 44 to 50%
> [score: 0.4480]
> 0.1 HTML_MESSAGE BODY: HTML included in message
> 0.5 HTML_50_60 BODY: Message is 50% to 60% HTML
> 2.9 NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
> 1.8 FAKE_HELO_AOL Host HELO did not match rDNS: aol.com
>
> 3.
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.3 NO_REAL_NAME From: does not include a real name
> 0.9 HTML_40_50 BODY: Message is 40% to 50% HTML
> -0.0 BAYES_44 BODY: Bayesian spam probability is 44 to 50%
> [score: 0.4995]
> 0.1 HTML_MESSAGE BODY: HTML included in message
> 0.1 HTML_TAG_BALANCE_HTML BODY: HTML has unbalanced "html" tags
> 2.9 NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
> 1.8 FAKE_HELO_AOL Host HELO did not match rDNS: aol.com
>
> 4.
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.3 NO_REAL_NAME From: does not include a real name
> 0.1 HTML_MESSAGE BODY: HTML included in message
> 0.0 BAYES_50 BODY: Bayesian spam probability is 50 to 56%
> [score: 0.5150]
> 0.3 HTML_70_80 BODY: Message is 70% to 80% HTML
> 2.9 NO_RDNS_DOTCOM_HELO Host HELO'd as a big ISP, but had no rDNS
> 1.8 FAKE_HELO_AOL Host HELO did not match rDNS: aol.com
>
>
> Loren Wilton wrote:
>
> > Are you getting hits on anything other than the aol domain in these
> > messages? Where is the score coming from?
> >
> > You can certainly write an 'aol partly ok' rule that only gives a few points
> > negative.
> >
> > header AOL_MAYBE From =~ /aol\.com/
> > score AOL_MAYBE -5 # maybe ok, maybe not
> >
> > Loren
> >
> >
> > ----- Original Message -----
> > From: "Dana Holland" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, February 16, 2004 2:24 PM
> > Subject: false positives from AOL
> >
> >
> >
> >>It seems that every piece of email from an AOL user is being tagged as
> >>spam. However, this is an educational institution - we receive a lot of
> >>emails from students with AOL accounts. So far I've been trying to put
> >>each student in the white list, but I can tell that's going to be
> >>unmanageable. Is there anything else I could do? Is allowing anything
> >>from AOL through going to be the only option?
> >>
>
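
Added example, not part of the original thread: a short Python script that parses a SpamAssassin report like the ones quoted above and splits the total into points from the HELO/rDNS rules and points from everything else, which answers the "where is the score coming from" question for these messages. The function names are hypothetical, and the 5.0 threshold is SpamAssassin's default required score, assumed here because the thread does not state the site's setting.

```python
import re
from decimal import Decimal

# Report 2 from the message above, retyped as sample input.
REPORT = """\
 0.3 NO_REAL_NAME           From: does not include a real name
-0.0 BAYES_44               BODY: Bayesian spam probability is 44 to 50%
                            [score: 0.4480]
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.5 HTML_50_60             BODY: Message is 50% to 60% HTML
 2.9 NO_RDNS_DOTCOM_HELO    Host HELO'd as a big ISP, but had no rDNS
 1.8 FAKE_HELO_AOL          Host HELO did not match rDNS: aol.com
"""

# Assumption: 5.0 is SpamAssassin's default required score; the thread
# does not say what threshold this site uses.
REQUIRED = Decimal("5.0")

# "<points> <RULE_NAME> <description>", optionally behind "> " quote marks.
HIT = re.compile(r"^[>\s]*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s+(.*)$")


def parse_hits(report):
    """Return [(points, rule)] for every rule line; skip headers and
    continuation lines such as "[score: 0.4480]"."""
    hits = []
    for line in report.splitlines():
        m = HIT.match(line)
        if m:
            hits.append((Decimal(m.group(1)), m.group(2)))
    return hits


def breakdown(report, marker="HELO"):
    """Split the total into points from rules whose name contains
    `marker` and points from everything else."""
    hits = parse_hits(report)
    total = sum((p for p, _ in hits), Decimal("0"))
    relay = sum((p for p, r in hits if marker in r), Decimal("0"))
    return {"total": total, "relay": relay, "content": total - relay,
            "tagged": total >= REQUIRED,
            "tagged_without_relay": total - relay >= REQUIRED}


if __name__ == "__main__":
    for key, value in breakdown(REPORT).items():
        print(f"{key:22} {value}")
```

For this report the two HELO rules contribute 4.7 of the 5.6 points; the content rules alone add up to 0.9.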