On 03/09/2018 08:58 AM, RW wrote:
On Fri, 9 Mar 2018 11:09:40 -0300
Robert Boyl wrote:
Hi, everyone
Just wondering, whats your thoughts on Razor?
Havent analysed big amount of emails yet, but Ive had a few cases
where it causes very strange false positives that make no sense.
and adds a lot of points...
RAZOR2_CF_RANGE_51_100 0.36, RAZOR2_CF_RANGE_E8_51_100 2.43,
RAZOR2_CHECK 1.73
That's out of date
score RAZOR2_CHECK 0 1.729 0 0.922 # n=0
score RAZOR2_CF_RANGE_51_100 0 2.430 0 1.886 # n=0 n=2
It says on their site " Detection is done with statistical and
randomized signatures that efficiently spot mutating spam content. "
For example those scores were for a totally legit email that had some
screenshots embedded in the email...
It's nothing to do with that, currently it's based on a combination of
text size and URI domains, it's not far-off being a URIBL.
Also, how to report FP?
RAZOR like DCC and PYZOR shouldn't be used as a sole source of
determining spam. These are indicators that combine with other rule
hits and scores to be one of many factors. If the score was 10 or more
then you would worry about reporting FPs.
If RAZOR scores alone are pushing legit mail over the block threshold,
then you need to do something like whitelist_auth the sender if they are
trustworthy and have good SPF or DKIM, train the Bayes DB better, or add
some custom whitelist rules to bring the score down below 5 -- assuming
you still have the default block threshold at 5.
In theory (if it hasn't fallen-off) you can do it through SA (spamc or
spamassassin) or razor-revoke after registering via razor-admin,
but you would need to build-up a reputation before it carries any
weight. There may be something on the cloudmark site as well.
--
David Jones
