> I assume that "negatively-scored" means that it is less likely to be spam,
> correct?

Yes.  Specifically it means a rule with a negative score value.
High positive scores (over some threshold value, usually 5.0) indicate spam.
This score is usually an accumulation of smaller score values from various
rules.
Some things can indicate that the mail is NOT spam.  In this case a rule to
catch such a thing would add a *negative* score.  So if a known-ham message
had a few spammy things about it, the negative score would make it harder to
score (erroneously) as spam.

The most common negative scores are Bayes scores below 50.  Bayes will also
add positive scores above 50.


> Here is an example of a message that should have been flagged:
>
> X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,
> HTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,
> SARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no
> version=3.0.2
>
> How do I read this and what do I do with this?  I assume this is what you
> were asking me to look at, right?

> X-Spam-Status: No, score=4.7 required=5.0

The mail isn't spam, it only scored 4.7 and needs to be at least 5.0 to be
spam.
NOTE!!! These score values are ROUNDED TO ONE DIGIT.  Many people ask "my
mail shows 5.0 hits and 5.0 required, why wasn't it spam?"  Because the
score was REALLY 4.999 or some such, which is less than 5.0, but rounds to
5.0 in the display.

> tests=BAYES_50,

Bayes doesn't know if this is ham or spam.  You should start training Bayes
to better recognize your mail.  Read up on sa-learn.  Bayes can help a great
deal when properly trained.  In this case it did nothing.

> HTML_10_20,
> HTML_MESSAGE,
> MIME_HTML_ONLY,

Standard rules with very slight positive scores

> RAZOR2_CF_RANGE_51_100,
> RAZOR2_CHECK,

You are running Razor, so you are running net tests successfully.  These checks
probably added much of the score for this spam.

> SARE_RECV_IP_218071,

Only ONE SARE rule hit.  If this is really spam, this is moderately unusual,
unless you only have one or two of the SARE files set up.

> SPF_HELO_PASS,

This might well be a negative scoring rule.  Spam usually shouldn't be able
to get an SPF_PASS rating.

> TW_GK,

This sounds like a local rule, but maybe it's a stock rule I've never seen.

> URIBL_SBL

Sender showed up in a block list.  This added some positive points.

You can look up all of these rules in the *.cf files and see what their
scores are if you want.  Just grep the files for the rule names shown in the
message of interest.

Without seeing the message in question, the only 'strange' things here are:

1. Why did it get SPF_PASS if it is spam?
2. Why did only one SARE rule hit?
3. Why isn't Bayes better trained for this kind of message?

Bayes training you have to do.
Possibly this mail really does only hit one SARE rule.  Or possibly the
rules files are corrupt; --lint will tell you.
Can't tell anything about SPF_PASS without the original headers.

        Loren
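
Added example, not part of the message above and not SpamAssassin's own code: a Python sketch of the reading procedure it describes, which unfolds the X-Spam-Status header, looks each rule up in `score` lines the way grepping the *.cf files would, and shows the display-rounding case. The function names are hypothetical and the score values in SAMPLE_CF are invented, not the real scores; the only assumption beyond the message is the standard `score` line syntax of one value or four, one per score set.

```python
import re

# Constructed sample: the folded header quoted in the message above.
RAW_HEADER = (
    "X-Spam-Status: No, score=4.7 required=5.0 tests=BAYES_50,HTML_10_20,\n"
    "\tHTML_MESSAGE,MIME_HTML_ONLY,RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,\n"
    "\tSARE_RECV_IP_218071,SPF_HELO_PASS,TW_GK,URIBL_SBL autolearn=no\n"
    "\tversion=3.0.2\n"
)
# Constructed stand-in for *.cf contents. The values are invented for
# illustration and are NOT SpamAssassin's real scores for these rules.
SAMPLE_CF = """\
score BAYES_50 0 0 0.5 0.001
describe HTML_MESSAGE HTML included in message
score HTML_MESSAGE 0.1
score RAZOR2_CHECK 0 1.2 0 1.5   # trailing comment is ignored
score SPF_HELO_PASS -0.001
score URIBL_SBL 0 1.0 0 1.6
"""

def parse_status(raw):
    """Unfold the header; return (score, required, [rule names])."""
    flat = re.sub(r"\r?\n[ \t]+", " ", raw.strip())
    score = float(re.search(r"\bscore=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", flat).group(1))
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", flat).group(1)
    return score, required, [t.strip() for t in tests.split(",") if t.strip()]

def load_scores(cf_text, scoreset=3):
    """Map rule -> score. A score line carries one value or four (one per
    score set); set 3 is the one used with Bayes and network tests both on."""
    scores = {}
    for line in cf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "score":
            values = [float(v) for v in parts[2:]]
            scores[parts[1]] = values[scoreset] if len(values) == 4 else values[0]
    return scores

def breakdown(raw, cf_text):
    """Return (scores of rules found, rules with no score line, negative rules)."""
    _, _, tests = parse_status(raw)
    scores = load_scores(cf_text)
    known = {t: scores[t] for t in tests if t in scores}
    missing = [t for t in tests if t not in scores]
    return known, missing, [t for t, s in known.items() if s < 0]

def verdict(total, required=5.0):
    """Return (is_spam, score as the header displays it, one decimal place)."""
    return total >= required, f"{total:.1f}"

if __name__ == "__main__":
    print(parse_status(RAW_HEADER), breakdown(RAW_HEADER, SAMPLE_CF), verdict(4.999))
```

Rules that come back in the "no score line" list are the ones to chase in local or add-on rule files, and `verdict(4.999)` is the "5.0 hits and 5.0 required" case from the note above.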
