I lost track of checking my spam folders recently for almost a week (I filter to a maybe-spam folder on scores that are lower than what doctrine says, splitting into really-ham, iffy, and really-spam -- it was the iffy I didn't look at). On checking, I refiled a bunch of ham that had from 2 to 6 points. There was much more of this than normal, at all scores.
There are lots of reasons for the scores, some of which are just how it is (MIME HTML with no HTML tag), and rDNS lookup failures on Google MTAs. But one thing jumped out at me: a fair number of RCVD_IN_SORBS_NR_SPAM hits, including for Yahoo servers. It seems to me a bit much to apply that and 2.5 points for MTAs from freemails that have mostly ham and some spam -- that's what 1 point for FREEMAIL_FROM is for.

As usual, I look up rules that hit on my ham and think about changing the score, but I can't find it. So: was this rule in trunk or KAM, and was it withdrawn in the last week? Perhaps because of listing Yahoo and maybe others? I didn't find anything about this on the users list.

The other problem on a small number of messages was RCVD_DOTEDU_SHORT. I realize this must have passed masscheck, but getting a message of 1-1.5 kB from an address in .edu is to me not at all suspicious, and 2.5 points is a lot for something likely to appear in legitimate mail. (In my case it was a notification of air conditioning shutdown in a particular building, and that's all there was to say.)

Thanks,
Greg