> for some reason the spam sample at > http://wolfgang.remsnet.de/medspam.txt > is only classified by html rules, and by various dns tests, > but the common drugs and human body part rules missed it. > Anyone would have an idea why this is so? > > I am running 3.0.4 default rules, plus a few SARE ones
Caveat again: I am not a real expert (yet): First, the mail is short so there is less for SpamAssassin to work with, Bayes for instance doesn't kick in for either of us; and you don't seem to be running many network tests if that is all you hit. My score is 29.2 but would only be 4.5 without the network tests. Now, I probably overkill the net tests (RBLs, Pyzor, DCC, Razor, and URIBLs). I will not block directly on any blacklist but I love using them as way to drive the score very high. (Currently I am very pleased with an email server where I am testing using blacklists to DRIVE greylisting tests in front of SpamAssassin -- even if the mail is passed on, the blacklist lookups will all be in the local DNS cache by the time SA runs so it doesn't cost much to do this. The greylisting doesn't show here, but I am planning to try using SpamAssassin to also drive the greylisting -- if spammers have to resend few will do so and it is a LOT safer than auto-deleting high score spam. X-Spam-Status: Yes, score=29.2 required=6.0 tests=BODY_ENHANCEMENT2, DIGEST_MULTIPLE,FB_HARD_ERECTION,HELO_DYNAMIC_IPADDR2,HM_URIBL_SC2_XS, HM_URIBL_SC_DBL,HM_URIBL_SC_XS,HTML_30_40,HTML_MESSAGE,INFO_TLD, MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100, RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, SARE_SUB_BREAKTHRU,URIBL_AB_SURBL,URIBL_BLACK,URIBL_BLOK_MPRHS, URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC2_SURBL, URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL, DIGEST_MULTIPLE, HM_URIBL_SC_DBL, HM_URIBL_SC_XS -- last 2 rules are actually -3.5 & -2.5 = -6 ------ Rules with HM_prefix are my own, the rest are all either stock or probably from SARE (I have about everything available from SARE including aggressive (Ham hitters) but NOT including those that "hit nothing but seem cool".) Scores are down below. As for HTML, I have such rules at the default which are near zero. As to overkill (I worry most about getting the same result, and same false positives from multiple sources -- i.e., for basically the same reason) so I have started writing some negative rules, e.g, where scores are X=2, Y=2, and X && Y = -1 (total 3 instead of 4) to increase the confidence with multiple hits, but not score the complete score for both rules. But so far, I just don't get many false positives due to my aggressive net scoring. (I whitelist very little now -- mostly just lists like this where the conversation is inherently spammy, or things like the X10 newsletter which I just happen to like viewing AND did request originally.) Here are the scores: * 0.3 SARE_SUB_BREAKTHRU subject has likely spammer phrase or word * 0.8 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP * addr 2) * 0.6 FB_HARD_ERECTION BODY: FB_HARD_ERECTION * 0.8 BODY_ENHANCEMENT2 BODY: Information on getting larger body parts * 0.5 INFO_TLD URI: Contains an URL in the INFO top-level domain * 0.1 HTML_30_40 BODY: Message is 30% to 40% HTML * 0.0 HTML_MESSAGE BODY: HTML included in message * 1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts * 1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level * above 50% * [cf: 100] * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level * above 50% * [cf: 60] * 2.0 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% * [cf: 100] * 2.0 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/) * 0.6 URIBL_SBL Contains an URL listed in the SBL blocklist * [URIs: jjplanularch.info] * 2.5 URIBL_BLACK Contains an URL listed in the URIBL blacklist * [URIs: jjplanularch.info] * 4.0 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist * [URIs: jjplanularch.info] * 2.0 URIBL_AB_SURBL Contains an URL listed in the AB SURBL blocklist * [URIs: jjplanularch.info] * 2.0 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist * [URIs: jjplanularch.info] * 2.5 URIBL_BLOK_MPRHS Contains URL from MailPolice BLOCK Combined list * [URIs: jjplanularch.info] * 1.0 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist * [URIs: jjplanularch.info] * 3.2 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist * [URIs: jjplanularch.info] * 3.0 URIBL_XS_SURBL Has URI in XS - Testing * [URIs: jjplanularch.info] * 4.0 URIBL_SC2_SURBL Has URI in SC2 at http://www.surbl.org/lists.html * [URIs: jjplanularch.info] * 1.0 DIGEST_MULTIPLE Message hits more than one network digest check * -3.5 HM_URIBL_SC_DBL Prevent SC-SC2 double score * -2.5 HM_URIBL_SC_XS Prevent SC-XS double score -- Herb Martin