double rules hits?

Fri, 30 May 2008 13:18:50 -0700 

I have been seeing several occasions where two rules hit for the same
underlying issue, and it seems that this isn't really desired.

Example 1: I got ham that had a line with

  dig [some.isp.name.].isphosts.junkemailfilter.com

in it.  It seems giving it 2.3 points for SPOOF_COM2COM is fair, but
that turns out to be 4.3 because SPOOF_COM2OTH gets 2.0.  This ended up
as a FP because I filter to spam folder at 1, preferring to misclassify
some list mail to keep my inbox as clean as I can.


X-Spam-Status: Yes, score=1.7 required=1.0 tests=AWL,BAYES_00,HTML_MESSAGE,
        SPOOF_COM2COM,SPOOF_COM2OTH autolearn=no version=3.2.4
X-Spam-Report: 
        *  2.0 SPOOF_COM2OTH URI: URI contains ".com" in middle
        *  2.3 SPOOF_COM2COM URI: URI contains ".com" in middle and end
        * -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
        *      [score: 0.0000]
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 AWL AWL: From: address is in the auto white-list

Example 2: blacklists

Here, the mail is spam from a bad source, but with two lists more or
less claiming this it doesn't seem quite right to add the scores.  In
this case spamcop says the machine has sent spam, and spamhaus that it's
in XBL for being a compromised box.

X-Spam-Status: Yes, score=3.6 required=1.0 tests=AWL,BAYES_50,HTML_MESSAGE,
        RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL,RDNS_NONE autolearn=spam 
version=3.2.4
X-Spam-Report: 
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5676]
        *  4.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in 
bl.spamcop.net
        *      [Blocked - see <http://www.spamcop.net/bl.shtml?123.142.103.19>]
        *  3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
        *      [123.142.103.19 listed in zen.spamhaus.org]
        *  0.1 RDNS_NONE Delivered to trusted network by a host with no rDNS
        * -3.6 AWL AWL: From: address is in the auto white-list



So, I realize this would be complicated, but I wonder about having a
score combining function for tests that are making essentially the same
claim.  Perhaps the 4 and 3 above should combine to 5, and the
SPOOF_COM2* should just be 2.3.

Reply via email to