On Sat, 2009-06-06 at 10:48 -0700, Rich Shepard wrote:
> Now that the EMPTY_BODY and mis-identified spam issues have been resolved
> I've countered a new one creating false positives: the rule (in
> /etc/mail/spamassassin/Botnet.cf is:

This is a third-party plugin, deliberately installed by you.

> describe BOTNET Relay might be a spambot or virusbot
> header BOTNET eval:botnet()
> score BOTNET 5.0

This is a custom score. Generally, consensus is that no single rule in
SA should be able to single-handedly flag a mail as spam. That means,
use a score lower than your required_score threshold.

Yes, I do realize (IIRC) that it actually is the Botnet plugin default.
However, it also offers a fine-grained scoring approach with more rules
and lower scores each.

With any custom rule-set, it's definitely the admin's duty to score it
appropriately, and to tune to their specific mail stream. After all, you
already "tuned" SA by installing the rule-set in the first place.

Given your previous thread, my advice is to seriously go through your
entire custom settings, and carefully review them.

> I've read Botnet.txt but I've no clue what to do to reduce the number of
> false positives. I could include a specific example that came today from a
> client via his Crackberry, if that would help.

If it hits too often on ham for you, it isn't what you want.

  guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
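Added example, not part of the original message and not SpamAssassin or Botnet plugin code: a small audit of the kind of review suggested above, listing every rule whose score alone reaches `required_score`. The sample config is constructed; the BOTNET lines are the ones quoted in the thread, while the `required_score` line and `LOCAL_EXAMPLE_RULE` are assumptions made for the demonstration.

```python
DEFAULT_REQUIRED_SCORE = 5.0  # SpamAssassin's stock threshold when none is set

# Constructed sample: BOTNET lines as quoted in the message; the rest is made up.
SAMPLE_CF = """\
required_score 5.0
describe BOTNET Relay might be a spambot or virusbot
header BOTNET eval:botnet()
score BOTNET 5.0
score LOCAL_EXAMPLE_RULE 0.5 1.2 0.5 1.2   # hypothetical rule, four score sets
"""


def audit_scores(cf_text):
    """Return (threshold, [(rule, highest_score), ...]) for rules that can
    flag a message as spam without help from any other rule."""
    threshold = DEFAULT_REQUIRED_SCORE
    scores = {}
    for raw in cf_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(parts) < 2:
            continue
        if parts[0] == "required_score":
            threshold = float(parts[1])
        elif parts[0] == "score" and len(parts) >= 3:
            try:
                # One value, or four values (one per score set).
                values = [float(v) for v in parts[2:]]
            except ValueError:
                continue  # relative "(n.n)" adjustments are not evaluated here
            scores[parts[1]] = values  # a later line overrides an earlier one
    flagged = sorted(
        (name, max(vals)) for name, vals in scores.items() if max(vals) >= threshold
    )
    return threshold, flagged


if __name__ == "__main__":
    limit, offenders = audit_scores(SAMPLE_CF)
    for name, value in offenders:
        print(f"{name}: score {value} reaches required_score {limit} on its own")
```

To review a real installation, pass the concatenated text of the local `.cf` files instead of `SAMPLE_CF`.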