On Sat, 2009-06-06 at 10:48 -0700, Rich Shepard wrote:
> Now that the EMPTY_BODY and mis-identified spam issues have been resolved
> I've encountered a new one creating false positives: the rule (in
> /etc/mail/spamassassin/Botnet.cf) is:

This is a third-party plugin, deliberately installed by you.

> describe        BOTNET                  Relay might be a spambot or virusbot
> header          BOTNET                  eval:botnet()
> score           BOTNET                  5.0

This is a custom score. Generally, consensus is that no single rule in
SA should be able to single-handedly flag a mail as spam. That means,
use a score lower than your required_score threshold.

Yes, I do realize (IIRC) that it actually is the Botnet plugin default.
However, it also offers a fine-grained scoring approach with more rules
and lower scores each.


With any custom rule-set, it's definitely the admin's duty to score it
appropriately, and to tune to their specific mail stream. After all, you
already "tuned" SA by installing the rule-set in the first place.

Given your previous thread, my advice is to seriously go through your
entire custom settings, and carefully review them.


>    I've read Botnet.txt but I've no clue what to do to reduce the number of
> false positives. I could include a specific example that came today from a
> client via his Crackberry, if that would help.

If it hits too often on ham for you, it isn't what you want.

  guenther


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
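
One way to run the review suggested above over a config file, as an added example that is not part of the original message: it lists every rule whose score alone reaches required_score. The sample config is constructed (only the BOTNET lines come from the thread), the LOCAL_EXAMPLE_* rule names are hypothetical, and relative "(n.n)" score adjustments are skipped.

```python
DEFAULT_REQUIRED = 5.0  # SpamAssassin's stock required_score

# Constructed sample config; the BOTNET lines are the ones quoted in the thread,
# the LOCAL_EXAMPLE_* rules are hypothetical.
SAMPLE_CF = """\
required_score  5.0
describe        BOTNET                  Relay might be a spambot or virusbot
header          BOTNET                  eval:botnet()
score           BOTNET                  5.0
score           LOCAL_EXAMPLE_A         1.5
score           LOCAL_EXAMPLE_B         0.5 1.0 4.9 5.5   # one value per scoreset
score           LOCAL_EXAMPLE_C         (2.0)             # relative form, skipped
"""


def audit_scores(cf_text):
    """Return (required_score, [(rule, highest_score), ...]) for every rule
    that can mark a message as spam without help from any other rule."""
    required = DEFAULT_REQUIRED
    scores = {}
    for raw in cf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "required_score":
            required = float(fields[1])
        elif len(fields) >= 3 and fields[0] == "score":
            try:
                values = [float(v) for v in fields[2:]]
            except ValueError:
                continue  # relative "(n.n)" adjustment: needs the base score
            # A score line carries one value or one per scoreset; the highest
            # one is the worst case. A later line for the same rule overrides.
            scores[fields[1]] = max(values)
    flagged = sorted((rule, s) for rule, s in scores.items() if s >= required)
    return required, flagged


if __name__ == "__main__":
    required, flagged = audit_scores(SAMPLE_CF)
    for rule, s in flagged:
        print(f"{rule}: {s} >= required_score {required}")
```
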
