On 3/29/2011 2:14 PM, Max wrote: > For a while we were getting spam messages that had images embedded as > text and not an attachment. Those are marked as spam but couldn't the > random characters of the image data increase the entropy of the > database and cause some less than definitive scores? > > That aside. It seems like all my ham is bellow 0 so would changing the > cut off to something like 2.0 be bad practice?
Definitely. All of the stock SA rule scores are designed to flag spam at 5 points. If you go significantly lower than that, you start running the risk of false positives and messages being marked as spam due to single rules (which is usually a bad thing). > > On 03/29/2011 01:06 PM, Max wrote: >> On occasions we will train the .Junk folder and others using sa-learn. >> Also here is an example of spam as requested >> http://www.nomorepasting.com/getpaste.php?pasteid=36037 > That spam scores pretty high for me: X-Spam-Status: Yes, score=11.8 required=5.0 tests=FB_THIS_ADVERT,NO_RECEIVED, NO_RELAYS,RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK, URIBL_DBL_SPAM,URIBL_JP_SURBL autolearn=no version=3.3.1 X-Spam-Report: * 1.7 URIBL_DBL_SPAM Contains an URL listed in the DBL blocklist * [URIs: dailynewdesign.com] * 1.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist * [URIs: dailynewdesign.com] * -0.0 NO_RELAYS Informational: message was not relayed via SMTP * 3.6 FB_THIS_ADVERT BODY: Phrase: this advertiser * 1.7 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) * 2.4 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level * above 50% * [cf: 100] * 0.4 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50% * [cf: 100] * -0.0 NO_RECEIVED Informational: message has no Received headers Granted, most of the hits are network rules... Do you have the network rules active? Are you using Razor or Pyzor? -- Bowie