Thank you Adam, I have been working hard in learning a lot of things about antispam rules and I appreciate all the inputs that the list is giving to me.
I use MailScanner to check on my emails and I have not yet found a way to train Bayes, I will check on that. In the meantime, I have learned not to check in "ALL" headers, I have redefined my first rules and now I have seen a better approach on what I am doing, still need a lot more input from experts, :)

Regards,

Sergio

On Tue, Nov 29, 2011 at 2:21 PM, Adam Katz <antis...@khopis.com> wrote:

> Summary for the impatient:
> Do not write rules like this.
> Instead, train Bayes, make sure you're using DNSBLs.
>
> On 11/25/2011 09:49 AM, Sergio wrote:
> > I wrote all the HELO spammers that SA didn't catch
> ...
> > header CHARLY_RULE1 ALL =~ /(...)/i
> > describe CHARLY_RULE1 Charly Spammers
> > score CHARLY_RULE1 11
>
> Given the description in your email, that should probably be:
>
> header CHARLY_RULE1 X-Spam-Relays-Untrusted =~ / helo=(?:...) /i
> describe CHARLY_RULE1 A custom list of uncaught relay HELOs
> score CHARLY_RULE1 4
>
> You should be *very* careful about scoring any individual rule at or
> above the spam flagging threshold (default is 5, do not lower). There
> is almost always a better (and safer!) solution.
>
> > My concern is, is it too much for just one rule, or can the rule grow
> > without limit?
>
> Let's just say you don't need to worry about that. We have several 150+
> character rules on SA's trunk and I've seen rules with regexp lengths in
> the thousands (not that that's necessarily a good thing, but it does
> work, albeit slowly).
>
>
> Still, this seems like a really bad idea; one hammy HELO in there and
> the whole thing starts hurting. I think you'll be *far* better served
> by training bayes.
>
> You should also double check to ensure your DNS lookups are properly
> configured and plugins like Razor are turned on. We don't have the best
> of resources to walk you through this, but you can start with
> http://wiki.apache.org/spamassassin/DnsBlocklists#Questions_And_Answers
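
An added illustration of the two rule shapes quoted above (not code from the thread or from SpamAssassin): a Python simulation of why matching ALL headers at score 11 flags a legitimate message, while matching only the `helo=` field at score 4 does not. The HELO names, sample messages, base scores and the reduced field set of the relay pseudo-header are constructed assumptions.

```python
import re

# Constructed HELO names; the thread elides the real list as "(...)".
BAD_HELOS = ["mail.bulk-sender.example", "smtp.promo-blast.example"]
ALT = "|".join(re.escape(h) for h in BAD_HELOS)

RULE_ALL = (re.compile(rf"({ALT})", re.I), 11.0)           # original: any header, score 11
RULE_HELO = (re.compile(rf" helo=(?:{ALT}) ", re.I), 4.0)  # revised: helo= field only, score 4
THRESHOLD = 5.0  # default flagging threshold cited in the thread


def relays_untrusted(relays):
    """Simplified X-Spam-Relays-Untrusted: one '[ k=v ... ]' group per relay."""
    return " ".join(f"[ ip={ip} rdns={rdns} helo={helo} by={by} ]"
                    for ip, rdns, helo, by in relays)


def score(msg, rule, use_all):
    """Return the base score plus the rule's score if it fires on its target text."""
    regex, points = rule
    target = msg["raw_headers"] if use_all else relays_untrusted(msg["relays"])
    return msg["base"] + (points if regex.search(target) else 0.0)


def is_spam(msg, rule, use_all):
    return score(msg, rule, use_all) >= THRESHOLD


# Constructed messages: "base" is the score contributed by all other rules.
SPAM = {"base": 2.5,
        "raw_headers": "Received: from mail.bulk-sender.example ([203.0.113.9]) by mx.rcpt.example\n"
                       "Subject: Limited offer",
        "relays": [("203.0.113.9", "", "mail.bulk-sender.example", "mx.rcpt.example")]}
HAM = {"base": 0.3,  # a postmaster merely mentions the host in the Subject
       "raw_headers": "Received: from mail.friend.example ([198.51.100.7]) by mx.rcpt.example\n"
                      "Subject: Re: blocking mail.bulk-sender.example",
       "relays": [("198.51.100.7", "mail.friend.example", "mail.friend.example", "mx.rcpt.example")]}

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("ham", HAM)):
        print(name, "ALL/11:", is_spam(msg, RULE_ALL, True),
              "HELO/4:", is_spam(msg, RULE_HELO, False))
```

The space-delimited ` helo=(?:...) ` form also avoids substring hits: a relay whose HELO merely begins with a listed name does not match, and at score 4 the rule needs other evidence before a message crosses the threshold.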