>>> On 11/4/2012 at 8:34 AM, Martin Gregorie <mar...@gregorie.org> wrote:
> On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote:
>> >>> On 11/3/2012 at 9:15 PM, "Joseph Acquisto" <j...@j4computers.com> wrote:
>> > Why do these score 0 ?
>> >
>> > http://pastebin.com/U4zFu8wk
>> > http://pastebin.com/MV9KbnbU
>>
> I ran the second one through my testing SA system: it got hits from
> several blacklists together with hits on RDNS_NONE and
> UNPARSEABLE_RELAY:

I have RDNS_NONE 0, and UNPARSEABLE_RELAY 2. I understand 0 to mean "don't test", but don't get why it did not flag UNPARSEABLE_RELAY.

>
> RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL,
> RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL,
> URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL

I'd love to use RBL but understand I can't, as the "last IP" is always the same, as I fetch all mail from a single POP. Perhaps I am missing something?

> though from the looks of it there's little else in its contents that
> should trigger body rules.
>
> Have you considered greylisting? When my ISP turned it on my mail stream
> immediately changed from 80% spam to 95%+ ham.
>
>> I had once asked about a rule that could specify a domain (to ban) in an
>> HTML link in the message body.
>> I don't recall this being entirely successful.
>>
> You can try using the setup I developed to deal with a spam-ridden
> mailing list that linked to a forum - the forum is trivially easy for
> spammers to dump junk into, so they do. However, building this type of
> SA rule can be like playing whack-a-mole until you start to recognise
> patterns in the URLs/domain names/product names/phrases used and begin
> to use a combination of broadly-matching regexes and meta-rules to get
> an acceptable FP rate.
>
> This rule maintenance tool may help you to build and extend them:
> http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz
>

I'll give it a look.

> Martin

joe a.
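
The approach discussed in the thread (a rule that matches a domain in a message link, and broad regexes combined through meta-rules to keep false positives down), sketched as an added SpamAssassin `local.cf` fragment. It is not taken from the thread or from the portmanteau tool; every rule name, domain, phrase and score below is a constructed placeholder.

```conf
# Constructed example for local.cf; names, domains, phrases and scores are placeholders.

# Sub-rules: a name starting with "__" carries no score of its own and
# exists only to be referenced from meta rules.
# "uri" rules are matched against each URI SpamAssassin extracts from the message.
uri       __LOCAL_URI_BAD_DOMAIN  m{^https?://(?:[^/]+\.)?(?:spam-shop|cheap-pills)\.example(?:[/:?]|$)}i
uri       __LOCAL_URI_FORUM       m{^https?://forum\.example\.org/}i

# Broad phrase match in the body, too loose to score by itself.
body      __LOCAL_BODY_PRODUCT    /\b(?:replica\s+watch(?:es)?|discount\s+meds)\b/i

# A link to a banned domain is scored directly.
meta      LOCAL_BAD_LINK          __LOCAL_URI_BAD_DOMAIN
describe  LOCAL_BAD_LINK          Message links to a locally banned domain
score     LOCAL_BAD_LINK          4.0

# The forum link also appears in legitimate list mail, so it only scores
# when the product phrasing is present as well.
meta      LOCAL_FORUM_SPAM        (__LOCAL_URI_FORUM && __LOCAL_BODY_PRODUCT)
describe  LOCAL_FORUM_SPAM        Forum link combined with product phrasing
score     LOCAL_FORUM_SPAM        2.5
```

Running `spamassassin --lint` after editing the file reports syntax errors in the new rules before they reach live mail.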