Owen Mehegan wrote:
> Posted this to the wrong/no list (via Nabble) yesterday...
>
> I've seen an uptick in false negatives lately, and the spam that is getting
> through is all the same stuff repeatedly. If anyone would be willing to run
> these samples through their filters and let me know if they get better
> hits, I would appreciate it. There are three at
> http://nerdnetworks.org/spam/

(spam4.txt is inaccessible)

I notice URIBL_BLOCKED hits; check that you're either using your own resolver with less than 100K messages/day, or that you're properly set up for datafeed. Or just disable the uribl.com rules. (We found that while they were usefully increasing our overall catch rate, the increase was not worth the cost of the datafeed [it came out to somewhere between one and five dollars a spam for the ones that the uribl.com hit was key in getting the message tagged], so we disabled the rules.)

Beyond that.... I've started creating very simple rules targeting the Subject and From: name in this type of spam, along with extracting the relay IP and URIs for local DNSBLs. It's moderately effective once I've confirmed enough volume for any given Subject or name to feel it's worth creating a rule...

-kgd
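
The relay-IP and URI extraction mentioned in the reply above, sketched as an added example; it is not part of the original message or the poster's own tooling. The sample message, the function names and the output layout (bare entries for an IP list and a domain list) are assumptions, and only the topmost Received header is trusted, on the assumption that your own MX wrote it.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample (not one of the messages linked in the thread).
SAMPLE = """\
Received: from mail.example.net (unknown [203.0.113.45])
    by mx.local.example (Postfix) with ESMTP id 4ABC123
    for <user@local.example>; Mon, 1 Jan 2024 00:00:00 +0000
Received: from pc ([10.0.0.5]) by mail.example.net with SMTP
From: "Big Savings" <promo@example.net>
Subject: Limited offer
Content-Type: text/plain

Click http://deals.example.org/x?id=1 or https://Deals.Example.org/y now.
"""

BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
URI = re.compile(r"https?://[^\s<>\"'\[\]]+", re.I)


def relay_ip(msg):
    """Connecting IP from the topmost Received header only.

    Assumption: that header was written by your own MX; the ones below it
    are sender-controlled and can be forged.
    """
    for hdr in msg.get_all("Received", [])[:1]:
        for cand in BRACKET_IP.findall(str(hdr)):
            try:
                return str(ipaddress.ip_address(cand))
            except ValueError:
                continue  # bracketed text that is not an IP literal
    return None


def uri_hosts(msg):
    """Lower-cased, de-duplicated hostnames of http(s) URIs in the body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = (urlsplit(u).hostname for u in URI.findall(text))
    return sorted({h for h in hosts if h})


def zone_entries(raw):
    """Candidate entries for a local IP list and a local URI-host list."""
    msg = email.message_from_string(raw, policy=policy.default)
    ip = relay_ip(msg)
    return {"ip": [ip] if ip else [], "uri": uri_hosts(msg)}
```

The second Received header in the sample carries a different bracketed address that is deliberately ignored. Review candidates before listing them, since URI hosts in spam often include legitimate domains.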