On 08.12.2015 at 14:37, Alex wrote:
On Sun, Dec 6, 2015 at 11:41 PM, Marc Perkel <supp...@junkemailfilter.com> wrote:

ixhashdnsbl CTYME_IXHASH ixhash.junkemailfilter.com.
body CTYME_IXHASH eval:check_ixhash('CTYME_IXHASH')
describe CTYME_IXHASH iXhash found @ ixhash.junkemailfilter.com
tflags CTYME_IXHASH net
score CTYME_IXHASH 5

Are all the messages here unsolicited? It appears they are not, but that isn't what I was expecting. There are messages from amazon, skype, harryanddavid, coldwatercreek, etc.
not what i see here, maybe because skype/amazon and many others are whitelist_auth and so shortcircuit here
we have 38 hits since yesterday evening, most are far above 15 points
that one would not have reached 8.0 without

Dec 8 09:31:45 mail-gw spamd[1339]: spamd: result: Y 9 - BAYES_99,BAYES_999,HTML_MESSAGE,IXHASH_CHECK,JEF_IXHASH,RCVD_IN_MSPIKE_H2,SPF_SOFTFAIL,USER_IN_MORE_SPAM_TO scantime=2.9,size=22641,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=<21fc01d13192$d15a3030$740e9090$@search-marketing-services.com>,bayes=1.000000,autolearn=disabled,shortcircuit=no
To score this at 5 relies on bayes00 and pretty much no other spam rules.
5 is too high
I suppose that could be the same as with DCC/razor, etc, but they're scored more like 1.7 or even lower.
DCC flags *any* massmail spam or not, hence a no-go here
razor is supposed to work differently
Suggestions for the best way to use this, and what to expect from it, would be appreciated. Any idea how much overlap there is with existing DCC/razor entries?
the idea of different digest-services is that when junk hits different spamtraps and you have more than one hit score it higher than a possible FP
below how we handle digest services while i renamed it to "JEF_IXHASH" since we use also the DNSBL/DNSWL for postscreen and spamassassin heavily and CTYME don't tell me much in logs :-)
the idea is give adaptive 0.5 points for every IXHASH-source, 1.5 points for IX_HASH in general, means 2.0 points out to a maximum of 3.5 points for a message on all 4 sources
"DIGEST_MULTIPLE_LOCAL" replaces "DIGEST_MULTIPLE" and adds another 2.5 points if a message is on IXHASH+PYZOR, IXHASH+RAZOR, RAZOR+PYZOR
given a well trained bayes with -3.5 for BAYES_00 and a milter-reject of 8.0 in combination with all sorts of scored whitelists currently that gives a nearly 100% hitrate with zero-to-no FP's
# remote hash services
use_pyzor 1
pyzor_path /usr/bin/pyzor
score PYZOR_CHECK 0.5
score RAZOR2_CHECK 0.5
score RAZOR2_CF_RANGE_51_100 0.5
score RAZOR2_CF_RANGE_E4_51_100 1.5
score RAZOR2_CF_RANGE_E8_51_100 2.0
score GENERIC_IXHASH 0.5
score NIXSPAM_IXHASH 0.5
score SEM_IXHASH 0.5
score JEF_IXHASH 0.5
ixhashdnsbl JEF_IXHASH ixhash.junkemailfilter.com.
body JEF_IXHASH eval:check_ixhash('JEF_IXHASH')
describe JEF_IXHASH DIGEST: ixhash.junkemailfilter.com
describe GENERIC_IXHASH DIGEST: generic.ixhash.net
describe NIXSPAM_IXHASH DIGEST: ix.dnsbl.manitu.net
describe SEM_IXHASH DIGEST: ixhash.spameatingmonkey.net
meta IXHASH_CHECK (GENERIC_IXHASH || NIXSPAM_IXHASH || SEM_IXHASH || JEF_IXHASH)
describe IXHASH_CHECK Message hits one ore more IXHASH digest-sources
meta DIGEST_MULTIPLE_LOCAL RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK + IXHASH_CHECK > 1
describe DIGEST_MULTIPLE_LOCAL Message hits more than one network digest check (razor, pyzor, ixhash)
score DIGEST_MULTIPLE_LOCAL 2.5
score IXHASH_CHECK 1.5
score DIGEST_MULTIPLE 0
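One way to measure, from your own logs, the overlap between iXhash and the other digest services that this thread asks about. This is an added example, not code from any of the posters: it parses spamd `result:` lines of the form quoted above and counts iXhash hits with and without a razor/pyzor/DCC hit. Rule names are taken from the posted configuration; the sample log lines are constructed.

```python
import re
from collections import Counter

# Rule names as used in the configuration posted in this thread.
IXHASH_SOURCES = {"GENERIC_IXHASH", "NIXSPAM_IXHASH", "SEM_IXHASH", "JEF_IXHASH"}
OTHER_DIGESTS = {"RAZOR2_CHECK", "PYZOR_CHECK", "DCC_CHECK"}

# spamd: result: <Y|.> <score> - <RULE,RULE,...> scantime=...
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - (?P<rules>\S*) scantime=")

def parse_result(line):
    """Return (is_spam, score, set_of_rules), or None for non-result lines."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    rules = {r for r in m.group("rules").split(",") if r}
    return m.group("verdict") == "Y", int(m.group("score")), rules

def digest_overlap(lines):
    """Count iXhash hits alone, together with other digests, and on ham."""
    stats = Counter()
    for line in lines:
        parsed = parse_result(line)
        if parsed is None:
            continue
        is_spam, _score, rules = parsed
        sources = rules & IXHASH_SOURCES
        if not sources:
            continue
        stats["ixhash_hits"] += 1
        key = "ixhash_and_other_digest" if rules & OTHER_DIGESTS else "ixhash_only"
        stats[key] += 1
        if not is_spam:
            stats["ixhash_on_ham"] += 1  # candidates for false-positive review
        stats.update(sources)            # per-source hit counts
    return stats

# Constructed sample lines, modelled on the log line quoted in the thread.
P = "Dec 8 09:31:45 mail-gw spamd[1339]: spamd: result: "
SAMPLE = [
    P + "Y 9 - BAYES_99,HTML_MESSAGE,IXHASH_CHECK,JEF_IXHASH scantime=2.9,size=22641",
    P + "Y 17 - BAYES_99,DIGEST_MULTIPLE_LOCAL,IXHASH_CHECK,JEF_IXHASH,"
        "NIXSPAM_IXHASH,RAZOR2_CHECK scantime=3.1,size=4100",
    P + ". -3 - BAYES_00,GENERIC_IXHASH,IXHASH_CHECK scantime=0.8,size=900",
    P + "Y 12 - BAYES_99,PYZOR_CHECK,RAZOR2_CHECK scantime=1.2,size=1500",
    P + ". 0 -  scantime=0.3,size=300",
]

if __name__ == "__main__":
    for name, count in sorted(digest_overlap(SAMPLE).items()):
        print(f"{name:26} {count}")
```

A high `ixhash_only` share means the iXhash rules carry the verdict on their own, which is where the per-source score matters most; `ixhash_on_ham` lists the messages worth checking by hand before raising it.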