I'm confused. Are you saying it's catching the same spam messages you about the same amount?

If they are new messages then it's doing well.


On 12/08/15 12:43, Rick Macdougall wrote:
Hi,

Quick and dirty look.

grep CTYME_IXHASH /var/log/spamd/current | wc
    147    2058   79255

grep RAZOR /var/log/spamd/current | wc
    138    1932   73479

grep RCVD_IN_BL_SPAMCOP_NET /var/log/spamd/current | wc
    196    2744   97495

Almost all CTYME hits had a corresponding RAZOR hit.

Regards,

Rick

On 2015-12-08 3:32 PM, Marc Perkel wrote:
I'd like to get a sense from everyone how well it works. Is it hitting
spam other tests aren't hitting? Are there false positives?

On 12/08/15 05:57, Reindl Harald wrote:


On 08.12.2015 at 14:37, Alex wrote:
On Sun, Dec 6, 2015 at 11:41 PM, Marc Perkel
<supp...@junkemailfilter.com> wrote:
ixhashdnsbl     CTYME_IXHASH ixhash.junkemailfilter.com.
body            CTYME_IXHASH eval:check_ixhash('CTYME_IXHASH')
describe CTYME_IXHASH iXhash found @ ixhash.junkemailfilter.com
tflags          CTYME_IXHASH net
score           CTYME_IXHASH 5

Are all the messages here unsolicited? It appears they are not, but
that isn't what I was expecting.

There are messages from amazon, skype, harryanddavid, coldwatercreek,
etc.

not what i see here, maybe because skype/amazon and many others are
whitelist_auth and so shortcircuit here

we have 38 hits since yesterday evening
most are far above 15 points
that one would not have reached 8.0 without

Dec  8 09:31:45 mail-gw spamd[1339]: spamd: result: Y 9 -
BAYES_99,BAYES_999,HTML_MESSAGE,IXHASH_CHECK,JEF_IXHASH,RCVD_IN_MSPIKE_H2,SPF_SOFTFAIL,USER_IN_MORE_SPAM_TO scantime=2.9,size=22641,user=sa-milt,uid=189,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=/run/spamassassin/spamassassin.sock,mid=<21fc01d13192$d15a3030$740e9090$@search-marketing-services.com>,bayes=1.000000,autolearn=disabled,shortcircuit=no


To score this at 5 relies on bayes00 and pretty much no other spam
rules.

5 is too high

I suppose that could be the same as with DCC/razor, etc, but they're
scored more like 1.7 or even lower.

DCC flags *any* massmail spam or not, hence a no-go here
razor is supposed to work differently

Suggestions for the best way to use this, and what to expect from it,
would be appreciated.

Any idea how much overlap there is with existing DCC/razor entries?

the idea of different digest-services is that when junk hits different
spamtraps and you have more than one hit score it higher than a
possible FP

below how we handle digest services while i renamed it to "JEF_IXHASH"
since we use also the DNSBL/DNSWL for postscreen and spamassassin
heavily and CTYME don't tell me much in logs :-)

the idea is give adaptive 0.5 points for every IXHASH-source, 1.5
points for IX_HASH in general, means 2.0 points out to a maximum of
3.5 points for a message on all 4 sources

"DIGEST_MULTIPLE_LOCAL" replaces "DIGEST_MULTIPLE" and adds another 2.5
points if a message is on IXHASH+PYZOR, IXHASH+RAZOR, RAZOR+PYZOR

given a well trained bayes with -3.5 for BAYES_00 and a milter-reject
of 8.0 in combination with all sorts of scored whitelists currently
that gives a nearly 100% hitrate with zero-to-no FP's

# remote hash services
use_pyzor   1
pyzor_path  /usr/bin/pyzor
score       PYZOR_CHECK               0.5
score       RAZOR2_CHECK              0.5
score       RAZOR2_CF_RANGE_51_100    0.5
score       RAZOR2_CF_RANGE_E4_51_100 1.5
score       RAZOR2_CF_RANGE_E8_51_100 2.0
score       GENERIC_IXHASH            0.5
score       NIXSPAM_IXHASH            0.5
score       SEM_IXHASH                0.5
score       JEF_IXHASH                0.5
ixhashdnsbl JEF_IXHASH ixhash.junkemailfilter.com.
body        JEF_IXHASH eval:check_ixhash('JEF_IXHASH')
describe    JEF_IXHASH                DIGEST: ixhash.junkemailfilter.com
describe    GENERIC_IXHASH            DIGEST: generic.ixhash.net
describe    NIXSPAM_IXHASH            DIGEST: ix.dnsbl.manitu.net
describe    SEM_IXHASH                DIGEST: ixhash.spameatingmonkey.net
meta        IXHASH_CHECK              (GENERIC_IXHASH || NIXSPAM_IXHASH || SEM_IXHASH || JEF_IXHASH)
describe    IXHASH_CHECK              Message hits one ore more IXHASH digest-sources
meta        DIGEST_MULTIPLE_LOCAL     RAZOR2_CHECK + DCC_CHECK + PYZOR_CHECK + IXHASH_CHECK > 1
describe    DIGEST_MULTIPLE_LOCAL     Message hits more than one network digest check (razor, pyzor, ixhash)
score       DIGEST_MULTIPLE_LOCAL     2.5
score       IXHASH_CHECK              1.5
score       DIGEST_MULTIPLE           0







--
Marc Perkel - Sales/Support
supp...@junkemailfilter.com
http://www.junkemailfilter.com
Junk Email Filter dot com
415-992-3400
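
An added example, not written by anyone in this thread: it measures the overlap asked about above per message instead of comparing grep counts, by parsing spamd result lines and reporting how often one digest rule fired alone, alongside other digest rules, and where it probably tipped the message over the threshold. The sample log lines are constructed; the 2.0-point contribution and the 8.0 threshold are taken from the scoring described in the quoted reply, and the function names are hypothetical.

```python
import re

# spamd "result:" line: verdict flag, rounded score, comma-separated rule names.
RESULT = re.compile(
    r"spamd: result: (?P<flag>[Y.]) (?P<score>-?\d+) - (?P<rules>\S*) scantime=")

def parse(lines):
    """Yield (score, set_of_rules) for every spamd result line."""
    for line in lines:
        m = RESULT.search(line)
        if m:
            yield int(m["score"]), set(filter(None, m["rules"].split(",")))

def overlap(lines, rule, others, contribution, threshold):
    """Summarise what `rule` adds beyond the `others` digest rules.

    contribution: points the rule (plus metas it triggers) adds locally.
    threshold:    local score at which mail is rejected or tagged.
    """
    stats = {"hits": 0, "also_other": 0, "only_this": 0, "decisive": 0}
    for score, rules in parse(lines):
        if rule not in rules:
            continue
        stats["hits"] += 1
        if rules & set(others):
            stats["also_other"] += 1
        else:
            stats["only_this"] += 1
        # The logged score is rounded, so "decisive" is an estimate.
        if score >= threshold > score - contribution:
            stats["decisive"] += 1
    return stats

# Constructed sample lines in the layout of the log line quoted in the thread.
SAMPLE = [
    "Dec  8 09:31:45 mail-gw spamd[1339]: spamd: result: Y 9 - BAYES_99,HTML_MESSAGE,IXHASH_CHECK,JEF_IXHASH,SPF_SOFTFAIL scantime=2.9,size=22641",
    "Dec  8 09:40:02 mail-gw spamd[1339]: spamd: result: Y 21 - BAYES_99,JEF_IXHASH,IXHASH_CHECK,RAZOR2_CHECK,PYZOR_CHECK,DIGEST_MULTIPLE_LOCAL scantime=3.1,size=5120",
    "Dec  8 09:52:17 mail-gw spamd[1339]: spamd: result: . -3 - BAYES_00,HTML_MESSAGE scantime=1.2,size=8841",
    "Dec  8 10:05:33 mail-gw spamd[1339]: spamd: result: Y 16 - BAYES_99,RAZOR2_CHECK,RCVD_IN_BL_SPAMCOP_NET scantime=2.2,size=3000",
]

if __name__ == "__main__":
    digests = ["RAZOR2_CHECK", "PYZOR_CHECK", "DCC_CHECK"]
    print(overlap(SAMPLE, "JEF_IXHASH", digests, contribution=2.0, threshold=8.0))
```

A high "also_other" share with few "decisive" hits means the list mostly confirms what razor or pyzor already caught; "only_this" hits are the ones to review by hand for false positives.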
