On Sat, 12 Dec 2015, Sebastian Arcus wrote:
On 12/12/15 18:21, John Hardin wrote:
On Sat, 12 Dec 2015, Sebastian Arcus wrote:
> One of my servers received a spam message which SA missed, with the
> following report:
>
> -0.4 AWL AWL: Adjusted score from AWL reputation of
> From: address
>
> After learning the messages as spam into bayes with sa-learn, I get the
> following report:
>
> -6.1 AWL AWL: Adjusted score from AWL reputation of
> From: address
>
>
> Luckily the message is now flagged as spam because I have manually
> turned up the score on my BAYES_99 and BAYES_999 awhile ago. But what
> intrigues me is that now the AWL module gives it a -6.1 score. Why would
> AWL now tilt things heavily towards ham, after the message has just been
> learned as spam? It seems to be making things worse instead of better.
> Unless I am misunderstanding what AWL is supposed to be doing?
You are. The name is misleading. AWL is more a score averager than a
whitelist. It's intended to allow for the occasionally spammy-looking
email from a historically hammy sender (and vice versa).
It has nothing to do with training, which only affect Bayes.
Messages from that sender will get negative AWL scores for a while until
their traffic history becomes more on the "spam" side.
OK - that's kind of what I assumed. What I don't understand is why the AWL
score changes after the message has been learned into the Bayes database -
and by so much?
It's not that you trained it into Bayes, but that SA had previously only
seen email from that source address that was scored as ham. I'm assuming
that's the first message you got from that source address? So their entire
AWL history is 100% hammy based on the original FN.
You scan the message again, it scores as spammy now for whatever reason;
SA checks the AWL history for that sender address and sees "100% hammy"
and generates a partially-ofsetting negative score.
As that sender's AWL history shifts from "100% hammy" towards "99% spammy"
(assuming you ever get mail from that address again) the offsetting score
will head towards zero. I don't *think* AWL will generate positive scores
for spams from a historically spammy sender (i.e. I think AWL is purely to
offset the raw score for anomalies), so you should see AWL scores stop
once their history is "mostly spammy".
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you are "fighting for social justice," then you are defining
yourself as someone who considers regular old everyday
*equal* justice to be something you don't want. -- GOF at TSM
-----------------------------------------------------------------------
3 days until Bill of Rights day
