From: Alex <mysqlstud...@gmail.com>

>I also have a few questions about other rules that hit this email as
>well as some other rules I've come across today that I don't
>understand. Most of the questions relate to scoring appearing to be
>very high for the single rule.

> * 1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
>This rule hits messages with an empty body. We receive a lot of mail
>with invoices, PDF and other attachments with an empty body. Doesn't
>1.4 points seem a little high just because there is nothing in the
>body?

I have this same problem and solve it with custom meta rules that shortcircuit as ham. Reputation-based rules mentioned yesterday also help with this to subtract points for trusted senders.

> * 3.3 MSGID_NOFQDN1 Message-ID with no domain name
>We also receive a lot of email from machine-generated systems that
>don't follow all the rules. Doesn't this also seem high?

Same as above. If the sender is hitting SPF_PASS or DKIM_VALID_AU, then add the envelope-from to a whitelist_auth list.

> * 2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words
>This one appears to happen on very simple messages. People send
>legitimate emails with just "Dear customer, Please find attached a
>copy of your invoice." and an attachment. As likely of a spam
>indicator as it is, it also sends our legitimate messages to the
>quarantine.

Same as above.

> * 1.5 SUBJ_ALL_CAPS Subject is all capitals
>This is another that we see frequently with short subjects with just a
>few capital letters and a date in legitimate email. As I've spent my
>weekend going through the quarantine, I've noticed a significant
>amount of legitimate mail being tagged with these rules.

Same as above.

Dave
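
One way the approach in the reply above could look in a SpamAssassin `local.cf`, added here as an example and not taken from the thread. The sender addresses and the `LOCAL_AUTH_NOISY_HAM` rule name are hypothetical; the directives and stock rule names are SpamAssassin's own.

```conf
# local.cf fragment. Added example; sender addresses and the LOCAL_* rule
# name are hypothetical.

# The Shortcircuit plugin ships with SpamAssassin (normally enabled in v320.pre).
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit

# whitelist_auth applies only after the message is verified as coming from an
# authorized sender for the address (SPF or DKIM), so a forged sender that
# fails both gets no benefit. List only senders you have seen pass.
whitelist_auth invoices@billing.example.com
whitelist_auth *@erp.example.net

# Fires only when an authenticated, listed sender trips one of the four rules
# discussed in the thread. USER_IN_SPF_WHITELIST and USER_IN_DKIM_WHITELIST
# are the stock rules that whitelist_auth triggers (SpamAssassin 4.x calls
# them USER_IN_SPF_WELCOMELIST and USER_IN_DKIM_WELCOMELIST).
meta     LOCAL_AUTH_NOISY_HAM  (USER_IN_SPF_WHITELIST || USER_IN_DKIM_WHITELIST) && (PYZOR_CHECK || MSGID_NOFQDN1 || HTML_IMAGE_ONLY_12 || SUBJ_ALL_CAPS)
describe LOCAL_AUTH_NOISY_HAM  Authenticated listed sender hit a noisy rule

# "ham" stops further scanning and applies shortcircuit_ham_score
# (default -100), priority -100 and tflags "noautolearn nice".
shortcircuit LOCAL_AUTH_NOISY_HAM ham
```

Check the file with `spamassassin --lint` before reloading the daemon.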