From: Alex <mysqlstud...@gmail.com>

>I also have a few questions about other rules that hit this email as
>well as some other rules I've come across today that I don't
>understand. Most of the questions relate to scoring appearing to be
>very high for the single rule.

> *  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)

>This rule hits messages with an empty body. We receive a lot of mail
>with invoices, PDF and other attachments with an empty body. Doesn't
>1.4 points seem a little high just because there is nothing in the
>body?

I have this same problem and solve it with custom meta rules that
shortcircuit as ham.  Reputation-based rules mentioned yesterday
also help with this to subtract points for trusted senders.

> *  3.3 MSGID_NOFQDN1 Message-ID with no domain name

>We also receive a lot of email from machine-generated systems that
>don't follow all the rules. Doesn't this also seem high?

Same as above.  If the sender is hitting SPF_PASS or DKIM_VALID_AU,
then add the envelope-from to a whitelist_auth list.

> *  2.1 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

>This one appears to happen on very simple messages. People send
>legitimate emails with just "Dear customer, Please find attached a
>copy of your invoice." and an attachment. As likely of a spam
>indicator as it is, it also sends our legitimate messages to the
>quarantine.

Same as above.

> *  1.5 SUBJ_ALL_CAPS Subject is all capitals

>This is another that we see frequently with short subjects with just a
>few capital letters and a date in legitimate email. As I've spent my
>weekend going through the quarantine, I've noticed a significant
>amount of legitimate mail being tagged with these rules.

Same as above.

Dave
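
Added example, not taken from Dave's message or from SpamAssassin's shipped rules: a local.cf fragment showing the two approaches the reply describes, an authenticated whitelist entry and a custom meta rule that short-circuits as ham. The address, domain, score and LOCAL_* rule names are constructed placeholders, and the Shortcircuit plugin is assumed to be enabled with loadplugin.

```conf
# Constructed sender address. whitelist_auth only takes effect when the
# message also passes SPF or DKIM, so a forged sender gains nothing.
whitelist_auth billing@invoices.example.com

# Hypothetical local rules for one known machine-generated sender.
# SPF_PASS validates the envelope sender, not the From: header, so the
# From:-based match below is paired with DKIM_VALID_AU (a valid
# signature from the author's own domain).
header   __LOCAL_FROM_INVOICES  From:addr =~ /\@invoices\.example\.com$/i
meta     LOCAL_TRUSTED_INVOICE  (__LOCAL_FROM_INVOICES && DKIM_VALID_AU)
describe LOCAL_TRUSTED_INVOICE  Known invoicing sender with valid author-domain DKIM
score    LOCAL_TRUSTED_INVOICE  -3.0

ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
  # Evaluate early and stop scanning as ham once the meta rule hits, so
  # PYZOR_CHECK, MSGID_NOFQDN1 and similar rules never get to add points.
  priority     LOCAL_TRUSTED_INVOICE  -500
  shortcircuit LOCAL_TRUSTED_INVOICE  ham
endif
```

Run `spamassassin --lint` after editing local.cf to catch syntax errors before the change goes live.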
