Hi,

On Mon, May 1, 2017 at 8:44 AM, David Jones <djo...@ena.com> wrote:
> From: Alex <mysqlstud...@gmail.com>
>
>>I also have a few questions about other rules that hit this email as
>>well as some other rules I've come across today that I don't
>>understand. Most of the questions relate to scoring appearing to be
>>very high for the single rule.
>
>> *  1.4 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
>
>>This rule hits messages with an empty body. We receive a lot of mail
>>with invoices, PDF and other attachments with an empty body. Doesn't
>>1.4 points seem a little high just because there is nothing in the
>>body?
>
> I have this same problem and solve it with custom meta rules that
> shortcircuit as ham.  Reputation-based rules mentioned yesterday
> also help with this to subtract points for trusted senders.

You seem a lot less reluctant to whitelist or shortcircuit than I am -
I'm more concerned about allowing PDF spam, then never knowing about
it until it's reported by a user.

I've taken a more conservative, but also more time-consuming approach
by creating rules that subtract a few points with the right
combination.

I was also hoping there was a more general approach that would make
these rules with such high scores less prone to FPs in the first
place, or at least create a greater burden by default before adding
such high scores to rules involving just a regex.

>> *  3.3 MSGID_NOFQDN1 Message-ID with no domain name

This one catches even automated reports generated by HP to many of our
users, as well as a common email fax service. They just don't consider
proper RFC compliance in their shell scripts, and to basically turn it
into spam just for that is unreasonable.

Also unfortunately, they don't comply with SPF or DKIM conventions,
and one might argue simply passing SPF_PASS isn't sufficient for a
meta rule before whitelisting.
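
An added example, not part of the original message and not SpamAssassin's shipped rules: one way to write the "subtract a few points with the right combination" approach for the two rules quoted above, without shortcircuiting. The `LOCAL_` rule names, the domain `example-fax.invalid`, and the offset scores are constructed placeholders; the relay test assumes `trusted_networks` and `internal_networks` are set correctly.

```conf
# local.cf fragment (added example; names, domain and scores are placeholders)

# Sub-rule: at least one MIME part is a PDF (MIMEHeader plugin).
mimeheader __LOCAL_PDF_PART     Content-Type =~ /^application\/pdf\b/i

# Sub-rule: From address is the known automated sender.
header     __LOCAL_FAX_FROM     From:addr =~ /\@example-fax\.invalid$/i

# Sub-rule: the first external relay has rDNS under the sender's domain.
# This stands in for SPF/DKIM, which the sender does not publish; it is
# only as reliable as your trusted_networks/internal_networks settings.
header     __LOCAL_FAX_RELAY    X-Spam-Relays-External =~ /^\[ ip=\S+ rdns=\S+\.example-fax\.invalid /i

# Both identity checks must agree before any offset applies.
meta       __LOCAL_FAX_SENDER   (__LOCAL_FAX_FROM && __LOCAL_FAX_RELAY)

# Partial offset for PYZOR_CHECK (1.4) on attachment-only mail.
meta       LOCAL_FAX_PYZOR      (PYZOR_CHECK && __LOCAL_PDF_PART && __LOCAL_FAX_SENDER)
describe   LOCAL_FAX_PYZOR      Pyzor hit on PDF mail from known fax relay
tflags     LOCAL_FAX_PYZOR      nice
score      LOCAL_FAX_PYZOR      -1.0

# Partial offset for MSGID_NOFQDN1 (3.3) from the same sender.
meta       LOCAL_FAX_MSGID      (MSGID_NOFQDN1 && __LOCAL_FAX_SENDER)
describe   LOCAL_FAX_MSGID      Message-ID without FQDN from known fax relay
tflags     LOCAL_FAX_MSGID      nice
score      LOCAL_FAX_MSGID      -2.0
```

Because the offsets are smaller than the scores they counter and nothing is shortcircuited, a message that also trips other spam rules still accumulates points and stays visible in the report.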
