Bayes and spam increase?

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Wed Feb 9 09:33:49 GMT 2005


Jeff

there's some good rules on www.rulesemporium.com than deal with bayes
posoining attacks...

I also use the following in my local.cf

## look for strings of randoms words with no punctuation..
rawbody  CP_RANDOMWORD_10
/(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){10}/
describe CP_RANDOMWORD_10       string of 10+ random words
score    CP_RANDOMWORD_10       0.5

rawbody  CP_RANDOMWORD_15
/(?:\b(?!(?:from|even|more|were|with)\b)[a-z]{4,12}\s+){15}/
describe CP_RANDOMWORD_15       string of 15+ random words
score    CP_RANDOMWORD_15       2.5

uri BAYES_BUSTER /rx359|2004hosting|530000X|openseed|er5hdh|quickforms/i
describe BAYES_BUSTER Trying to bypass BAYES
score BAYES_BUSTER 10.0



--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


Jeff A. Earickson wrote:
> This sounds like the "bayes poisoning" issue that has been discussed
> numerous times on this list.  I've kept the following in my
> spam.assassin.prefs.conf file:
>
> score BAYES_00 0 0 -0.05 -0.05
> score BAYES_01 0 0 -0.04 -0.04
> score BAYES_10 0 0 -0.03 -0.03
> score BAYES_20 0 0 -0.02 -0.02
> score BAYES_30 0 0 -0.01 -0.01
>
> I don't trust Bayes enough to let it substantially lower a score --
> only to increase a score.
>
> Jeff Earickson
> Colby College
>
> On Mon, 7 Feb 2005, Magda Hewryk wrote:
>
>> Date: Mon, 7 Feb 2005 13:22:41 -0500
>> From: Magda Hewryk <MHewryk at SYMCOR.COM>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: Bayes and spam increase?
>>
>> Yes, I've got a lot  untagged spam email on the weekend.  I found
>> BAYES_00
>> -2.60 attached to all of them.
>>
>>
>> Thanks,
>>
>> Magda
>>
>>
>>
>>             Matt Kettler
>>             <mkettler at EVI-INC
>>             .COM>                                                      To
>>             Sent by:                  MAILSCANNER at JISCMAIL.AC.UK
>>             MailScanner                                                cc
>>             mailing list
>>             <MAILSCANNER at JISC                                     Subject
>>             MAIL.AC.UK>               Re: Bayes and spam increase?
>>
>>
>>             02/07/2005 11:23
>>             AM
>>
>>
>>             Please respond to
>>                MailScanner
>>               mailing list
>>             <MAILSCANNER at JISC
>>                MAIL.AC.UK>
>>
>>
>>
>>
>>
>>
>> At 10:43 AM 2/7/2005, Fractal IT Dept. wrote:
>>
>>> Hi everyone!
>>>
>>> We've noticed an increase in the number of spam sneaking through with
>>> scores "just under" our threshold. After looking through the headers for
>>> these messages, I've noticed that bayes seems to have "no opinion" on
>>> the
>>> majority of these (ie. no bayes entry). Am I missing something? I
>>> thought
>>> bayes would score every message?
>>
>>
>> That's not entirely true, especially for the 2.6 series.. in 2.6x or
>> 2.5x,
>> In those any "no matches" or other 50/50 chance does not get a BAYES_
>> rule
>> match.
>>
>> Can you tell us what version of SpamAssassin you are using?
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>> ------------------------ MailScanner list ------------------------
>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.

**********************************************************************

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!




More information about the MailScanner mailing list