small spam score

Matt Kettler mkettler at EVI-INC.COM
Thu Feb 10 21:19:57 GMT 2005


At 04:00 PM 2/10/2005, David Curtis wrote:
>I am still playing with spam scores. I had this e-mail make it through.
>The score is correct but I would consider this spam. I would think that
>an e-mail like this would make a higher score. Any advice would be
>welcome.
>
>SpamCheck: not spam, SpamAssassin (score=3.214,
>         required 4.5, BAYES_00 0.60, HTML_30_40 0.02, HTML_MESSAGE 0.00,
>         MIME_QP_LONG_LINE 0.34, MISSING_MIMEOLE 0.01,
>         RCVD_IN_BSP_TRUSTED 2.22, TO_ADDRESS_EQ_REAL 0.03)

Really, everything in that header would suggest the message should be very
strong non-spam.

Is your system heavily corrupted?

RCVD_IN_BSP_TRUSTED should have a negative score as it is a whitelist of
legitimate mailers who are willing to pay cash if their subscribers
complain to bonded sender about spamming.

BAYES_00 should have a negative score.

1) Are you positive it really is spam? It really looks like a legitimate
subscriber-only newsletter to me. If it really is spam, file an abuse
complaint with BondedSender.com right away. (see "report abuse" all the way
at the bottom of the left column on their website.) Why is your BSP_TRUSTED
rule set to a positive score anyway? Have you had frequent FP problems here
and set it positive as a reaction? Is your trusted_networks set correctly?

2) If it really is spam, why is it hitting BAYES_00? Is your bayes DB
corrupt or mistrained? It looks like someone hand-overrode it to a
positive score. If you're having to do something that extreme to avoid
large numbers of FNs, you've got big problems in your bayes DB and you
should consider just turning it off entirely, or wiping and starting fresh.

You might also want to consider modifying the
bayes_auto_learn_threshold_nonspam to something lower than the default.
From the looks of how you've scored BAYES_00 you've got poisoning problems.


You really should not be seeing either BSP_TRUSTED or BAYES_00 in spam
aside from a rare few. If these are common in spam, you may need to do some
more detailed examination of your setup.
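
The check described in the reply above, as an added example that is not part of the original post: it parses a MailScanner SpamCheck header and reports rules that the reply says should score negative but are adding points. The function names and `HAM_RULES` set are hypothetical, and the sample header is constructed from the one quoted in the thread.

```python
import re

# Constructed sample: the header quoted in the thread, line wraps rejoined.
SAMPLE = (
    "SpamCheck: not spam, SpamAssassin (score=3.214, required 4.5, "
    "BAYES_00 0.60, HTML_30_40 0.02, HTML_MESSAGE 0.00, "
    "MIME_QP_LONG_LINE 0.34, MISSING_MIMEOLE 0.01, "
    "RCVD_IN_BSP_TRUSTED 2.22, TO_ADDRESS_EQ_REAL 0.03)"
)

# Assumption: only the two rules the reply names as "should be negative".
HAM_RULES = {"BAYES_00", "RCVD_IN_BSP_TRUSTED"}

REPORT_RE = re.compile(r"\(score=(-?[\d.]+),\s*required (-?[\d.]+)(.*)\)")
RULE_RE = re.compile(r"([A-Z][A-Z0-9_]*) (-?\d+(?:\.\d+)?)")


def parse_spamcheck(header):
    """Return (score, required, {rule: points}) from a SpamCheck header."""
    header = " ".join(header.split())  # undo folding from mail line wraps
    m = REPORT_RE.search(header)
    if not m:
        raise ValueError("no SpamAssassin report found in header")
    rules = {name: float(val) for name, val in RULE_RE.findall(m.group(3))}
    return float(m.group(1)), float(m.group(2)), rules


def audit(header):
    """Flag ham-indicator rules that are contributing a positive score."""
    score, required, rules = parse_spamcheck(header)
    inverted = {r: s for r, s in rules.items() if r in HAM_RULES and s > 0}
    total = sum(inverted.values())
    return {
        "score": score,
        "required": required,
        "inverted": inverted,                  # rules scored the wrong way
        "inverted_total": round(total, 2),     # points they add to the score
        "score_without_inverted": round(score - total, 3),
    }


if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the quoted header, most of the 3.214 total comes from the two rules that are supposed to indicate non-spam, which is the misconfiguration the reply points at.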
