Bayes Scores

Scott Silva ssilva at SGVWATER.COM
Fri Nov 18 19:21:23 GMT 2005



Information Services spake the following on 11/17/2005 8:11 AM:
> I am running MailScanner-4.47.4-2 and SA 3.1.0 and RDJ with:
> 
> TRUSTED_RULESETS="TRIPWIRE ANTIDRUG EVILNUMBERS BLACKLIST_URI RANDOMVAL
> BOGUSVIRUS SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE SARE_SPOOF
> SARE_BAYES_POISON_NXM SARE_OEM SARE_RANDOM SARE_HEADER_ABUSE
> SARE_SPECIFIC SARE_CODING_HTML SARE_GENLSUBJ SARE_UNSUB SARE_URI0
> SARE_REDIRECT_POST300"
> 
> Lately I have noticed that my Bayes Scores seem to be letting spam
> through.  I have been seeing a lot of negative Bayes Scores on obvious
> spam.  I have read through the mailscanner archives, and have read that
> I should manually feed Bayes spam in order to get better results.   Not
> really sure on how to do this.  Also, I saw a post that said I should
> manipulate the Bayes scores, but the follow up post said it was a bad
> idea b/c it would mess up SA scores.  Here is a message that came
> through today that should have been tagged as spam, but as you can see
> from the log it was sent through clean.
> 
> Nov 17 09:00:50 wks-lin12 sendmail[1318]: jAHF0fQv001318: from=<oznydq at yeah.net>, size=1137, class=0, nrcpts=1, msgid=<BAY10-F236A1BA552DC2A6434D6D0B3200 at BoarderMail.com>, proto=SMTP, daemon=MTA, relay=[222.69.251.4]
> Nov 17 09:00:53 wks-lin12 MailScanner[16837]: Saved archive copies of jAHF0krZ001312 jAHF0fQv001318
> 
> Nov 17 09:01:06 wks-lin12 MailScanner[16837]: Message jAHF0fQv001318 from 222.69.251.4 (oznydq at yeah.net) to lovebox.com is not spam, SpamAssassin (score=-0.133, required 3, ALL_TRUSTED -1.80, BAYES_50 0.00, MSGID_FROM_MTA_HEADER 0.00, SARE_RECV_IP_222064 1.67)
> 
> MailScanner log shows:
> 
> Header:
> 
> Return-Path: <�g>
> Received: from 67.64.17.166 ([222.69.251.4])
>      by mail.lovebox.com (8.13.4/8.13.4) with SMTP id jAHF0fQv001318
>      for <llittle at lovebox.com>; Thu, 17 Nov 2005 09:00:47 -0600
> Return-Path: <AlexanderKing at BoarderMail.com>
> Received: from Bolt-fe3.Bolt.com (mail.Bolt-fe3 [216.74.152.11])
>       by be3 (Cyrus v2.2.10) with LMTPA;
>       Thu, 17 Nov 2005 11:54:40 -0300
> X-Sieve: CMU Sieve 2.2
> Message-ID: <BAY10-F236A1BA552DC2A6434D6D0B3200 at BoarderMail.com>
> Received: from 222.69.251.4 by by10fd.bay10.BoarderMail.com with HTTP;
>      Thu, 17 Nov 2005 16:00:40 +0100
> X-Originating-IP: [222.69.251.4]
> X-Originating-Email: [AlexanderKing at BoarderMail.com]
> X-Sender: AlexanderKing at BoarderMail.com
> From: "College Registration [Llittle]" <AlexanderKing at BoarderMail.com>
> To: llittle at lovebox.com
> Subject: Major Loop hole
> Date: Thu, 17 Nov 2005 16:52:40 +0200
> Mime-Version: 1.0
> Content-Type: text/plain
> 
> Spam Report
> -1.80    ALL_TRUSTED    Did not pass through any untrusted hosts
> 0.00    BAYES_50    Bayesian spam probability is 40 to 60%
> 0.00    MSGID_FROM_MTA_HEADER    Message-Id was added by a relay
> 1.67    SARE_RECV_IP_222064    Spam passed through possible spammer relay
> 
> So, how do I get Bayes to give more accurate scores, and if it is by
> manually feeding it spam, what do I need to do to accomplish this task? 
> 
> 
Your biggest problem is with the "ALL_TRUSTED" settings in spamassassin.
It subtracted 1.8 points because spamassassin is having problems
determining your local network configuration.
You either need to fix the configuration for spamassassin or set the
score to 0 until you can fix it.
Look at http://wiki.apache.org/spamassassin/TrustPath


-- 

/-----------------------\           |~~\_____/~~\__  |
| MailScanner; The best |___________ \N1____====== )-+
| protection on the net!|                   ~~~|/~~  |
\-----------------------/                      ()
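
An added example, not part of the original post: a Python check over MailScanner log lines in the format quoted above that flags messages where ALL_TRUSTED fired although the relay lies outside the site's own networks, and reports the score with that rule removed. The `INTERNAL_NETS` list and the second and third sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Sample input: the first line is the log line quoted in the post; the other
# two are constructed for this example.
SAMPLE_LOG = """\
Nov 17 09:01:06 wks-lin12 MailScanner[16837]: Message jAHF0fQv001318 from 222.69.251.4 (oznydq at yeah.net) to lovebox.com is not spam, SpamAssassin (score=-0.133, required 3, ALL_TRUSTED -1.80, BAYES_50 0.00, MSGID_FROM_MTA_HEADER 0.00, SARE_RECV_IP_222064 1.67)
Nov 17 09:02:10 wks-lin12 MailScanner[16837]: Message jAHF1aaa000001 from 10.0.0.25 (user at example.com) to example.com is not spam, SpamAssassin (score=-1.8, required 3, ALL_TRUSTED -1.80)
Nov 17 09:03:30 wks-lin12 MailScanner[16837]: Message jAHF2bbb000002 from 198.51.100.7 (x at example.net) to example.com is spam, SpamAssassin (score=7.2, required 3, BAYES_99 3.50)
"""

# Assumption: the networks this site really controls (placeholder values).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

LINE_RE = re.compile(
    r"Message (?P<id>\S+) from (?P<relay>\S+) .*?"
    r"SpamAssassin \(score=(?P<score>-?[\d.]+), required (?P<req>[\d.]+), (?P<rules>.*)\)"
)
RULE_RE = re.compile(r"(\w+) (-?\d+\.\d+)")


def find_all_trusted_misfires(log_text, internal_nets=INTERNAL_NETS):
    """Return messages that hit ALL_TRUSTED but arrived from a non-internal relay."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rules = {name: float(val) for name, val in RULE_RE.findall(m["rules"])}
        if "ALL_TRUSTED" not in rules:
            continue
        try:
            relay = ipaddress.ip_address(m["relay"])
        except ValueError:
            continue  # relay logged as something other than an IP address
        if any(relay in net for net in internal_nets):
            continue  # genuinely internal mail: ALL_TRUSTED is expected here
        # A hit here means the trust path is wrong: fix trusted_networks /
        # internal_networks in the SpamAssassin config, or set
        # "score ALL_TRUSTED 0" until that is done.
        score = float(m["score"])
        findings.append({
            "id": m["id"],
            "relay": str(relay),
            "score": score,
            "without_all_trusted": round(score - rules["ALL_TRUSTED"], 3),
            "required": float(m["req"]),
        })
    return findings
```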
