Doc for score explanations?

Matt Kettler mkettler at evi-inc.com
Mon Oct 16 21:45:12 IST 2006


Rob Morin wrote:
> Hello all... more and more recently i have been asked by clients why
> emails are getting marked as SPM. I tell them well maybe because of this
> and that, that use to work ok, but now they want to know why exactly an
> email was marked as spam... here is an example....
> 
> Oct 16 15:28:17 peter MailScanner[5660]: Message 1920269005F.5C45D from
> 207.99.47.70 (dplatt at domain2.com) to domain.com is spam, SpamAssassin
> (score=12.46, required 4, BAYES_60 1.00, FB_4WORD_DOLLARe 0.85,
> FB_SINGLE_0WORD 0.34, FB_SINGLE_1WORD 1.01, FB_WORD1_END_DOLLAR 1.39,
> FB_WORD2_END_DOLLAR 1.39, FB_WORD_01DOLLAR1 0.60, FM_MULTI_ODD2 1.10,
> FM_MULTI_ODD3 0.70, FM_MULTI_ODD4 0.70, FM_MULTI_ODD5 0.90,
> OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37)
> 
> So what do i tell the client?  There must be some docs or list to read
> against to figure out why its getting marked as spam....


It got marked as spam largely because of your add-on rulesets.

Most of those FB_* rules come from
http://www.rulesemporium.com/rules/88_FVGT_body.cf

And the rest come from
http://www.rulesemporium.com/rules/99_FVGT_meta.cf


So perhaps a better question is, if you don't know already know exactly what
these rules do, why did you add them?

I'm quite well versed in SA, but I do not know what these sets do, other than
that Fred Tarasevicius wrote them.

I can tell you from looking at the rulefiles:

FB_SINGLE_1WORD appears to look for a shortish word (8 chars max) with a 1
roughly in the middle.

FB_SINGLE_0WORD is similar, but looks for a 0, allows $ signs in the second
half, and has a 7 character limit.

FB_4WORD_DOLLARe appears to look for a word (13 chars max) with a dollar-sign in
the middle, but excludes Micro$oft.

My guess is this ruleset would tear the hell out of any email with programmer's
source code in it, or anything containing lots of mixed alphanumeric "id"
strings. (ie: reports using a lot of abbreviations)

A default SA install would have ranked this with a score of 3.47 (BAYES_60 1.00,
OBSCURED_EMAIL 2.10, UPPERCASE_50_75 0.37)



> Did i confuse anyone?
> p.s. the original domain name has been change to conceal the innocent
> :)
> 
> 



More information about the MailScanner mailing list