slightly OT: how do i know if i've been poisoned? (Bayes)
John Rudd
jrudd at ucsc.edu
Mon Oct 23 20:27:37 IST 2006
Scott Silva wrote:
> Furnish, Trever G spake the following on 10/20/2006 2:00 PM:
>> Sorry, this is a bit long with some output from sa-learn --dump, but
>> it's probably just simple questions for someone here...
>>
>> Been running with the same Bayes database for a long time, but lately a
>> lot of uncaught messages that seem as though they ought to be caught
>> very effectively using Bayesian techniques have me wondering if I have a
>> problem with my Bayes database.
>>
>> To be honest I have quite a few questions related to SA's Bayes stuff
>> that I should have tracked down answers to sooner. :-(
>>
>> The messages that caused me to start looking are those that all end with
>> "You must to read". I say it seems like they ought to be caught easily
> <snip>
> Have you thought about just making a custom rule to look for that phrase and
> add enough score to put it over the threshold without hurting if it fires by
> itself?
> Something like :
>
> body BODY_CUSTOM_1 /You must to read/i
> describe BODY_CUSTOM_1 (LOCAL RULE) custom rule 1
> score BODY_CUSTOM_1 1.0
> Nudge the score enough to hit. If you score at 7 and these come in at 5.5 you
> could add 1.6 or so.
>
So far, every one of these that I've received at work had an
end-customer-relay-type hostname for the relay. I'm working on a set of
SA rules against the untrusted relay pseudo-header, which
looks like it would have caught every one of them.
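A concrete local.cf fragment that combines the two approaches in this thread, added here as an example and not taken from either poster's configuration: the phrase rule from the quoted reply, plus a header rule against SpamAssassin's X-Spam-Relays-Untrusted pseudo-header, tied together with a meta rule so the real score nudge only lands when both fire. The hostname fragments in the rDNS pattern, the rule names and the scores are illustrative assumptions; the pseudo-header field layout (`[ ip=... rdns=... helo=... by=... ident=... envfrom=... intl=0 id=... auth=... ]`, one bracketed entry per untrusted hop, the hop that handed the mail to the trusted network listed first) is the documented SpamAssassin 3.x format.

```text
# local.cf additions (added example, not the posters' own config)

# 1. The phrase rule from the quoted reply, kept low on its own so a
#    legitimate message that happens to contain the phrase is not tagged.
body     LOCAL_MUST_TO_READ    /\bYou must to read\b/i
describe LOCAL_MUST_TO_READ    (LOCAL RULE) body contains "You must to read"
score    LOCAL_MUST_TO_READ    1.0

# 2. Rule against the untrusted-relay pseudo-header. The leading "^[^\]]+"
#    cannot cross a "]", so the match is confined to the first bracketed
#    entry, i.e. the last untrusted hop before your trusted network.
#    The alternation is an assumed list of end-customer naming conventions
#    (dsl, ppp, dyn, ...); replace it with what you actually see in the
#    Received headers of the messages you want to catch.
header   LOCAL_RELAY_CUSTOMER  X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=\S*(?:dsl|ppp|dyn|dhcp|cable|pool|client)\S* /i
describe LOCAL_RELAY_CUSTOMER  (LOCAL RULE) last untrusted relay has end-customer style rDNS
score    LOCAL_RELAY_CUSTOMER  1.0

# 3. Meta rule: the extra point is only added when both of the above hit.
#    With a threshold of 7.0 and these messages arriving around 5.5, the
#    1.0 + 1.0 + 1.0 = 3.0 total pushes them over, while neither single
#    rule can do it alone.
meta     LOCAL_MUST_TO_READ_CUSTOMER (LOCAL_MUST_TO_READ && LOCAL_RELAY_CUSTOMER)
describe LOCAL_MUST_TO_READ_CUSTOMER (LOCAL RULE) phrase plus end-customer relay
score    LOCAL_MUST_TO_READ_CUSTOMER 1.0
```

Run `spamassassin --lint` after adding the rules, and feed one of the offending messages through `spamassassin -D -t` to confirm which hop ends up first in X-Spam-Relays-Untrusted; if trusted_networks or internal_networks is wrong, the "first untrusted hop" will be one of your own relays and the header rule will never fire. Note also that rdns= is empty when the sending IP has no reverse DNS, so a hostname pattern like this catches only relays that do have a customer-style PTR record, and a broad alternation can match small legitimate mail servers on residential lines, which is why the score stays modest and the meta rule carries the weight.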