slightly OT: how do i know if i've been poisoned? (Bayes)

Furnish, Trever G TGFurnish at herffjones.com
Mon Oct 23 21:55:56 IST 2006

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Scott Silva
> Sent: Monday, October 23, 2006 12:42 PM
> Subject: Re: slightly OT: how do i know if i've been poisoned? (Bayes)
> 
> > The messages that caused me to start looking are those that all end
> > with "You must to read".  I say it seems like they ought to be caught
> > easily
> <snip>
> Have you thought about just making a custom rule to look for 
> that phrase and add enough score to put it over the threshold 
> without hurting if it fires by itself?
> Something like:
> 
> body BODY_CUSTOM_1         /You must to read/i
> describe BODY_CUSTOM_1             (LOCAL RULE) custom rule 1
> score BODY_CUSTOM_1                1.0
> Nudge the score enough to hit. If you score at 7 and these 
> come in at 5.5 you could add 1.6 or so.

Actually, I ended up doing just that (except I scored it a 10 :-) ).
Just noticed John Rudd's comment about the "untrusted relay
pseudo-header" too -- I'll have a look, time-permitting, and see if that
triggered on all of mine as well.

> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!

How timely.  Over the weekend I had an unusual problem where the bayes
database was causing spamassassin to time out almost every time, which
had the result of causing all mail to be delivered.  Problem started
Friday night, I didn't notice till Sunday night, and in the meantime
2500 mailboxes went without protection.  Suffice to say, people noticed
very quickly this morning that they'd had no spam filtering over the
weekend. :-/  I wiped the bayes db and started over by learning on
archived spam and ham, and suddenly my catch rate has improved
drastically, along with performance.

Hmmm...wonder if I can code up a nagios check based on the rate of spam
detection and trigger an alert if the message flow is over X messages
per minute while the spam percentage is under Y.  My system only handles
inbound mail and that's usually 95% spam...  That'll go on my to-do
list.
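
The Nagios check idea from the message above, sketched as an added example that is not part of the original post: it counts scanned messages and spam hits in a recent window and alerts when flow is high but the spam share is low. The log line patterns, sample lines, function name and thresholds are assumptions to adapt to your own maillog.

```python
import re
from datetime import datetime, timedelta

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes
# Assumed MailScanner syslog line shapes; adjust to what your maillog shows.
BATCH = re.compile(r"New Batch: Scanning (\d+) messages")
SPAM = re.compile(r"Spam Checks: Found (\d+) spam messages")
# Constructed sample: a healthy window, then one where scanning silently fails.
SAMPLE_LOG = """\
Oct 23 09:02:05 mx1 MailScanner[2211]: New Batch: Scanning 50 messages, 412345 bytes
Oct 23 09:02:11 mx1 MailScanner[2211]: Spam Checks: Found 48 spam messages
Oct 23 09:06:05 mx1 MailScanner[2211]: New Batch: Scanning 50 messages, 398211 bytes
Oct 23 09:06:12 mx1 MailScanner[2211]: Spam Checks: Found 47 spam messages
Oct 23 09:22:05 mx1 MailScanner[2211]: New Batch: Scanning 50 messages, 401122 bytes
Oct 23 09:26:05 mx1 MailScanner[2211]: New Batch: Scanning 50 messages, 399004 bytes
Oct 23 09:26:40 mx1 MailScanner[2211]: Spam Checks: Found 1 spam messages
""".splitlines()


def check_spam_rate(lines, now, window_min=10, min_rate=5.0, warn_pct=80.0, crit_pct=50.0):
    """Return (status, text): alert when flow is high but the spam share is low."""
    cutoff = now - timedelta(minutes=window_min)
    total = spam = 0
    for line in lines:
        try:  # syslog timestamps carry no year, so borrow it from `now`
            ts = datetime.strptime(f"{now.year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # not a syslog line
        if not cutoff < ts <= now:
            continue
        if m := BATCH.search(line):
            total += int(m.group(1))
        elif m := SPAM.search(line):
            spam += int(m.group(1))
    rate = total / window_min
    if rate < min_rate:  # too little mail to judge; also avoids dividing by zero
        return OK, f"OK - {rate:.1f} msg/min, below flow threshold"
    pct = 100.0 * spam / total
    text = f"{rate:.1f} msg/min, {pct:.1f}% spam"
    if pct < crit_pct:
        return CRITICAL, f"CRITICAL - {text}"
    if pct < warn_pct:
        return WARNING, f"WARNING - {text}"
    return OK, f"OK - {text}"

if __name__ == "__main__":
    status, text = check_spam_rate(SAMPLE_LOG, datetime(2006, 10, 23, 9, 30))
    print(text)
    raise SystemExit(status)
```

Because a quiet window returns OK, pair this with a separate check that mail is flowing at all, so a stalled queue does not hide behind the flow threshold.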

