false positives on rule "FM_RATSIGN_1106" and what to do?
Scott Silva
ssilva at sgvwater.com
Tue May 29 22:23:52 IST 2007
Hugo van der Kooij spake the following on 5/29/2007 1:11 PM:
> On Tue, 29 May 2007, Scott Silva wrote:
>
>> Chris Yuzik spake the following on 5/29/2007 12:30 PM:
>>> Hi,
>>>
>>> Suddenly, I'm seeing quite a number of false positives on the rule
>>> "FM_RATSIGN_1106" that gets a whopping 3.8 points. I've tried to figure
>>> out what exactly it's hitting on, but the only thing I found was:
>>>
>>> ##{ FM_RATSIGN_1106
>>> meta FM_RATSIGN_1106 (__MSGID_VGA && __DATE_700)
>>> describe FM_RATSIGN_1106 Fingerprint seen in lots of spam. 11/2006
>>> ##} FM_RATSIGN_1106
>>>
>>> I think I need to set this rule down to 0.01 for now, or does someone
>>> have a better suggestion?
>>>
>>> Thanks
>>>
>> It looks at messages that hit both MSGID_VGA and DATE_700
>> Message-ID =~ /^<000001c[67]/ and date is -7 hours
>
> Just out of curiosity. What is the significance of this particular
> message ID or this difference in timezones? I have to admit I get a
> shitload of spam from the USA and some of the US states are -7 hours
> from my timezone. But I fail to see the logic of this construct at the
> moment.
>
> Hugo.
>
I didn't write the rule, and have no idea what it is trying to do. I just
grep'd through the rules and read the results.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
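
The meta-rule logic discussed in this thread, as an added example that is not part of the original posts or of the SpamAssassin rule set: a Python check that reports which of the two conditions each message hits, so the senders behind the false positives can be traced. The regex is the one quoted above; reading "date is -7 hours" as a Date header offset of -0700 is an assumption, and all sample headers are constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_tz

# Message-ID pattern as quoted in the thread for MSGID_VGA.
MSGID_VGA = re.compile(r"^<000001c[67]")
# Assumption: DATE_700 means the Date header carries a -0700 UTC offset.
DATE_700_OFFSET = -7 * 3600


def subrule_hits(raw):
    """Return (msgid_hit, date_hit, meta_hit) for one raw message."""
    msg = message_from_string(raw)
    msgid = (msg.get("Message-ID") or "").strip()
    msgid_hit = bool(MSGID_VGA.match(msgid))
    parsed = parsedate_tz(msg.get("Date") or "")
    # parsedate_tz returns None for an unparseable date; index 9 is the
    # UTC offset in seconds.
    date_hit = parsed is not None and parsed[9] == DATE_700_OFFSET
    # The meta rule fires only when both sub-rules match.
    return msgid_hit, date_hit, msgid_hit and date_hit


def audit(messages):
    """Map each sender to its hits, to see who trips the meta rule."""
    return {message_from_string(m)["From"]: subrule_hits(m) for m in messages}


def make(sender, msgid, date):
    """Build a constructed header-only sample message."""
    return f"From: {sender}\nMessage-ID: {msgid}\nDate: {date}\n\nbody\n"


# Constructed samples (not real mail).
SAMPLES = [
    make("both@example.com", "<000001c7a21f$0a1b2c30$0100a8c0@pc1>",
         "Tue, 29 May 2007 12:30:00 -0700"),
    make("msgid-only@example.org", "<000001c7a21f$0a1b2c30$0100a8c0@pc2>",
         "Tue, 29 May 2007 20:30:00 +0100"),
    make("date-only@example.net", "<465c8f2a.1010@example.net>",
         "Tue, 29 May 2007 12:30:00 -0700"),
]

if __name__ == "__main__":
    for sender, hits in audit(SAMPLES).items():
        print(sender, dict(zip(("msgid", "date", "meta"), hits)))
```
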