Spamassassin timeouts - Just an observation

Martin Hepworth maxsec at gmail.com
Mon Jan 19 14:00:18 GMT 2009


I'd also check the old SARE rules (like the blacklist one) aren't
being used anymore. These were replaced by the URI RBLs as they were
huge.

--
martin

2009/1/19 Kai Schaetzl <maillists at conactive.com>:
> Gareth wrote on Mon, 19 Jan 2009 12:01:56 +0000:
>
>> I checked our system as we use virtually all of the sare rules.
>> These are the top 2 useful rules (some match as much spam as ham so I
>> have ignored them).
>>
>> SARE_HTML_USL_OBFU 422 11 2.6 411 97.4
>> SARE_BOUNDARY_LC 408 2 0.5 406 99.5
>>
>> So the top rule catches 411 out of 24000 spams (last 3 months) which is
>> 1.7%. Given that's the two best rules it's showing that SARE has become
>> very little benefit for us.
>
> Interesting if compared to my hits, see below.
>
> First a word of caution. Although I'm with you that the SARE rules don't
> provide too much benefit nowadays one needs to be cautious to just go by
> the "top" hitters. Using that same "algorithm" one would probably have to
> throw out 90% of the stock/updated SA rules as well ;-) The strength of SA
> lies also in the fact that it has so many rules for so many diverse spam
> schemes. It's obvious that most of these rules won't ever exceed 1% of
> hits or so, but they still add value.
> But I think that many of the SARE rules are either obsolete or have been
> incorporated in the main SA rules in some way, so that their value in
> addition to the main rules is much lower than it used to be.
> The most effective way of using SARE today would probably be to have an
> excerpt of, say, 50 of the top rules in one file/channel.
>
> Now, to what I called "interesting" first.
>
> SARE_HTML_USL_OBFU hit exactly 10 of some 15.000 spam messages on the
> machine I checked
> SARE_BOUNDARY_LC didn't hit any, either I didn't have it in my rules or it
> really didn't hit any.
>
> Seems I have completely different spam than you get, which is not so much
> a surprise ;-)
>
> The ones (of the top 100 rules) that hit for me are:
> SARE_HEAD_8BIT_SPAM hit nearly 10% of spam
> SARE_HTML_A_BODY hit about 3% of spam
> SARE_HTML_IMG_ONLY
> SARE_GIF_ATTACH good portion of FPs
> SARE_MSGID_LONG40 all FPs it seems
> SARE_ADULT2
> SARE_SPEC_ROLEX
> SARE_RAND_2J
> SARE_SPEC_REPLICA_OBFU
> SARE_HEAD_HDR_XSPAMTST
>
> These ten are among the top 100 hitting rules. Means 10% of the rules that
> hit in the top 100 are SARE, or, 90% are not ;-)
>
> Kai
>
> --
> Kai Schätzl, Berlin, Germany
> Get your web at Conactive Internet Services: http://www.conactive.com
>



-- 
Martin Hepworth
Oxford, UK
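
Added example (not part of the thread, and not SpamAssassin or MailScanner code): the caution quoted above about judging rules by their individual hit counts can be checked by counting how many messages reach the required score only because a rule family fired. The corpus, the per-rule scores and the function name family_value are constructed for illustration; 5.0 is SpamAssassin's default required_score.

```python
"""Per-rule hit counts vs. the marginal value of a whole rule family.
All messages and scores below are constructed sample data."""
from collections import Counter

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

# Constructed corpus: (is_spam, {rule_name: score}) for each scanned message.
MESSAGES = [
    (True,  {"BAYES_99": 3.5, "URIBL_BLACK": 2.0, "SARE_HEAD_8BIT_SPAM": 1.0}),
    (True,  {"BAYES_99": 3.5, "SARE_HTML_A_BODY": 1.0, "SARE_ADULT2": 1.2}),
    (True,  {"HTML_MESSAGE": 0.1, "URIBL_BLACK": 2.0, "SARE_SPEC_ROLEX": 1.5,
             "SARE_RAND_2J": 1.6}),
    (True,  {"BAYES_99": 3.5, "URIBL_BLACK": 2.0}),
    (True,  {"BAYES_99": 3.5, "SARE_HTML_IMG_ONLY": 1.7}),
    (True,  {"BAYES_99": 3.5, "URIBL_BLACK": 2.0, "SARE_HTML_A_BODY": 1.0}),
    (False, {"HTML_MESSAGE": 0.1, "SARE_GIF_ATTACH": 1.4}),
    (False, {"BAYES_50": 0.8, "SARE_MSGID_LONG40": 2.5, "SARE_GIF_ATTACH": 1.4,
             "HTML_MESSAGE": 0.1, "MIME_HTML_ONLY": 0.7}),
]


def family_value(messages, prefix, required=REQUIRED_SCORE):
    """Compare individual hit counts with what the family changes overall."""
    spam_hits = Counter()
    n_spam = spam_only_with_family = ham_only_with_family = 0
    for is_spam, hits in messages:
        total = sum(hits.values())
        without = sum(s for r, s in hits.items() if not r.startswith(prefix))
        # True when the verdict is "spam" only because the family fired.
        flipped = total >= required > without
        if is_spam:
            n_spam += 1
            spam_hits.update(r for r in hits if r.startswith(prefix))
            spam_only_with_family += flipped
        else:
            ham_only_with_family += flipped
    return {
        "spam": n_spam,
        "per_rule_spam_hits": dict(spam_hits),
        "spam_caught_only_with_family": spam_only_with_family,
        "ham_flagged_only_with_family": ham_only_with_family,
    }


if __name__ == "__main__":
    report = family_value(MESSAGES, "SARE_")
    for rule, n in sorted(report["per_rule_spam_hits"].items()):
        print(f"{rule:24s} {n}/{report['spam']} spam")
    print("spam caught only with family:", report["spam_caught_only_with_family"])
    print("ham flagged only with family:", report["ham_flagged_only_with_family"])
```

In this constructed corpus no single SARE rule hits more than 2 of 6 spam messages, yet 3 of the 6 are only tagged because SARE rules fired, and one ham message is flagged for the same reason.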

