On 30 Mar 2005 at 15:27, Matthew Lenz wrote:

<snip>
> here is an example of the headers from a spam that wasn't caught
> X-Spam-Status: No, score=4.1 required=5.0 tests=BAYES_99,HTML_80_90,
> HTML_FONT_BIG,HTML_MESSAGE,HTML_TITLE_EMPTY,MIME_HTML_ONLY,
> MSGID_FROM_MTA_ID autolearn=no version=3.0.2

> Ideas where to start (other than having her change her email address
> hehe)

The first thing I did upon installing SA 3.x and running it for a few
days was to restore some sanity to the BAYES_* scores. The GA has a
tendency to tune down the scores assigned for extreme bayes results
because they tend to cluster with other positive tests (like SURBLs).

That has the unfortunate side effect that when a message comes through
which for whatever reason fails to trigger much besides BAYES_99 (as
your example false-positive did), then the assigned score will be lower
than it should be if you trust bayes, which you should be *more*
inclined to do for the extreme cases than not.

The default 3.x scores are as follows:

score BAYES_00 0 0 -1.665 -2.599
score BAYES_05 0 0 -0.925 -0.413
score BAYES_20 0 0 -0.730 -1.951
score BAYES_40 0 0 -0.276 -1.096
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 0.372
score BAYES_80 0 0 3.608 2.087
score BAYES_95 0 0 3.514 2.063
score BAYES_99 0 0 4.070 1.886

Notice that for the fourth column (bayes + network tests enabled)
BAYES_99 actually scores *lower* than BAYES_80!

I've added the following lines into my local spamassassin
configuration, based on the scores from SA 2.6x and my own experience:

score BAYES_00 0 0 -4.901 -4.900
score BAYES_05 0 0 -0.925 -2.599
score BAYES_20 0 0 -0.730 -1.951
score BAYES_40 0 0 -0.276 -1.096
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 1.592
score BAYES_80 0 0 3.608 2.087
score BAYES_95 0 0 3.514 3.514
score BAYES_99 0 0 4.070 5.400

Making this single change would have caught your sample false positive
based solely on the BAYES_99 result.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
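
Added example, not part of the original post: a Python sketch that parses the two `score` tables and the sample X-Spam-Status header quoted above, flags adjacent Bayes buckets where the higher bucket scores lower, and re-totals the sample under the local scores. It assumes the sample was scored with the fourth column (bayes + network tests); the function names are illustrative, and the header score is rounded to one decimal, so the new total is approximate.

```python
import re
# Data copied from the post. Assumption: sample was scored with column 4 (index 3).
DEFAULT_3X = """
score BAYES_00 0 0 -1.665 -2.599
score BAYES_05 0 0 -0.925 -0.413
score BAYES_20 0 0 -0.730 -1.951
score BAYES_40 0 0 -0.276 -1.096
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 0.372
score BAYES_80 0 0 3.608 2.087
score BAYES_95 0 0 3.514 2.063
score BAYES_99 0 0 4.070 1.886
"""
LOCAL = """
score BAYES_00 0 0 -4.901 -4.900
score BAYES_05 0 0 -0.925 -2.599
score BAYES_20 0 0 -0.730 -1.951
score BAYES_40 0 0 -0.276 -1.096
score BAYES_50 0 0 1.567 0.001
score BAYES_60 0 0 3.515 1.592
score BAYES_80 0 0 3.608 2.087
score BAYES_95 0 0 3.514 3.514
score BAYES_99 0 0 4.070 5.400
"""
HEADER = ("X-Spam-Status: No, score=4.1 required=5.0 tests=BAYES_99,HTML_80_90,"
          "HTML_FONT_BIG,HTML_MESSAGE,HTML_TITLE_EMPTY,MIME_HTML_ONLY,"
          "MSGID_FROM_MTA_ID autolearn=no version=3.0.2")

def parse_scores(text, column=3):
    """Map rule name -> score for one of the four score columns (0-3)."""
    rows = (l.split() for l in text.splitlines() if l.startswith("score "))
    return {r[1]: float(r[2 + column]) for r in rows if len(r) == 6}

def inversions(scores):
    """Adjacent BAYES_* buckets where the spammier bucket scores lower."""
    names = sorted(scores, key=lambda n: int(n.rsplit("_", 1)[1]))
    return [(a, b) for a, b in zip(names, names[1:]) if scores[b] < scores[a]]

def rescore(header, old, new):
    """Re-total a message after swapping rule scores; returns (total, is_spam)."""
    m = re.search(r"score=(-?[\d.]+) required=(-?[\d.]+) tests=(\S+)", header)
    total, required = float(m.group(1)), float(m.group(2))
    for rule in m.group(3).split(","):
        total += new.get(rule, 0.0) - old.get(rule, 0.0)  # only changed rules move it
    return round(total, 3), total >= required

if __name__ == "__main__":
    old, new = parse_scores(DEFAULT_3X), parse_scores(LOCAL)
    print(inversions(old), inversions(new), rescore(HEADER, old, new))
```

Passing `column=2` to `parse_scores` shows that the local table leaves the third column's BAYES_99 score untouched, so the sample's total only changes when the network-test score set is in use.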