On Apr 26, 2019, at 4:51 PM, RW <rwmailli...@googlemail.com> wrote:
>
> header BOGUS_MIME_VERSION MIME-Version =~ /^(?!\s*1\.0).+/
>
> it may be better to change that to
>
> /^(?!.*\b1\.0\b).+/
>
> to avoid punishing the form
>
> Mime-Version: (Nosuch Mail 2.0) 1.0
>
> which is valid, though I don't think I've ever seen it (comments are
> usually on the right).

John, so many of my spams are hitting BOGUS_MIME_VERSION that I would imagine it's worth sandboxing and incorporating into the primary ruleset. AFAICT literally zero of my ham hits this rule, while MOST of my current spam does (667 of 869 messages received in the past 30 days to my personal inbox alone). This would seem to be a pretty good poison pill, and although I imagine you may not want poison pills within the primary ruleset, maybe it'll score high enough (like BAYES_99) that it'll push even otherwise-low-scoring spam over.

The reason I'm bringing this up again is that I still get a bunch of spam that hits BAYES_50 and doesn't have enough other spammy markers -- too early to have been caught by URIBLs and very few, if any, other content-rule hits -- but does hit BOGUS_MIME_VERSION. But my local score for this is (currently) only 3.0, so these spams get missed. Many of these spams are also DKIM_VALID_AU/EF, so I wonder if that would be a good meta.

I don't know why they're hitting BAYES_50 rather than higher (I train my DB pretty well... but this makes me doubt that!), nor why they don't hit any other content rules... they're trying to obfuscate by encoding the spammiest words using HTML entities but I thought that was taken care of via normalize_charset...

Happy to provide some spamples if you need them.

Locally I'll probably increase this marker to a score of 4.0 or possibly even 4.5, since (at least for me) it hits literally zero of my hams (out of 4800+ messages currently in my inbox and another 1100+ hams in my trash -- the latter is only from the past 30 days). [ETA: I actually increased to 4.0 a couple of days ago and it's helped, but some still slip by. I think 4.5 might be a better value.]

Thanks!

--- Amir
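
Added example, not part of the thread: a Python check of the two BOGUS_MIME_VERSION patterns quoted above against constructed MIME-Version values, showing where they agree and where they differ. It assumes the rule is applied to the header value as a single string; the sample values and the function names are made up for illustration.

```python
import re

# Patterns copied from the thread. For ASCII input, Python's re treats
# the lookahead, \s and \b the same way Perl does.
ORIGINAL = re.compile(r'^(?!\s*1\.0).+')
PROPOSED = re.compile(r'^(?!.*\b1\.0\b).+')

# Constructed MIME-Version header values (not taken from real mail).
SAMPLES = [
    "1.0",                      # the normal form
    " 1.0",                     # leading whitespace
    "1.0 (Nosuch Mail 2.0)",    # comment on the right
    "(Nosuch Mail 2.0) 1.0",    # comment on the left (the form RW mentions)
    "2.0",                      # wrong version
    "1.00",                     # starts with "1.0" but is not "1.0"
    "11.0",                     # contains "1.0" only inside another number
    "",                         # empty value: .+ cannot match
]


def rule_hits(pattern, value):
    """Return True if the rule would fire on this header value."""
    return pattern.search(value) is not None


def compare(samples=SAMPLES):
    """Map each value to (original_hits, proposed_hits)."""
    return {v: (rule_hits(ORIGINAL, v), rule_hits(PROPOSED, v))
            for v in samples}


def disagreements(samples=SAMPLES):
    """Values on which the two patterns give different verdicts."""
    return [v for v, (orig, prop) in compare(samples).items() if orig != prop]


if __name__ == "__main__":
    for value, (orig, prop) in compare().items():
        print(f"{value!r:26} original={orig!s:5} proposed={prop}")
    print("patterns disagree on:", disagreements())
```

Besides sparing the left-hand comment form, the `\b` anchors in the second pattern also make it fire on `1.00`, which the first pattern lets through because it only checks the prefix.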