Hi Kevin, Here are some spamples -- I've specifically chosen the ones that did NOT score enough through other means to get tagged, i.e., these are false negatives. Note that many of them have valid DKIM and hit no other markers. (The spample will NOT pass DKIM because headers have been modified for anonymity.) If you run them through NOW you'll probably find they hit Razor and Pyzor and various other things... but they clearly didn't at the time of receipt. Most of them score 4.6 unless they manage to have enough Bayes "poison" to score lower. (And I STILL don't know how they keep hitting only BAYES_50...)
https://pastebin.com/BQH3JgWD https://pastebin.com/nXtZtUdm https://pastebin.com/tBQt1Raw https://pastebin.com/wEGvcs73 https://pastebin.com/nuFJ48k0 https://pastebin.com/ykCuEPNQ ** This last one I received from two different servers within a minute of each other. The first one got nailed by SPFBL so it got marked as spam, but only because the combo of SPFBL (2.2) and local BOGUS_MIME_VERSION (4.0) pushed it over threshold. This spample, the second of the two, didn't get nailed because the relay wasn't in SPFBL, so BOGUS_MIME_VERSION wasn't enough by itself at a score of 4.0, although it WOULD have been enough at a score of 4.5. I should also mention I've seen at least a few recent ones that hit Mailscanner's "Eudora long-MIME-boundary attack" rule. I'm not including those as spamples since they got sanitized by MailScanner so aren't useful, but I figured it was worth mentioning. My feeling is that BOGUS_MIME_VERSION is incredibly useful during the early hits of snowshoers, before the RBLs, URIBLs, and content hash DBs can catch up. Since it would seem to be 100% spam and 0% ham, I think scoring it very highly (4+ points) would be both safe and useful -- it will help nix these early hits but won't hinder anything else. From my experience and these spamples, where most of them are scoring 4.6 (with 4.0 of that from BOGUS_MIME_VERSION), an optimal score would be in the range of 4.5 to 4.9 ... that would push these 4.6s to 5.1 or higher. I've got MANY other examples in the Junk folders on my server, and I would be happy to send them to you privately if needed. Cheers. --- Amir On May 30, 2019, at 9:24 AM, Kevin A. McGrail <kmcgr...@apache.org> wrote: > > Fair enough. Happy to look at spamples but I've seen virtually nothing in > the wild for this.
