On Fri, 26 Jul 2019 14:52:11 -0600
Amir Caspi wrote:

> Hi all,
> 
> In recent weeks I've been receiving many of my spams in doubles --
> essentially identical spam except for the faked From and the various
> "Bayes poison" random text.  I just got one such pair where
> FSL_BULK_SIG fired on one spam, but not the other, even though their
> content (except for the above exceptions) is essentially identical.
> 
> Does FSL_BULK_SIG need to be tweaked?
> 
> Spample 1 -- no hit:
> https://pastebin.com/D4eBSgEj
> 
> Spample 2 -- FSL_BULK_SIG hits:
> https://pastebin.com/nN3rSjbV
> 
> That one hit, plus the Razor update in the (literally) 15 seconds
> between receipt of the two spams, was enough to properly bin the
> second one.
> 
> Thoughts?
> 

The rule requires one or more of DCC_CHECK, RAZOR2_CHECK and 
PYZOR_CHECK. The first hit none of these, the second hit RAZOR2_CHECK.

Most of the difference in score came from RAZOR2_CHECK and
RAZOR2_CF_RANGE_51_100 rather than FSL_BULK_SIG.



