On 2025-01-15 at 04:21:41 UTC-0500 (Wed, 15 Jan 2025 10:21:41 +0100)
Matus UHLAR - fantomas <uh...@fantomas.sk>
is rumored to have said:
Hello,
On 21.09.24 12:51, joe a wrote:
Noticed some obvious spam slipping in due in great part to this:
* -1.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [209.85.166.199 listed in wl.mailspike.net]
Not a big deal for my low volume SOHO, but it's annoying.
Has that check become unreliable? Sure, I can skip that check (I
think) or alter the score, but any other thoughts?
FYI:
199.166.85.209.in-addr.arpa domain name pointer mail-il1-f199.google.com.
Which demonstrates the problem. Their H2 list includes highly mixed
sources.
I too have recently received multiple e-mails where the sending server was
in MSPIKE_H2, pushing them under the required_score limit.
Many of them were in Google and Microsoft networks:
* -1.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [40.92.58.106 listed in wl.mailspike.net]
* -1.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [209.85.222.65 listed in wl.mailspike.net]
* -1.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
* [209.85.218.47 listed in wl.mailspike.net]
It seems that RCVD_IN_MSPIKE_H2 is the only one that produces
significant score:
50_scores.cf: score RCVD_IN_MSPIKE_ZBI 2.7
50_scores.cf: score RCVD_IN_MSPIKE_L5 2.5
50_scores.cf: score RCVD_IN_MSPIKE_L4 1.7
50_scores.cf: score RCVD_IN_MSPIKE_L3 0.9
50_scores.cf: score RCVD_IN_MSPIKE_H3 -0.01
50_scores.cf: score RCVD_IN_MSPIKE_H4 -0.01
50_scores.cf: score RCVD_IN_MSPIKE_H5 -1.0
50_scores.cf: score RCVD_IN_MSPIKE_BL 0.01
50_scores.cf: score RCVD_IN_MSPIKE_WL -0.01
72_scores.cf:score RCVD_IN_MSPIKE_BL 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_H2 0.001 -1.794 0.001 -1.794
72_scores.cf:score RCVD_IN_MSPIKE_H3 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_H4 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_H5 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L2 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L3 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L4 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_L5 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_WL 0.001 0.001 0.001 0.001
72_scores.cf:score RCVD_IN_MSPIKE_ZBI 0.001 0.001 0.001 0.001
It is worth noting that the 72_scores.cf file is what the RuleQA process
produces. I haven't dug into the details, but it looks like Mailspike is
ONLY really useful at the H2 level.
Does it make sense to use this WL with this score?
That has to be a local question.
For the people going to the trouble of submitting human-classified ham
and spam results to RuleQA, RCVD_IN_MSPIKE_H2 was a fairly strong
indicator of non-spam. So it makes sense IF your mailstream looks a lot
like that of the submitters. Sadly, mailstreams vary a great deal, so
no individual site is likely to match the non-random sample that we have
access to.
I don't think the listing of behemoth sources as "good-ish" is wrong per
se, because many sites can show that they get more ham from GMail than
spam. MS is a somewhat different story, because they try to segregate
their suspect mail to a subset of output points. If your mail does not
include much GMail ham, it may make sense to set the scores locally.
E.g. I have:
/etc/mail/spamassassin/local.cf:score RCVD_IN_MSPIKE_H2 0.2
/etc/mail/spamassassin/local.cf:score RCVD_IN_MSPIKE_H3 0.1
Those are based on careful analysis a few years ago, so I can't even be
sure that they make sense for me today, but they certainly are not
causing visible trouble.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
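
Added example, not part of the thread and not SpamAssassin code: one way to check a local mailstream before rescoring RCVD_IN_MSPIKE_H2 is to parse the report lines of hand-classified messages and count which verdicts change. The sample reports, their labels and all scores other than the -1.8 H2 hit are constructed; the threshold of 5.0 is SpamAssassin's default required_score, and 0.2 is the local score quoted above.

```python
import re

# One rule line of a SpamAssassin report: "* -1.8 RCVD_IN_MSPIKE_H2 RBL: ...".
# Continuation lines ("*      [a.b.c.d listed in ...]") carry no score and are skipped.
HIT = re.compile(r"^\s*\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)\b", re.M)

def rule_hits(report):
    """Return {rule_name: score} for every scored rule line in a report."""
    return {name: float(score) for score, name in HIT.findall(report)}

def rescore_impact(corpus, rule, new_score, required=5.0):
    """corpus: iterable of (label, report), label being 'ham' or 'spam'.
    Counts hits of `rule` per class and the verdicts that would change
    if the rule were rescored to new_score in local.cf."""
    out = {"ham_hits": 0, "spam_hits": 0, "spam_missed_now": 0,
           "spam_caught_after": 0, "ham_flagged_after": 0}
    for label, report in corpus:
        hits = rule_hits(report)
        if rule not in hits:
            continue
        total = round(sum(hits.values()), 3)
        adjusted = round(total - hits[rule] + new_score, 3)
        out[label + "_hits"] += 1
        if label == "spam" and total < required:
            out["spam_missed_now"] += 1           # slipped under the limit
            if adjusted >= required:
                out["spam_caught_after"] += 1     # the rule alone saved it
        if label == "ham" and total < required <= adjusted:
            out["ham_flagged_after"] += 1         # cost of the rescore
    return out

# Constructed sample data (documentation IP, made-up scores and labels).
H2 = ("* -1.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)\n"
      "*      [192.0.2.10 listed in wl.mailspike.net]\n")
SAMPLE = [
    ("spam", "*  3.5 BAYES_99 BODY: constructed\n*  2.0 URIBL_BLACK URI: constructed\n" + H2),
    ("spam", "*  3.5 BAYES_99 BODY: constructed\n*  0.5 HTML_MESSAGE BODY: constructed\n" + H2),
    ("spam", "*  3.5 BAYES_99 BODY: constructed\n*  4.0 URIBL_BLACK URI: constructed\n" + H2),
    ("ham",  "* -1.9 BAYES_00 BODY: constructed\n" + H2),
    ("ham",  "*  2.0 HTML_MESSAGE BODY: constructed\n*  3.0 FREEMAIL_FROM constructed\n" + H2),
    ("ham",  "* -1.9 BAYES_00 BODY: constructed\n"),
]

if __name__ == "__main__":
    print(rescore_impact(SAMPLE, "RCVD_IN_MSPIKE_H2", 0.2))
```

A rescore is worth making only when spam_caught_after clearly outweighs ham_flagged_after on your own classified mail.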