My guess, without looking at the rules in question, is simply that a smarter
spammer played around until he found two specific mis-spellings that would
not be caught by the obfuscated drugs and body parts tests, and then used
those and only those two.
The solution here is going to be to fix up some new rules or modified rules
to catch those two specific misspellings and add them to the rules.
Also, you are not the first to be burned by body_enhancement being set to
zero in the net tests. I have no earthly understanding of why the scoring
run decided to do this, but the obvious solution is to give it at least some
non-zero score in the net test column.
Loren
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: Sunday, July 31, 2005 3:08 AM
Subject: RE: unwanted breakthrough
>
>
> Hi Herb,
>
> thanks for the quick reply. I am not really concerned about the lack of
dns result
> (when I retest this, I get ample points from various dns sources)
> Maybe it was really brand new when I received it, or I might have had a
temporary
> network glitch. (I am in fact running on ADSL, with a forced disconnect
every 24 hours)
>
> The thing that worries me is that I did not see anything like
DRUGS_ERECTILE
> (which is missing from your set too) or BODY_ENHANCEMENT.
> Looking over the scores, BODY_ENH seems to score 0 when network tests are
enabled,
> so it would miss during network problems
>
> Wolfgang Hamann
>
> >> > for some reason the spam sample at
> >> > http://wolfgang.remsnet.de/medspam.txt
> >> > is only classified by html rules, and by various dns tests,
> >> > but the common drugs and human body part rules missed it.
> >> > Anyone would have an idea why this is so?
> >> >
> >> > I am running 3.0.4 default rules, plus a few SARE ones
> >>
> >> Caveat again: I am not a real expert (yet):
> >>
> >> First, the mail is short so there is less for SpamAssassin
> >> to work with, Bayes for instance doesn't kick in for either
> >> of us; and you don't seem to be running many network tests
> >> if that is all you hit. My score is 29.2 but would only be
> >> 4.5 without the network tests.
> >>
> >> Now, I probably overkill the net tests (RBLs, Pyzor, DCC,
> >> Razor, and URIBLs). I will not block directly on any
> >> blacklist but I love using them as way to drive the score
> >> very high.
> >>
> >> (Currently I am very pleased with an email server where I
> >> am testing using blacklists to DRIVE greylisting tests in
> >> front of SpamAssassin -- even if the mail is passed on, the
> >> blacklist lookups will all be in the local DNS cache by
> >> the time SA runs so it doesn't cost much to do this. The
> >> greylisting doesn't show here, but I am planning to try
> >> using SpamAssassin to also drive the greylisting -- if
> >> spammers have to resend few will do so and it is a LOT
> >> safer than auto-deleting high score spam.
> >>
> >> X-Spam-Status: Yes, score=29.2 required=6.0 tests=BODY_ENHANCEMENT2,
> >>
> >> DIGEST_MULTIPLE,FB_HARD_ERECTION,HELO_DYNAMIC_IPADDR2,HM_URIBL_SC2_XS,
> >>
HM_URIBL_SC_DBL,HM_URIBL_SC_XS,HTML_30_40,HTML_MESSAGE,INFO_TLD,
> >> MIME_HTML_ONLY,PYZOR_CHECK,RAZOR2_CF_RANGE_51_100,
> >>
RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CF_RANGE_E8_51_100,RAZOR2_CHECK,
> >> SARE_SUB_BREAKTHRU,URIBL_AB_SURBL,URIBL_BLACK,URIBL_BLOK_MPRHS,
> >> URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SBL,URIBL_SC2_SURBL,
> >> URIBL_SC_SURBL,URIBL_WS_SURBL,URIBL_XS_SURBL, DIGEST_MULTIPLE,
> >> HM_URIBL_SC_DBL, HM_URIBL_SC_XS
> >>
> >> -- last 2 rules are actually -3.5 & -2.5 = -6 ------
> >>
> >> Rules with HM_prefix are my own, the rest are all either stock
> >> or probably from SARE (I have about everything available from
> >> SARE including aggressive (Ham hitters) but NOT including those
> >> that "hit nothing but seem cool".) Scores are down below.
> >>
