At 10:07 AM 10/20/2005, FH wrote:
> Really, you shouldn't be looking at the scores. You should be looking at
> what rules the messages are hitting. Only this can tell you the "why" of
> the matter. Everything else is just looking at the results.
>
Makes sense, I'll dig into that a little deeper to see if I can figure out
specifically what's triggering it. Assuming I do find something, is it better
to try and modify the rule directly or to come up w/ some sort of "counter"
rule?

It depends on what you find.

Sometimes the hits will suggest your Bayes training is way off, and you
might need some re-training if BAYES_99 keeps hitting a lot of nonspam mail.

Other times you'll notice your trusted_networks needs to be set manually
because dialup RBLs and rules are causing FPs due to SA guessing the dialup
ISP's mailserver is a part of your network. (see "TrustPath" in the wiki)

Still others you'll find a bona fide bug in a rule. Most commonly these
occur in the rules looking for forged mail clients. In those cases, hack the
score of the rule down with a score statement in your local.cf and check
bugzilla to see if it's been reported or fixed in a new release.
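
An added example, not part of the original message: one way to see which rules the false positives are hitting is to tally the `tests=` list from each message's X-Spam-Status header. The sample messages, addresses and scores are constructed, and the function names are hypothetical.

```python
import email
import re
from collections import Counter

# Constructed sample: known-good (ham) messages that were tagged as spam.
# Only the X-Spam-Status header matters; all values here are invented.
FALSE_POSITIVES = [
    "From: a@example.org\n"
    "X-Spam-Status: Yes, score=6.1 required=5.0 tests=BAYES_99,HTML_MESSAGE,\n"
    "\tRCVD_IN_SORBS_DUL autolearn=no version=3.1.0\n"
    "Subject: lunch\n\nbody\n",
    "From: b@example.org\n"
    "X-Spam-Status: Yes, score=5.4 required=5.0 tests=BAYES_99,\n"
    "\tFORGED_MUA_OUTLOOK autolearn=no version=3.1.0\n"
    "Subject: invoice\n\nbody\n",
    # Older releases wrote hits= instead of score=; the tests= field is the same.
    "From: c@example.org\n"
    "X-Spam-Status: Yes, hits=5.9 required=5.0 tests=BAYES_99,RCVD_IN_SORBS_DUL\n"
    "\tautolearn=no version=3.0.4\n"
    "Subject: notes\n\nbody\n",
]

def rules_hit(raw_message):
    """Return the rule names listed in a message's X-Spam-Status header."""
    status = email.message_from_string(raw_message).get("X-Spam-Status", "")
    # The rule list is folded across header lines after commas; rejoin it.
    unfolded = re.sub(r",\s+", ",", status)
    match = re.search(r"tests=(\S*)", unfolded)
    if not match or match.group(1) in ("", "none"):
        return []
    return [rule for rule in match.group(1).split(",") if rule]

def tally(messages):
    """Count, per rule, how many messages hit it (once per message)."""
    counts = Counter()
    for raw in messages:
        counts.update(set(rules_hit(raw)))
    return counts

def report(messages):
    """Rules sorted by hit count, with the share of messages affected."""
    total = len(messages)
    return [(rule, n, round(100 * n / total))
            for rule, n in tally(messages).most_common()]

if __name__ == "__main__":
    for rule, n, pct in report(FALSE_POSITIVES):
        print(f"{rule:<22} {n:>3}  {pct:>3}% of false positives")
```

Run over a folder of real false positives, a rule that dominates the list is the one to investigate along the lines described above.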