-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jim Maul wrote:
> Jim Maul wrote:
>> David Goldsmith wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Setup: SA 3.1.8, Pyzor, Razor, DCC, iXhash
>>> Botnet, FuzzyOCR 3.5.1, SARE rules, some misc rules
>>>
>>> This message got 0 points. Does it score over 5 for anyone?
>>>
>>> http://members.cox.net/dgoldsmi/spam/lowscore01.txt
>>>
>>
>> Content analysis details: (8.6 points, 5.0 required)
>>
>> pts rule name description
>> ---- ----------------------
>> --------------------------------------------------
>> 0.1 HTML_LINK_CLICK_HERE BODY: HTML link text says "click here"
>> 0.1 HTML_60_70 BODY: Message is 60% to 70% HTML
>> 0.1 HTML_MESSAGE BODY: HTML included in message
>> 0.9 RAZOR2_CF_RANGE_11_50 BODY: Razor2 gives confidence between 11
>> and 50
>> [cf: 33]
>> 5.4 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
>> [score: 0.9992]
>> 0.3 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
>> 1.6 LINK_TO_NO_SCHEME BODY: Contains link without http:// prefix
>> 0.1 CLICK_BELOW Asks you to click below
>>
>> Sure does.
>>
>> -Jim
>>
> BTW, i forgot to mention that im running SA 2.64, razor and a few sare
> rules only. Bayes was the kicker here. I <3 bayes ;)
>
> -Jim
Odd. If I rerun it again, I'm getting a hit from DCC now, but still not
seeing Razor hit or Bayes. I ran it through spamassassin -D rather than
spamc, and here are the applicable log entries:
[21191] dbg: razor2: part=0 engine=4 contested=0 confidence=33
[21191] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[21191] dbg: razor2: part=0 engine=8 contested=1 confidence=0
[21191] dbg: razor2: results: spam? 0
[21191] dbg: razor2: results: engine 8, highest cf score: 0
[21191] dbg: razor2: results: engine 4, highest cf score: 33
[21191] dbg: dcc: dccifd is not available: no r/w dccifd socket found
[21191] dbg: util: executable for dccproc was found at
/usr/local/bin/dccproc
[21191] dbg: dcc: dccproc is available: /usr/local/bin/dccproc
[21191] dbg: info: entering helper-app run mode
[21191] dbg: dcc: opening pipe: /usr/local/bin/dccproc -H -x 0 -a
65.173.218.105 < /tmp/.spamassassin21191jK69ditmp
[21202] dbg: util: setuid: ruid=0 euid=0
[21191] dbg: dcc: got response: X-DCC-CTc-dcc2-Metrics:
iceman11.giac.net 1031; Body=many Fuz1=many Fuz2=many
[21191] dbg: info: leaving helper-app run mode
[21191] dbg: dcc: listed: BODY=999999/999999 FUZ1=999999/999999
FUZ2=999999/999999
[21191] dbg: rules: ran eval rule DCC_CHECK ======> got hit
[21191] dbg: bayes: tie-ing to DB file R/O
/home/spamass/.spamassassin/bayes_toks
[21191] dbg: bayes: tie-ing to DB file R/O
/home/spamass/.spamassassin/bayes_seen
[21191] dbg: bayes: found bayes db version 3
[21191] dbg: bayes: DB journal sync: last sync: 1172851977
[21191] dbg: bayes: corpus size: nspam = 42311, nham = 6189
[21191] dbg: bayes: score = 0.499999999933664
[21191] dbg: bayes: DB journal sync: last sync: 1172851977
[21191] dbg: bayes: untie-ing
[21191] dbg: bayes: untie-ing db_toks
[21191] dbg: bayes: untie-ing db_seen
X-Spam-DCC: CTc-dcc2: iceman11.giac.net 1031; Body=many Fuz1=many Fuz2=many
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on iceman11.giac.net
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=AWL,BAYES_50,DCC_CHECK,
HTML_MESSAGE,MIME_HTML_ONLY autolearn=no version=3.1.8
X-Spam-Pyzor: Reported 1 times.
X-Spam-Report:
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
* [score: 0.5000]
* 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 2.2 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
* -1.1 AWL AWL: From: address is in the auto white-list
After running 'sa-learn --spam' on the message, the Bayes probability
ticked up a tad but nothing significant:
[21599] dbg: bayes: DB journal sync: last sync: 1172852471
[21599] dbg: bayes: corpus size: nspam = 42402, nham = 6207
[21599] dbg: bayes: score = 0.500000410035903
[21599] dbg: bayes: DB journal sync: last sync: 1172852471
Bayes seems to be working overall - right now, the most frequent BAYES
rules hitting on spam messages are:
TOP SPAM RULES FIRED
- ----------------------------------------------------------------------
RANK RULE NAME COUNT %OFMAIL %OFSPAM %OFHAM
- ----------------------------------------------------------------------
1 BAYES_99 11273 73.05 97.61 0.56
143 BAYES_50 124 10.91 1.07 39.95
and on ham messages:
TOP HAM RULES FIRED
- ----------------------------------------------------------------------
RANK RULE NAME COUNT %OFMAIL %OFSPAM %OFHAM
- ----------------------------------------------------------------------
2 BAYES_00 1977 12.80 0.02 50.54
4 BAYES_50 1563 10.91 1.07 39.95
17 BAYES_20 101 0.67 0.03 2.58
20 BAYES_40 90 0.58 0.00 2.30
32 BAYES_05 64 0.41 0.00 1.64
34 BAYES_60 61 0.69 0.39 1.56
49 BAYES_80 26 0.47 0.40 0.66
56 BAYES_99 22 73.05 97.61 0.56
83 SARE_BAYES_7x5 9 0.06 0.00 0.23
87 BAYES_95 8 0.41 0.48 0.20
so BAYES_99 is pretty accurate.
Dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3rc2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF6FBx417vU8/9QfkRAtabAKCPCHuLs3FvOBaxLMJbp3NOjmH+PQCguZRz
rHAuTua0CR/sJE8uWie5Vsg=
=oiFr
-----END PGP SIGNATURE-----
