On Sat, 2008-01-26 at 20:37 -0500, Daryl C. W. O'Shea wrote:
> Jason Haar wrote:
> > I just got a spam msg with a score of 4/5 and for the first time noticed
> > the DOS_OUTLOOK_TO_MX rule.
> >
> > For those that don't know it means "Delivered direct to MX with Outlook
> > headers". Sounds like a good rule: Outlook isn't an MTA so shouldn't be
> > able to connect directly to MX records - except for its configured SMTP
> > server.
>
> The rule does work well... 50% of its spam hits are on mail scored 5 or
> less.

Indeed, this rule seems to hit mostly on "low scoring" mail. Granted, I
checked against 2 weeks' worth of spam only -- however, the hits in 15+
scoring spam are almost negligible. But it does hit a few percent in my
10-15 range. (Note: These results include some special, custom crafted
rules which apply to my env only.)

This does have some potential, to push a few more spams above the edge of
15 points. No hits in my 0.08% of FNs, though.

Thanks, Daryl, for the rule and the reassuring explanation! And thanks
Jason for bringing it up in the first place. If you'd excuse me now, I'll
go raise that score. :)

> > But it only has a score of 1.0. I just looked through a week's worth of
> > SA logs and all the emails we received that triggered DOS_OUTLOOK_TO_MX
> > - but didn't get tagged as spam - were spam. So it seems to me that rule
> > is a better indicator than it's given credit for?
>
> When I wrote the rule and added it to the updates, in September, it was
> scoring poorly due to what I believe was probably dirty corpora. I
> didn't have the tuits at the time to investigate it. Current mass-check
> results show that it hit on 12 of 164,411 ham messages (all from zmi's
> corpus of 6175 ham messages), so not too bad.

Hmm, given these rare hits are isolated in a *single* corpus (0.2%, in
contrast to a whopping 0.0073% total) it would be really interesting to
investigate the reason for these hits. Hey, it's checking 12 messages
only! I'd even volunteer doing this. ;)

> > In fact, shouldn't that rule be generalized to DOS_MUA_TO_MX? I mean the
> > same rule applies for Thunderbird, mutt, etc...? If there's an X-Mailer:
> > header, then there should be an intermediary MTA before it hits yours?

I'm not sure about that generalization. What about web-site feedback form
mailers -- which "your" users might use? I've seen them add these headers,
too. Point is, they are not MUAs.

guenther

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
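The two rule ideas discussed in this thread, DOS_OUTLOOK_TO_MX and the proposed DOS_MUA_TO_MX generalization, can be checked against concrete headers. The following is an added example written for this page; it is neither part of the thread nor SpamAssassin's own rule definition, which is built on its trusted_networks relay parsing rather than a raw Received: count. The simplification assumed here is that the receiving MX is `mx.example.com` and is the only trusted relay, so a message carrying exactly one Received: header (the MX's own) was handed in directly by the originating host. The three messages are constructed samples: an Outlook-stamped spam delivered straight to the MX, a Thunderbird message that took the normal route through an ISP smarthost, and the case guenther raises, a web-site feedback form running on a web server that connects directly to the MX and adds an X-Mailer: header of its own.

```python
"""Added example: a simplified "MUA headers, but delivered direct to MX" check.

Not SpamAssassin's rule text. Assumed names: TRUSTED_MX is the receiving MX,
and the three RFC 5322 messages below are constructed samples, not real mail.
"""
import email
import re

TRUSTED_MX = "mx.example.com"  # assumption: our MX, the only trusted relay

# Matches "by mx.example.com" even when the Received: header is folded
# across lines (the default email parser keeps the original folding).
DIRECT_RE = re.compile(r"\bby\s+" + re.escape(TRUSTED_MX) + r"\b")
# X-Mailer strings such as "Microsoft Outlook Express 6.00.2900.3138"
# or "Microsoft Office Outlook 12.0".
OUTLOOK_RE = re.compile(r"\bMicrosoft (?:Office )?Outlook\b", re.I)

# Constructed sample 1: spam handed straight to the MX by a dial-up host,
# carrying Outlook Express headers. Both rules should hit.
DIRECT_OUTLOOK_SPAM = """\
Received: from 198-51-100-23.dyn.example.net ([198.51.100.23])
\tby mx.example.com with ESMTP id 1JIyOa-0003v1-2k
\tfor <victim@example.com>; Sat, 26 Jan 2008 21:04:11 -0500
From: "Support" <support@example.org>
To: <victim@example.com>
Subject: your account
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

Please verify your account at the link below.
"""

# Constructed sample 2: a Thunderbird user sending through the ISP's
# smarthost, so the MX sees two Received: hops. Neither rule should hit.
RELAYED_THUNDERBIRD_HAM = """\
Received: from smtp.isp.example (smtp.isp.example [192.0.2.10])
\tby mx.example.com with ESMTP id 1JIyPb-0003v9-7q
\tfor <friend@example.com>; Sat, 26 Jan 2008 21:10:02 -0500
Received: from [10.0.0.5] (helo=laptop.home) by smtp.isp.example
\twith ESMTPA id 9AF21C0; Sat, 26 Jan 2008 21:09:58 -0500
From: Alice <alice@isp.example>
To: <friend@example.com>
Subject: lunch?
User-Agent: Thunderbird 2.0.0.9 (X11/20071031)

Same place as last week?
"""

# Constructed sample 3: a web-site feedback form on the site's own web
# server, which connects directly to the MX and stamps an X-Mailer: header.
# Not an MUA, yet the generalized rule hits it; the Outlook rule does not.
WEBFORM_HAM = """\
Received: from www.example.org (www.example.org [203.0.113.7])
\tby mx.example.com with ESMTP id 1JIyQc-0003vA-1x
\tfor <webmaster@example.com>; Sat, 26 Jan 2008 21:15:40 -0500
From: "Contact form" <www-data@example.org>
To: <webmaster@example.com>
Subject: [feedback] broken link on the FAQ page
X-Mailer: PHPMailer [version 1.73]

The second link in the FAQ gives a 404.
"""


def delivered_direct_to_mx(msg):
    """True when the MX's own Received: header is the only relay hop."""
    hops = msg.get_all("Received", [])
    return len(hops) == 1 and DIRECT_RE.search(hops[0]) is not None


def has_outlook_headers(msg):
    """True when X-Mailer: or X-MimeOLE: names Outlook."""
    for name in ("X-Mailer", "X-MimeOLE"):
        if OUTLOOK_RE.search(msg.get(name, "")):
            return True
    return False


def evaluate(raw):
    """Return the hit status of both rule variants for one raw message."""
    msg = email.message_from_string(raw)
    direct = delivered_direct_to_mx(msg)
    return {
        # Original idea: Outlook headers and no intermediary MTA.
        "DOS_OUTLOOK_TO_MX": direct and has_outlook_headers(msg),
        # Proposed generalization: any X-Mailer: header and no intermediary MTA.
        "DOS_MUA_TO_MX": direct and msg.get("X-Mailer") is not None,
    }


if __name__ == "__main__":
    for label, raw in (("outlook spam, direct", DIRECT_OUTLOOK_SPAM),
                       ("thunderbird via smarthost", RELAYED_THUNDERBIRD_HAM),
                       ("web form on web server", WEBFORM_HAM)):
        print(f"{label:28s} {evaluate(raw)}")
```

The third sample is the point of the caveat: the generalized rule fires on legitimate form mail from a site's own web server, while the Outlook-specific rule stays quiet, which is why the broader rule needs its own mass-check before it gets a meaningful score. In a real deployment the "single hop" test should come from the relay list SpamAssassin builds from trusted_networks and internal_networks, since a message that passed through your own internal relays will carry more than one Received: header yet was still delivered direct to your MX.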