I noticed that FROM_LOCAL_HEX scores more often on legit mail than on spam. Specifically it hits on Myspace invitations and some type of group mail from Gmail, which are both common. It also hits on a few verp sender addresses from random sites that appear to be legit, and verp may become common.
I don't have the messages, only syslog entries. Syslog shows the envelope sender, but apparently the header From is the same. Maybe someone else has sample messages for a proper report. Joseph Brennan Columbia University Information Technology Myspace---- 204.16.33.77 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> xxxx would like to be added as one of your friends! Note: 204.16.33.77 is vmta14.myspace.com Note: Aggravated by also hitting BAD_ENC_HEADER (3.499). If I recall correctly, I sent them a report about that a long time ago. That was a genuine standards violation that they should fix. Gmail---- 209.85.198.210 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> orkut - xxxx xxxx has written you a scrapbook entry Note: 209.85.198.210 is rv-out-0304.google.com Note: 'orkut' seems to be the name of a group or list. There are also messages with subject like 'orkut - Invitation to join from xxxx'. Note: Also hits FROM_STARTS_WITH_NUMS (2.302). The envelope sender starts with only one digit though-- is the header From different?
