On 23.04.08 09:27, Joseph Brennan wrote: > I noticed that FROM_LOCAL_HEX scores more often on legit mail than > on spam. Specifically it hits on Myspace invitations and some type > of group mail from Gmail, which are both common. It also hits on > a few verp sender addresses from random sites that appear to be > legit, and verp may become common. > > I don't have the messages, only syslog entries. Syslog shows the > envelope sender, but apparently the header From is the same. > Maybe someone else has sample messages for a proper report.
> Note: Also hits FROM_STARTS_WITH_NUMS (2.302). The envelope sender > starts with only one digit though-- is the header From different? we've had similar FPs when users sent mail from their mobile phoned via SMS/MMS - the From: address and local part were their phone numbers which made them hit. I was thinking if I have just to whitelist them, or better make an exception for those rules/sources (and how) -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. WinError #98652: Operation completed successfully.
