Karsten Bräckelmann <[EMAIL PROTECTED]> writes: > On Fri, 2008-05-30 at 16:21 -0400, Greg Troxel wrote: >> I have recently understood AWL better, and am wondering if there should >> be some minimum number of entries before AWL is applied. I often get >> spam that doesn't score that high due to being a fresh relay. If I >> rescore it with '|spamassassin -t' after a few days, often it's on >> blacklists and scores a lot higher, but is pulled down by AWL. > > What do you gain by re-scoring?
Nothing useful. I noticed this after getting spam that had a URI that wasn't on URIBL, reporting it and finding that it was added, and then going to check if the rules then picked it up. So I am really wondering about the scenario of get spam that scores moderately, say 2 [time passes, spam's sender or URI get on blocklists] get same spam from same sender/net that scores 8 (same rules, plus SPAMCOM_BL, URIBL) but it gets moved down to 5 based on the previous message I think I have seen this, but I'm not 100% sure - this was the motivation for wanting to see more data on the AWL report line. > While the subject (and the name, Auto White List) might be confusing, > the main purpose AFAIK actually is to *white* list good senders, that > occasionally happen to send a spammy looking message. After all, most > senders are forged, and an "auto black list" effect is rather unlikely. > Even more so, since AWL takes the senders source net into account. > (Didn't grep through my corpus though, going from memory. ;) Sure, I see the point, but it gives credit to a very-spammy message for a previous semi-spammy message too, and that is in general reasonable. >> So, I wonder if a rule that said 'AWL is only applied if there are >=5 >> scores in the average' would avoid giving credit for spam that arrived >> when it wasn't classified as high as it should be now. > > Again, I don't see why you would re-score messages days later. I didn't mean to rescore. I find that a lot of spam is repeated, and even has the same from address and ip. I am trying to avoid for the next instance giving credit for a previous non-spammy message when the previous message was just as spammy, just not noticed as such because it wasn't in blocklists yet. > However, some mechanism to clean out single message senders, has been > mentioned before, and IIRC should be a known feature request. A (low) > threshold before AWL kicks in, possibly combined with a timeout for > pruning single message senders would be rather related. Thanks for the comments. I've put this on my todo list (which doesn't mean it will happen anytime soon :-).
