Chip M. wrote:
> 
> Owen, particularly with 419/scam spams, it's VERY helpful if you
> tell us more about your ham ecology.
> 
> It would also be helpful if you told us about your FP pipeline.
> For example:  Do you have a corpus?  Can you easily analyze
> individual SA hits on ham, over an extended period?
> 
> The better your pipeline, the more aggressive you can be.
> If you have a deep understanding of your own ham ecology
> (based on analyzing data over multiple years), you can make
> informed decisions as to how to slant your tests.
> 
> 
> From your use of Nabble, I infer you are a small domain, with
> mostly/completely non-arms-length users.  From your domain name,
> I infer your userbase consists partly (perhaps completely) of
> Nerds. :)
> 
> If those inferences are correct, here are some things that should
> help:
>  1. raise the score for "SUBJ_ALL_CAPS" and some scammy tests
>  2. use a "FreeMail" plugin
>  3. use a country of origin/route plugin
> 
> 
> #1 is low-risk in a "pure Nerd" ham environment.  In Nerd/Geek ham,
> it hits most often on forwarded chain letters, and other crud, so
> even if it FPs, it's minimal "harm".
> 
> You might also want to tweak all the AdvanceFee/scam SA tests,
> including "ADVANCE_FEE_[n]", "DEAR_FRIEND", "MILLION_USD",
> "US_DOLLARS_[n]".  Of those, the first two occur occasionally in
> ham, but usually it's of low loss/FP value.
> 
> 
> #2 should hit on about half of your samples (I'm using a different
> implementation, so can't verify the exact performance - perhaps
> someone with the SA plugin can run your samples and report?).
> 
> Note that your middle scoring samples ALL should hit the FreeMail
> plugin.
> 
> 
> #3 is somewhat controversial, and if implemented must be done
> VERY carefully.
> 
> I hope we can all agree that scoring West Africa, particularly in
> combination with scam oriented metas, has an excellent risk-reward
> ratio.  So far this year, over half of all my AdvanceFee-ish spams
> have been sent via West Africa (typically originating there, and
> sent via a compromised USA/WEurope IP).
> 
> Here's a dump of the complete Countries routes of your samples
> (frequency first, then square brackets around the IP immediately
> outside your own network):
>  2 [France], Nigeria
>  1 [India], Japan
>  3 [Netherlands], Mexico
>  1 [Taiwan]
>  1 [United States], United States, Great Britain
> 
> In your samples, the lowest scoring three just happened to have the
> most unlikely nations (Nigeria, India+Japan) in their routes.
> That won't always be so.
> 
> I would NEVER block the Netherlands (it _IS_ one of the Geekiest
> nations on the planet!), however it does have many freemailers who
> are often compromised, so when it occurs in COMBINATION with an
> "unlikely" nation like Mexico, it's worth considering a CAUTIOUS
> score.
> 
> 

OK, in terms of my domain, it's a collection of, yes, nerdy users : ) It's
mostly friends, plus one guy who has a fleet of users of his own that I
maintain but don't know. However, in terms of my complaints about spam, they
relate only to my own mail. My other users don't complain to me about spam,
and I don't take it upon myself to monitor their spam folders for false
positives. That said, for my own case, I hardly get any. Maybe 1-2 a month,
and those are always because of over-scoring on FREEMAIL_FROM.

So, I will bump the scores of some of the tests you mentioned. I was hoping
for a less fiddly solution, like "install this plugin/rule set," but that's
OK.

Can you recommend a country of origin/route plugin for me to look at? I'm
not sure how I would search for one.
-- 
View this message in context: 
http://www.nabble.com/Lots-of-419-scam-and-investment-spams-getting-through-suddenly-tp24079208p24118767.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

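Since the reply asks what a country-of-origin/route setup would look like, here is an added example of a SpamAssassin `local.cf` fragment that implements the three points from the quoted message. It is not from this thread or from either poster. It assumes SpamAssassin's bundled RelayCountry plugin (which needs the IP::Country::Fast Perl module on 3.2-era installs and adds an `X-Relay-Countries` pseudo-header listing the ISO code of every relay in the Received chain) and a FreeMail plugin that defines `FREEMAIL_FROM`. The score values, the West African country-code list (the thread names only Nigeria), and the rule names `__RELAYCOUNTRY_*`, `WAFRICA_SCAM`, `NL_MX_ROUTE` and `FREEMAIL_SCAM` are assumptions to be tuned against your own ham corpus.

```conf
# Added example, not part of the mailing-list thread. Scores and the
# made-up rule names below are assumptions; only SUBJ_ALL_CAPS, DEAR_FRIEND,
# MILLION_USD and FREEMAIL_FROM are rules named in the discussion.

# 1. Raise the all-caps-subject and advance-fee scores. Low FP cost in a
#    "pure Nerd" ham environment, where they mostly hit forwarded chain mail.
score SUBJ_ALL_CAPS  2.5
score DEAR_FRIEND    3.0
score MILLION_USD    3.0

# 2. FreeMail: leave FREEMAIL_FROM's own score alone (it is the source of
#    the few FPs mentioned) and let it add weight only when it co-occurs
#    with scam-oriented tests.
ifplugin Mail::SpamAssassin::Plugin::FreeMail
meta     FREEMAIL_SCAM  (FREEMAIL_FROM && (DEAR_FRIEND || MILLION_USD))
describe FREEMAIL_SCAM  Free webmail sender combined with advance-fee wording
score    FREEMAIL_SCAM  2.0
endif

# 3. Country of origin/route. Rules prefixed "__" are unscored sub-rules
#    that only feed the meta rules, so no country is scored on its own.
loadplugin Mail::SpamAssassin::Plugin::RelayCountry
ifplugin Mail::SpamAssassin::Plugin::RelayCountry
# West Africa anywhere in the relay chain (code list is an assumption).
header   __RELAYCOUNTRY_WAFRICA  X-Relay-Countries =~ /\b(?:NG|GH|CI|BJ|TG|SN)\b/

# Score West Africa only in combination with scam metas: the point with
# the good risk/reward ratio, not a blanket country block.
meta     WAFRICA_SCAM  (__RELAYCOUNTRY_WAFRICA && (DEAR_FRIEND || MILLION_USD || FREEMAIL_FROM))
describe WAFRICA_SCAM  West African relay plus advance-fee indicators
score    WAFRICA_SCAM  3.5

# Never score the Netherlands alone; give a cautious score only when it
# co-occurs with an "unlikely" nation such as Mexico, as in the samples.
header   __RELAYCOUNTRY_NL  X-Relay-Countries =~ /\bNL\b/
header   __RELAYCOUNTRY_MX  X-Relay-Countries =~ /\bMX\b/
meta     NL_MX_ROUTE  (__RELAYCOUNTRY_NL && __RELAYCOUNTRY_MX)
describe NL_MX_ROUTE  Netherlands relay combined with a Mexico hop
score    NL_MX_ROUTE  0.5
endif
```

Run `spamassassin --lint` after adding this, then `spamassassin -t < sample.eml` on each of the samples to confirm which rules fire; the `X-Relay-Countries` header in the test output shows the exact route string the `header` rules match against. Because the `__` sub-rules carry no score, a message relayed through Nigeria or the Netherlands with none of the scam tests hitting gets no points from this fragment, which is what keeps the country part cautious.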