Hi,

>> I'm not sure which of those scored what. [...]
>
> Seconded. I do see quite a few custom rules. How much did they score?

My apologies; I hadn't realized so much of it was non-standard. It's
otherwise obviously not very possible to help without knowing what the
rules are for if you haven't seen them. I've re-run the spam through
SA. It looks like the bayes score has now changed, now making the
score 8.2. I've also reduced the L_UNVERIFIED_GMAIL down to 0.5 from
2.5.

X-Spam-Report:
        *  2.0 RELAYCOUNTRY_HIGH Relayed by a country thats a bad spam source
        *  0.0 RELAYCOUNTRY_US Relayed through United States
        *  1.0 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
        *  0.5 FREEMAIL_FROM Sender email is freemail (learnlivelove[at]gmail.com)
        * -0.0 SPF_PASS SPF: sender matches SPF record
        * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
        *  0.0 DKIM_SIGNED Domain Keys Identified Mail: message has a signature
        *  0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60%
        *      [score: 0.5000]
        *  1.1 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.0 T_TVD_FW_GRAPHIC_ID1 BODY: T_TVD_FW_GRAPHIC_ID1
        *  1.4 SARE_GIF_ATTACH FULL: Email has a inline gif
        *  1.6 PART_CID_STOCK Has a spammy image attachment (by Content-ID)
        *  0.5 L_UNVERIFIED_GMAIL L_UNVERIFIED_GMAIL

Should SARE_GIF_ATTACH be such a high value by default?

full     SARE_GIF_ATTACH   /name=\"?[0-9a-z._\-]{3,18}\.gif\"?/i
describe SARE_GIF_ATTACH   Email has a inline gif
score    SARE_GIF_ATTACH   1.42

I think this one might also be too aggressive by default?

meta PART_CID_STOCK (__ANY_IMAGE_ATTACH&&__PART_STOCK_CID&&!__PART_STOCK_CL&&!__PART_STOCK_CD_F)
describe PART_CID_STOCK  Has a spammy image attachment (by Content-ID)

> Even more strange, there is a T_ prefixed rule, which of course is not
> stock. And generally used for NON-published rules still in evaluation.
> How did that one end up in there? What does it score?

That originated in updates_spamassassin_org/72_active.cf, so it's part
of the channel updates:

mimeheader T_TVD_FW_GRAPHIC_ID1 Content-Id =~ /<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}\@/

Thanks,
Alex
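
Added example, not part of the message above and not SpamAssassin's own code: the two regex patterns quoted in the message, applied from Python to constructed messages to show which mail each rule fires on. The function names, the sample addresses, file names and Content-Id values are assumptions made for illustration.

```python
import re
from email import message_from_string

# Patterns copied from the rules quoted in the message above.
# SARE_GIF_ATTACH is a "full" rule: it is matched against the raw message.
SARE_GIF_ATTACH = re.compile(r'name="?[0-9a-z._\-]{3,18}\.gif"?', re.I)
# T_TVD_FW_GRAPHIC_ID1 is a "mimeheader" rule on each part's Content-Id.
TVD_FW_GRAPHIC_ID1 = re.compile(r'<[0-9a-f]{12}(?:\$[0-9a-f]{8}){2}@')

def rule_hits(raw):
    """Return the set of rule names that fire on a raw message string."""
    hits = set()
    if SARE_GIF_ATTACH.search(raw):
        hits.add("SARE_GIF_ATTACH")
    for part in message_from_string(raw).walk():
        if TVD_FW_GRAPHIC_ID1.search(part.get("Content-Id", "")):
            hits.add("T_TVD_FW_GRAPHIC_ID1")
    return hits

def build(filename, content_id):
    """Constructed sample: HTML part plus one inline image part."""
    return (
        "From: sender@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/html\n"
        "\n"
        '<html><img src="cid:x"></html>\n'
        "--b1\n"
        f'Content-Type: image/gif; name="{filename}"\n'
        f"Content-Id: {content_id}\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "R0lGODlhAQABAAAAACw=\n"
        "--b1--\n"
    )

# Constructed cases: an ordinary inline logo, a part whose Content-Id has
# the 12/8/8 hex layout the T_ rule looks for, and a non-GIF attachment.
plain_logo = build("logo.gif", "<logo@example.com>")
hex_cid = build("a1b2c3.gif", "<0123456789ab$01234567$89abcdef@example.com>")
jpeg_part = build("photo.jpg", "<logo@example.com>")
```

Any message carrying a GIF part with a short file name, such as the constructed `logo.gif` case, hits SARE_GIF_ATTACH on the name alone, which is the behaviour the question about its 1.42 default is asking about.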
