On 01/15/2011 01:36 AM, Ned Slider wrote:

In a year of running them locally I've never seen them hit on a ham
message. They appear to hit quite well for me because I pre-filter 95%+
of my spam at the SMTP level (greylisting, HELO checks, Spamhaus etc) so
SA only gets to see the difficult-to-catch stuff which might inflate the
percentage hits. As I said, they typically hit against bank phish sent
from compromised accounts on legit servers hence why they make it
through greylisting and many DNSBLs.

In my corpus of 3402 spam I see NSL_RCVD_FROM_USER hit 604 (17.8%) and
NSL_RCVD_HELO_USER hit 181 (5.3%). As there is (virtually?) no overlap,
that's a combined hit rate of ~23%, the vast majority of which I would
bet is bank phish. That is why I say these rules perform well for me -
once you take out the spam that's trivial to filter (spambot spam), the
hit rate against the remaining spam goes up.

It seems that NSL_RCVD_FROM_USER is indeed safe (no FP's except for trec_enron), but the spam hit rate may vary wildly on different targets. My servers without any pre-spamassassin filters are seeing ~0.5-1.5% hit rates.

72_scores.cf
score NSL_RCVD_FROM_USER                    1.180 1.226 1.180 1.226

spamassassin-3.3.x already has NSL_RCVD_FROM_USER with a production score. I am confused as to how NSL_RCVD_FROM_USER got this score, because AFAICT NSL_RCVD_FROM_USER was not in the 3.3 masscheck.

In any case, OR with NSL_RCVD_FROM_HELO isn't going to be helpful as you're only piling up more score. Assigning a score to the HELO rule might be a good idea if we are certain it is safe. OTOH, the masschecks indicate very few hits at all on that rule.

Warren
