mouss wrote:
>with a stock config, and without Bayes, it now yields:
Hmmm, interesting!
Yes, all the "caught" spam here were due to RBL hits.
Which begs the question, what SpamAssassin tests are hitting for
the misses vs the kills?
Here's what hit (here), for the first 38 missed spams:
Test Count
FH_HELO_EQ_D_D_D_D 2
FSL_HELO_DEVICE 1
FSL_HELO_NON_FQDN_1 1
HELO_DYNAMIC_HCC 2
HELO_DYNAMIC_IPADDR2 1
HELO_NO_DOMAIN 1
RCVD_IN_BL_SPAMCOP_NET 13
RCVD_IN_BRBL_LASTEXT 2
RCVD_IN_PBL 2 *
RDNS_DYNAMIC 3
RDNS_NONE 1
Here's what hit for the first 26 caught spams:
Test Count
AXB_HELO_HOME_UN 1
DATE_IN_FUTURE_Q_PLUS 1
FH_HELO_EQ_D_D_D_D 12
FSL_HELO_DEVICE 1
FSL_HELO_NON_FQDN_1 8
HELO_DYNAMIC_DHCP 3
HELO_DYNAMIC_IPADDR 9
HELO_DYNAMIC_IPADDR2 5
HELO_DYNAMIC_SPLIT_IP 1
HELO_LH_HOME 1
HELO_NO_DOMAIN 8
RCVD_IN_BRBL_LASTEXT 22
RCVD_IN_PBL 25 *
RCVD_IN_PSBL 1
RCVD_IN_SORBS_DUL 3
RCVD_IN_XBL 1
RDNS_DYNAMIC 16
RDNS_NONE 10
The contrast in PBL hits is interesting.
I wonder if RBLs list more aggressively if the IP is already on PBL?
Just a casual thought/question. :)
>here, it gets BAYES_99 as well.
Is that based on feeding any of these to your Bayes?
I just checked my latest samples, and they're still identical,
body-wise, so feeding should be extremely effective.
I forgot to mention that these are hitting a few dictionary
accounts which only receive spam from our old nemesis, the clever
wavy-images/RTF/ZIP/etc guy. That's a major reason that I expect
these to morph, real soon. :\
In the past, that guy's campaigns have had a similarly low hit
rate on PBL. I've always wondered how he/they achieve that.
- "Chip"
