On 10/02/2011 10:09, Chip M. wrote:
> mouss wrote:
>> with a stock config, and without Bayes, it now yields:
>
> Hmmm, interesting!
>
> Yes, all the "caught" spam here were due to RBL hits.
>
> Which begs the question, what SpamAssassin tests are hitting for
> the misses vs the kills?
>
> Here's what hit (here), for the first 38 missed spams:
>     Test                      Count
>     FH_HELO_EQ_D_D_D_D            2
>     FSL_HELO_DEVICE               1
>     FSL_HELO_NON_FQDN_1           1
>     HELO_DYNAMIC_HCC              2
>     HELO_DYNAMIC_IPADDR2          1
>     HELO_NO_DOMAIN                1
>     RCVD_IN_BL_SPAMCOP_NET       13
>     RCVD_IN_BRBL_LASTEXT          2
>     RCVD_IN_PBL                   2 *
>     RDNS_DYNAMIC                  3
>     RDNS_NONE                     1
>
> Here's what hit for the first 26 caught spams:
>     Test                      Count
>     AXB_HELO_HOME_UN              1
>     DATE_IN_FUTURE_Q_PLUS         1
>     FH_HELO_EQ_D_D_D_D           12
>     FSL_HELO_DEVICE               1
>     FSL_HELO_NON_FQDN_1           8
>     HELO_DYNAMIC_DHCP             3
>     HELO_DYNAMIC_IPADDR           9
>     HELO_DYNAMIC_IPADDR2          5
>     HELO_DYNAMIC_SPLIT_IP         1
>     HELO_LH_HOME                  1
>     HELO_NO_DOMAIN                8
>     RCVD_IN_BRBL_LASTEXT         22
>     RCVD_IN_PBL                  25 *
>     RCVD_IN_PSBL                  1
>     RCVD_IN_SORBS_DUL             3
>     RCVD_IN_XBL                   1
>     RDNS_DYNAMIC                 16
>     RDNS_NONE                    10
>
> The contrast in PBL hits is interesting.
> I wonder if RBLs list more aggressively if the IP is already on PBL?
> Just a casual thought/question. :)
>
>
>> here, it gets BAYES_99 as well.
>
> Is that based on feeding any of these to your Bayes?
>
No. It's from feeding unrelated spam (didn't even notice the campaign!).
That said, I have some accounts that are only used for specific purposes
(for example, the account I'm using now is only used for mailing list
mail, and since such mail is automatically moved to folders, what stays
in "inbox" is mostly spam - except for users who reply offlist but
ignore the reply-to header).

> I just checked my latest samples, and they're still identical,
> body-wise, so feeding should be extremely effective.
>
> I forgot to mention that these are hitting a few dictionary
> accounts which only receive spam from our old nemesis, the clever
> wavy-images/RTF/ZIP/etc guy. That's a major reason that I expect
> these to morph, real soon. :\
>
> In the past, that guy's campaigns have had a similarly low hit
> rate on PBL. I've always wondered how he/they achieve that.

"they" may check candidate IPs against PBL before sending spam. This is
why I think "generic dns" rules are a good thing, because they cover a
lot more than pbl. (unfortunately, they also hit legit people who don't
take the effort to get whitelisted...)
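
Added example (not part of the original messages): a Python script that rebuilds per-rule tallies like the ones quoted above from the X-Spam-Status header of hand-sorted spam, so rule coverage on missed and caught mail can be compared. The sample messages are constructed, and the script assumes every input message is confirmed spam.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not from the thread). Every message is assumed
# to be hand-confirmed spam, so "No" in X-Spam-Status means a missed spam.
SAMPLES = [
    "X-Spam-Status: No, score=2.1 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET,\n"
    "\tRDNS_DYNAMIC autolearn=no version=3.3.1\n\nbody\n",
    "X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=no\n\nbody\n",
    "X-Spam-Status: Yes, score=7.4 required=5.0 tests=FH_HELO_EQ_D_D_D_D,RCVD_IN_PBL,\n"
    "\tRDNS_DYNAMIC\n\tautolearn=no version=3.3.1\n\nbody\n",
    "X-Spam-Status: Yes, score=6.0 required=5.0 tests=HELO_NO_DOMAIN,RCVD_IN_PBL,RDNS_NONE autolearn=no\n\nbody\n",
    "Subject: never scanned\n\nbody\n",
]

STATUS_RE = re.compile(r"(Yes|No),.*?\btests=(.*?)(?=\s+\w+=|$)")

def parse_status(raw):
    """Return (is_spam, set of test names), or None if the header is absent."""
    hdr = message_from_string(raw).get("X-Spam-Status", "")
    # Unfold first: the tests= list is wrapped across continuation lines.
    m = STATUS_RE.match(" ".join(hdr.split()))
    if m is None:
        return None
    names = m.group(2).replace(" ", "").split(",")
    return m.group(1) == "Yes", {n for n in names if n and n != "none"}

def tally(messages):
    """Per-rule hit counts and message totals for caught vs. missed spam."""
    counts = {"caught": Counter(), "missed": Counter()}
    totals = Counter()
    for raw in messages:
        parsed = parse_status(raw)
        if parsed is None:
            continue  # unscanned mail says nothing about rule coverage
        is_spam, tests = parsed
        bucket = "caught" if is_spam else "missed"
        totals[bucket] += 1
        counts[bucket].update(tests)
    return counts, totals

def hit_rate(counts, totals, bucket, test):
    """Fraction of the messages in a bucket that hit the given rule."""
    return counts[bucket][test] / totals[bucket] if totals[bucket] else 0.0

if __name__ == "__main__":
    c, t = tally(SAMPLES)
    print({b: hit_rate(c, t, b, "RCVD_IN_PBL") for b in t})
```

Comparing hit_rate for the same rule across the two buckets gives the kind of contrast noted above for RCVD_IN_PBL.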