On 02/01/12 06:03, Alex wrote:
Hi,
http://pastebin.com/raw.php?i=1Y5QCkfh
http://pastebin.com/raw.php?i=KdmZXM0d
give dkim invalid positive score if it was not pass on received?
add sbcglobal.net to freemail_domains
add sanjit.in to local.cf url rule
Thanks for your help. I should have been more clear about what I've
already done to prevent these. I've already created some simple rules,
including a local URIBL, that blocks these once they have been
identified. They used to contain a unique pattern in the HTML
component of the email, but they're only including a text content type
now.
What I haven't been able to figure out is a more generalized pattern
from these, such as something in the header that is inconsistent with
non-spam or contains some type of invalid header data, such as the
mismatch between having originated at yahoo but being sent as
sbcglobal?
Shouldn't bayes have picked this up after learning a dozen or more of these?
IMHO, yes. Are you sure you are training bayes correctly? Are you using
the same user to train bayes as the user that is running SA? Work
through some of the advice already given regarding bayes.
From running your examples locally, I note:
sanjit.in is now listed in a couple URIBLs (URIBL_PH_SURBL &
URIBL_HOSTKARMA_BL) - don't know if it was listed at the time you
received them.
They hit some local meta rules I have combining FREEMAIL_FROM with
__HAS_ANY_URI, __MANY_RECIPS, and various missing/blank subject rules.
For me these are relatively good indicators of FREEMAIL spam.
Also, as I see very little legit mail from AOL I also nail from @aol.com
with 6 pts and then whitelist any legit senders with an AOL email
address. YMMV.
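
The suggestions in this thread, written out as a local.cf fragment. This is an added example, not configuration posted by anyone in the thread. The LOCAL_* rule names, every score except the 6 points for @aol.com, and the whitelisted address are assumptions, and it presumes the FreeMail plugin is loaded and that the __HAS_ANY_URI and __MANY_RECIPS subrules exist in the installed ruleset.

```conf
# local.cf fragment (added example; LOCAL_* names and scores are hypothetical)

# Treat sbcglobal.net as a freemail provider so FREEMAIL_FROM fires for it.
freemail_domains sbcglobal.net

# Local URI rule for the domain seen in the samples.
uri       LOCAL_URI_SANJIT      /\bsanjit\.in\b/i
describe  LOCAL_URI_SANJIT      Links to a domain seen in local spam samples
score     LOCAL_URI_SANJIT      3.0

# Freemail sender + any URI + many recipients.
meta      LOCAL_FM_URI_RCPTS    (FREEMAIL_FROM && __HAS_ANY_URI && __MANY_RECIPS)
describe  LOCAL_FM_URI_RCPTS    Freemail sender, URI in body, many recipients
score     LOCAL_FM_URI_RCPTS    2.0

# Same combination when the Subject header is missing as well.
meta      LOCAL_FM_URI_NOSUBJ   (FREEMAIL_FROM && __HAS_ANY_URI && MISSING_SUBJECT)
describe  LOCAL_FM_URI_NOSUBJ   Freemail sender, URI in body, no Subject header
score     LOCAL_FM_URI_NOSUBJ   2.0

# Site policy from the reply: 6 points for any @aol.com sender ...
header    LOCAL_FROM_AOL        From:addr =~ /\@aol\.com$/i
describe  LOCAL_FROM_AOL        Sender address is at aol.com
score     LOCAL_FROM_AOL        6.0

# ... with known-good senders exempted. whitelist_auth only applies when
# the message passes SPF or DKIM for that address. Address is constructed.
whitelist_auth  known.sender@aol.com
```

Run `spamassassin --lint` after editing local.cf; it reports meta rules that reference subrules missing from the installed ruleset.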