On 2013/01/14 12:59, Ben Johnson wrote:


On 1/14/2013 2:49 PM, RW wrote:
On Mon, 14 Jan 2013 13:24:55 -0500
Ben Johnson wrote:


A clear pattern has emerged: the X-Spam-Status headers for very
obviously spammy messages never contain evidence that network tests
contributed to their SA scores.

Ultimately, I need to know whether:

a.) Network tests are not being run at all for these messages

b.) Network tests are being run, but are failing in some way

c.) Network tests are being run, and are succeeding, but return
responses that do not contribute to the messages' scores

I've had a look at the log entries to which I link in my previous
message and I just need a little help interpreting the "dns" and
"async" messages.

As I said before, it's not unusual for snowshoe spam to hit no net
tests at all. Also, obvious spam isn't any more likely to be in a
blocklist than less obvious spam.

However, try adding this to your SpamAssassin configuration, and
restart the appropriate daemon:

header   RCVD_IN_HITALL     eval:check_rbl('hitall-lastexternal', 'ipv4.fahq2.com.')
tflags   RCVD_IN_HITALL     net
score    RCVD_IN_HITALL     0.001


It should add a dns test that is hit for all mail delivered from an
IPv4 address.


Thanks, RW.

I understand that snowshoe spam may not hit any net tests. I guess my
confusion is around what, exactly, classifies spam as "snowshoe".

Are most/all of the BL services hash-based? In other words, if a known
spam message was added yesterday, will it be considered "snowshoe" spam
if the spammer sends the same message today and changes only one
character within the body?

If so, then I guess the only remedy here is to focus on why Bayes seems
to perform so miserably. It must be a configuration issue, because I've
sa-learn-ed messages that are incredibly similar for two days now and
not only do their Bayes scores not change significantly, but sometimes
they decrease. And I have a hard time believing that one of my users is
sa-train-ing these messages as ham and negating my efforts.

I have ensured that the spam token count increases when I train these
messages. That said, I do notice that the token count does not *always*
change; sometimes, sa-learn reports "Learned tokens from 0 message(s) (1
message(s) examined)". Does this mean that all tokens from these
messages have already been learned, thereby making it pointless to
continue feeding them to sa-learn?

If I receive one more uncaught message about how some mom is angering
doctors by doing something crazy to her face, I'm going to hunt down the
****er and rip her face OFF.

Finally, I added the test you supplied to my SA configuration, restarted
Amavis, and all messages appear to be tagged with RCVD_IN_HITALL=0.001.

As much as I might applaud that sentiment I'd like to note two things.
First, it might involve just a whole lot of nasty paperwork and unpleasant
contact with authorities. Second, the energy wasted doing that might have
been better spent had you learned how to create rules and recognize the
elements of a spam that are likely to be relatively unique so you can
create rules for it.

After a while creating rules to knock down such "stuff" can become fun.
(Then after a longer while it gets "old", sigh.)

Another thing to learn in the process is that what you consider to be
spam is another person's (jerk's?) ham. So crafting rules needs to be
done with care if you're filtering for more than one person. Erm, of
course this is what allowing per user rules is good for.

{^_^}
