Hi,

>>>> # 2013 cars local dealership
>>>> http://pastebin.com/3bEMiV3B
>>>
>>> URI in that sample
>>>
>>> pohformed.com listed on black.uribl.com
>>> pohformed.com listed on jp.surbl.org
>>> pohformed.com listed on sc.surbl.org
>>> pohformed.com listed on dbl.spamhaus.org
>>
>> I know I should have mentioned that. Yes, I'm using the above RBLs,
>> and they're all correctly tagged here now.
>>
>> I was hoping for something more preemptive to trigger on these more
>> generally because the IPs are only used for a short while, but long
>> enough to get 25 spams in from the address. I was hoping to find
>> commonalities between the messages that could be used to generate some
>> other rules.
>>
>
> Isn't this the function that Bayes is intended to serve, rather precisely?

For the most part, my FNs typically do hit bayes99. This example hit bayes80, although many times they do only hit bayes50, despite training them regularly.

I really don't think there's a problem with my bayes database, due to the frequency with which I see bayes99 in my FNs. This is especially true for the yahoo compromised account single-link spam. The headers are always nearly identical and the body is either a single URL or a bunch of html junk with a link embedded in it.

Of course after learning these messages, then running through SA again, they hit bayes99. The next one that comes in is apparently just different enough to not quite hit bayes99.

I even periodically go through the quarantine, and train those which have only hit bayes50.

John Hardin wrote:
> As was suggested earlier: greylisting?

I really don't think my users would tolerate the delay, so I've never implemented it. They would have vendors calling them on the phone complaining, not to mention users.

From what I understand the delay can be multiple minutes, correct? I'd imagine there's support for whitelisting an IP after receiving multiple messages over some extended period? Is it something suitable for an environment with a few hundred thousand messages per day?

Axb wrote:
> pohformed.com's A record 66.197.138.39 listed on sbl.spamhaus.org

Can this be implemented in v3.2 or as a postfix rhsbl? Isn't it already included in zen, which I'm already implementing at SMTP time?

Thanks,
Alex