On Sat, 05 Mar 2016 04:09:55 -0000, David B Funk <dbf...@engineering.uiowa.edu> wrote:

On Fri, 4 Mar 2016, Alex wrote:
I have a legitimate mail that received 2.8 points, making it spam, as
a result of what appears to be a false positive with DOS_OUTLOOK_TO_MX

http://pastebin.com/dbm2Q4k6

There doesn't seem to be any desktop system involved, just direct
communication with the sender's service provider. Is this the cause?

Is it possible this rule has a problem, or perhaps just the score is too high?

I'm not trying to defend the score value, just saying that the rule firing seems reasonable (i.e. doesn't look like a FP).

I will defend the (default) score since the sample in pastebin scored 6.156.

It also hit 3 non-standard rules:

KAM_LAZY_DOMAIN_SECURITY=1
RELAYCOUNTRY_MED=0.5
SAGREY=0.01

That's 1.6 points which means with the default ruleset this mail would've only scored 4.556 and not been classified as spam (both by default on that system).

It's oft repeated that the scoring algorithm is designed to optimise at 5.0, the masschecks are done using only default rules for example, and the goal is to use 5.0 as the dividing line. Since this false positive isn't actually a false positive under default ruleset then the default score has done exactly the job it should do. I'd suggest on that logic the three additional rules are the ones that made the message spam.

If you add rules to your system sometimes you'll need to adjust the scores of default rules and/or you'll need to change the threshold at which mails become marked as spam. Local adjustments lead to more local adjustments. Although not specifically what we're talking about in this case, and also a few years old now, http://taint.org/2008/02/29/155648a.html does talk about why local modifications don't always have the expected result.

Note: I'm not saying don't make local adjustments, I know I have many, more that it's important to understand that adding plus or minus scores to a balanced system can lead to an imbalance and you may need to make changes to compensate for your decisions.

I also note this sample got 0.8 points from hitting BAYES_50 which is another 0.8 points (not a problem in a default scoring system since it still doesn't go above 5.0). However BAYES_20 would've scored -0.01 instead, knocking a further 0.81 from the final score. BAYES_00 scores -1.9 which would've shaved 2.7 points off of the sample given. If these messages are common enough to investigate these scores then in theory they should be common enough to train into bayes, therefore with additional training of ham bayes would stop this becoming a false positive even with the additional rules.
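The triage reasoning in the message above can be scripted. This is an added example, not code from the thread or from SpamAssassin: it parses a `NAME=score` hit list, recomputes the total without locally added rules, and shows what each other Bayes bucket would do to the total. The sample hit list is constructed from only the rules and scores quoted in the thread, and `LOCAL_RULES` is an assumed admin-maintained set.

```python
from decimal import Decimal

# Constructed sample: only the hits and scores quoted in the thread. The real
# message hit other rules too, so this total is not the thread's 6.156.
SAMPLE_TESTS = ("BAYES_50=0.8,DOS_OUTLOOK_TO_MX=2.8,"
                "KAM_LAZY_DOMAIN_SECURITY=1,RELAYCOUNTRY_MED=0.5,SAGREY=0.01")
# Assumption: the admin keeps a set of rule names added on top of the stock set.
LOCAL_RULES = {"KAM_LAZY_DOMAIN_SECURITY", "RELAYCOUNTRY_MED", "SAGREY"}
# Bayes bucket scores as quoted in the thread.
BAYES_SCORES = {"BAYES_00": Decimal("-1.9"), "BAYES_20": Decimal("-0.01"),
                "BAYES_50": Decimal("0.8")}
THRESHOLD = Decimal("5.0")  # default dividing line discussed in the thread


def parse_tests(tests):
    """Parse 'NAME=score,NAME=score' into {name: Decimal}."""
    hits = {}
    for item in tests.split(","):
        name, sep, score = item.strip().partition("=")
        if not sep or not name:
            raise ValueError(f"malformed rule hit: {item!r}")
        hits[name] = Decimal(score)  # Decimal avoids float rounding near 5.0
    return hits


def total(hits):
    return sum(hits.values(), Decimal(0))


def analyse(tests, local_rules=LOCAL_RULES):
    """Report the stock-only score and per-bucket Bayes what-if totals."""
    hits = parse_tests(tests)
    stock = {n: s for n, s in hits.items() if n not in local_rules}
    report = {
        "total": total(hits),
        "stock_only": total(stock),
        # True when the message is spam only because of local additions.
        "local_rules_flipped_verdict":
            total(hits) >= THRESHOLD and total(stock) < THRESHOLD,
        "bayes_what_if": {},
    }
    current = next((n for n in hits if n in BAYES_SCORES), None)
    for bucket, score in BAYES_SCORES.items():
        if current and bucket != current:
            swapped = {n: s for n, s in hits.items() if n != current}
            swapped[bucket] = score  # same message, different Bayes verdict
            report["bayes_what_if"][bucket] = total(swapped)
    return report
```

On the constructed sample the local rules alone move the total across 5.0, and either lower Bayes bucket brings it back under with the local rules still in place.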
