Jo Rhett wrote:
> On Feb 7, 2007, at 8:31 PM, Matt Kettler wrote:
>> As for LW_STOCK_SPAM4, it's being triggered by the fact that the message
>> is base-64 encoded text AND has a Date: header that's missing a proper
>> timezone. Apparently a batch of stock spam went out at some point with
>> both of these abnormal features. I have to admit, it's a pretty rare
>> combination.
> ....
>> years now, and nearly every normal email system has caught up by now.
>
> I get it for all crackberry messages.  Can the rule be modified to
> handle this?

In the standard config? No.. It's not a FP in the standard config, so
there's no reason to modify it.

That said, you could whip up a quick ruleset to compensate.

header __RCVD_CRACKBERRY   X-Spam-Relays-Untrusted =~ /rdns=[^=]{1,50}\.blackberry\.com/

meta CRACKBERRY_B64   (MIME_BASE64_TEXT && __RCVD_CRACKBERRY)
describe CRACKBERRY_B64   Base64 encoded text from Blackberry.
score CRACKBERRY_B64  -1.5


>
> (yes, I've already bugged them about this but until then...)
>
>> Of course, also consider that your spam threshold is 4.0, instead of
>> 5. By doing so, you've asked SA to catch more spam at the expense of
>> having more false positives. This is one of them that would not have
>> been tagged at 5.0.
>
> Short answer is that between 4.0 and 5.0 is 120 messages per day.  You
> do the math ;-)

119 spams: 1 nonspam, you do the math.

I'm not saying you shouldn't reduce your threshold. However, you should
expect there to be more FPs when doing so. It's a tradeoff, you have to
work both ends of the math.

And of course, this tradeoff between FPs and FNs is the whole reason why
the threshold is adjustable.

While we're at it, why is there so much spam at your network that's
under 5?
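
The compensating rule and the threshold tradeoff from this reply, exercised as an added example (not code from the original message). It compares a loosely written form of the `__RCVD_CRACKBERRY` pattern (unescaped dot before `com`, no boundary after the hostname) with a tightened one; the tightened pattern, the relay lines and the 4.6 base score are assumptions constructed for illustration.

```python
import re

# Loose form of the header pattern: the "." before "com" is unescaped and
# nothing marks the end of the hostname.
LOOSE = re.compile(r"rdns=[^=]{1,50}\.blackberry.com")
# Tightened variant (an assumption of this example, not from the thread):
# literal dots, no whitespace inside the hostname, whitespace right after it.
STRICT = re.compile(r"rdns=[^\s=]{1,50}\.blackberry\.com\s")

# Constructed, simplified X-Spam-Relays-Untrusted values; all hosts are made up.
RELAYS = {
    "genuine":   "[ ip=192.0.2.10 rdns=relay1.blackberry.com helo=relay1.blackberry.com by=mx.example.org ]",
    "suffix":    "[ ip=192.0.2.20 rdns=relay1.blackberry.com.example.net helo=a by=mx.example.org ]",
    "lookalike": "[ ip=192.0.2.30 rdns=mail.blackberry-com.example.net helo=a by=mx.example.org ]",
    "helo_only": "[ ip=192.0.2.40 rdns=host.example.net helo=relay1.blackberry.com by=mx.example.org ]",
}

def crackberry_b64(relays, mime_base64_text, pattern):
    """meta CRACKBERRY_B64 (MIME_BASE64_TEXT && __RCVD_CRACKBERRY)"""
    return mime_base64_text and pattern.search(relays) is not None

def final_score(base, relays, mime_base64_text, pattern, adjust=-1.5):
    """Apply the thread's -1.5 score when the meta rule fires."""
    if crackberry_b64(relays, mime_base64_text, pattern):
        return base + adjust
    return base

def tagged(score, threshold):
    """A message is tagged once its score reaches the required threshold."""
    return score >= threshold

def audit(pattern):
    """Sample relay lines that would earn the -1.5 on a base64 text message."""
    return sorted(k for k, v in RELAYS.items() if crackberry_b64(v, True, pattern))

if __name__ == "__main__":
    print("loose :", audit(LOOSE))
    print("strict:", audit(STRICT))
    base = 4.6  # constructed score that falls between the 4.0 and 5.0 thresholds
    for name, relays in RELAYS.items():
        s = final_score(base, relays, True, STRICT)
        print(f"{name:10s} score={s:.1f} tagged@4.0={tagged(s, 4.0)} tagged@5.0={tagged(s, 5.0)}")
```

Any rule that subtracts score is worth running against near-miss hostnames like these before deployment, since a negative score that fires too broadly lowers the effective threshold for unrelated mail.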
