Hi, I'm curious about the SHORT_WORD_LINES, KAM_LINEPADDING and HK_RANDOM rules. I received a legitimate email from a gmail sender that was pushed beyond 5.0 because of these rules. It hit both SCC_5_SHORT_WORD_LINES and SCC_10_SHORT_WORD_LINES, and because a score isn't explicitly set, the two rules added 2.0 points to the score.
describe SCC_5_SHORT_WORD_LINES 5 lines with many short words meta SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5 describe SCC_10_SHORT_WORD_LINES 10 lines with many short words meta SCC_10_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 10 describe SCC_20_SHORT_WORD_LINES 20 lines with many short words meta SCC_20_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 20 describe SCC_35_SHORT_WORD_LINES 35 lines with many short words meta SCC_35_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 35 KAM_LINEPADDING was hit because it was a longer email chain that involved many ">" line characters. rawbody __KAM_LINEPADDING /(\n[^\n]){8}/ meta KAM_LINEPADDING (__KAM_LINEPADDING >= 1) score KAM_LINEPADDING 1.2 describe KAM_LINEPADDING Spam that tries to get past blank line filters 1.0 HK_RANDOM_FROM From username looks random 1.0 HK_RANDOM_ENVFROM Envelope sender username looks random The envelope-from and From address were both the same ( killercopywriting...@gmail.com), so because they "look random" another 2.0 points were added. Add to that the IP Gmail used to send it had a relatively poor sender score: 0.7 RCVD_IN_SENDERSCORE_70_79 RBL: Senderscore.org score of 70 to 79 [209.85.208.54 listed in score.senderscore.com] It also hit BAYES_50, which pushed it beyond 5.0. Of course I could welcomelist the sender, train bayes or manually reduce the scores of these rules, but they stood out to me as something that's worth consideration. Should they be reevaluated?