Re: Counting RAZOR2 hits
On 17.08.09 20:33, Matt Kettler wrote: You can also set your min_cf in your razor config files, which will affect when the RAZOR2_CHECK rule fires. This does work in SpamAssassin, as I have over-ridden the min_cf on my own system, and have done so for years. On Mon, 2009-08-17 at 09:52 +0200, Matus UHLAR wrote: There's no min_cf gor RAZOR and there's no public hitcount. RAZOR2 has internal trust system which counts reports and revokes from its users/reporters and uses those to decide if the message is listed or not. Karsten Bräckelmann wrote: There is -- the minimum confidence level is the second option for the check_razor2_range() eval rule. Aha I see. the number is the spam confidence in percents. There's no config option for SA, but there's config option for razor. setting min_cf affects RAZOR2_CHECK but it does not affect RAZOR2_CF_RANGE_51_100 RAZOR2_CF_RANGE_E4_51_100 nor RAZOR2_CF_RANGE_E8_51_100, and default scores for last two (1.5) are higher than for first two (0.5), to playing with min_cf changes only 0.5 points unless user changes his score... now I understand it a bit more :-) On 15.08.09 14:32, Matt Kettler wrote: That means it was found and was above your min_cf. i.e.: Razor believes it is spam. to be a bit more precise: It means that razor is at least ${min_cf}% sure it is spam. the min_cf default value is configured by razor servers... note that it is not the hit count... The private part of Razor's trust system has to do with how much impact your reports have on the cf values everyone else gets when they query razor. However, you're free to tweak razor to be more or less aggressive. The razor system also advertizes a suggested cf value, which they call ac (average confidence?) and you can define min_cf to either be your own absolute value (ie: 10), or relative to the advertized one (ie: ac+10, or ac-5). Razor's cf's go from -100 to +100. I think it's from 0 to 100 :-) -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. To Boot or not to Boot, that's the question. [WD1270 Caviar]
Re: Counting RAZOR2 hits
MySQL Student wrote: I thought grep -c RAZOR2_CHECK through my mail logs would give me a good approximation of the number of times RAZOR2 was consulted, but that doesn't seem to be the case. There are some mails that don't have it listed in the tests= section. I've also tried the razor-* commands, and they don't appear to be able to help here either. What am I missing? Does RAZOR2_CHECK mean that it was found in the RAZOR2 db, or that it merely consulted the db? On 15.08.09 14:32, Matt Kettler wrote: That means it was found and was above your min_cf. i.e.: Razor believes it is spam. There's no min_cf gor RAZOR and there's no public hitcount. RAZOR2 has internal trust system which counts reports and revokes from its users/reporters and uses those to decide if the message is listed or not. This ain't easy to decide, see http://www.evanmiller.org/how-not-to-sort-by-average-rating.html (currently down, I hope not for long) and unless we'd provide similar counting system (which should be imho used for PYZOR currently only counting reports and not whitelists) it would be very bad to only count hits. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. You have the right to remain silent. Anything you say will be misquoted, then used against you.
Re: Counting RAZOR2 hits
On Mon, 2009-08-17 at 09:52 +0200, Matus UHLAR wrote: On 15.08.09 14:32, Matt Kettler wrote: That means it was found and was above your min_cf. i.e.: Razor believes it is spam. There's no min_cf gor RAZOR and there's no public hitcount. RAZOR2 has internal trust system which counts reports and revokes from its users/reporters and uses those to decide if the message is listed or not. There is -- the minimum confidence level is the second option for the check_razor2_range() eval rule. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Counting RAZOR2 hits
Karsten Bräckelmann wrote: On Mon, 2009-08-17 at 09:52 +0200, Matus UHLAR wrote: On 15.08.09 14:32, Matt Kettler wrote: That means it was found and was above your min_cf. i.e.: Razor believes it is spam. There's no min_cf gor RAZOR and there's no public hitcount. RAZOR2 has internal trust system which counts reports and revokes from its users/reporters and uses those to decide if the message is listed or not. There is -- the minimum confidence level is the second option for the check_razor2_range() eval rule. You can also set your min_cf in your razor config files, which will affect when the RAZOR2_CHECK rule fires. This does work in SpamAssassin, as I have over-ridden the min_cf on my own system, and have done so for years. The private part of Razor's trust system has to do with how much impact your reports have on the cf values everyone else gets when they query razor. However, you're free to tweak razor to be more or less aggressive. The razor system also advertizes a suggested cf value, which they call ac (average confidence?) and you can define min_cf to either be your own absolute value (ie: 10), or relative to the advertized one (ie: ac+10, or ac-5). Razor's cf's go from -100 to +100. see man razor-agent.conf for further details on how to configure razor, if you're so inclide.
Re: Counting RAZOR2 hits
Hi, You can also set your min_cf in your razor config files, which will affect when the RAZOR2_CHECK rule fires. This does work in SpamAssassin, as I have over-ridden the min_cf on my own system, and have done so for years. Thanks to everyone for their great ideas thus far. I'm looking forward to working through it to learn more. I'm seeing a lot of FNs that include various RAZOR rules, but still don't have enough points to be tipped. Are there meta rules that people have created and can share that might help? How about combining it with BOTNET? The ones that have BAYES_99 and most of the SURBLS and RAZOR* are all properly tagged already, but many only have BAYES_50. Some have only RAZOR2_CHECK and contain an inline image. X-Spam-Status: No, hits=4.1 tagged_above=-300.0 required=5.0 use_bayes=1 tests=BAYES_50, HTML_MESSAGE, RAZOR2_CF_RANGE_51_100, RAZOR2_CF_RANGE_E8_51_100, RAZOR2_CHECK, RDNS_NONE, RELAYCOUNTRY_US, SPF_HELO_PASS, SPF_PASS score RAZOR2_CHECK 0 0.9 0 0.9 score RAZOR2_CF_RANGE_51_100 0 0.8 0 0.8 score RAZOR2_CF_RANGE_E4_51_100 0 1.8 0 1.8 score RAZOR2_CF_RANGE_E8_51_100 0 1.5 0 1.5 I see now that RAZOR2_RANGE_E8 should also be at least 1.8, which I've now changed. Does everyone do their own mass-checks these days? How do you go about analyzing the FNs to figure out why they aren't caught and adjust the scores? Of course they need to be looked at individually for additional patterns, but how are the scores best personalized of the rules that are triggered? Thanks, Alex
Counting RAZOR2 hits
Hi, I thought grep -c RAZOR2_CHECK through my mail logs would give me a good approximation of the number of times RAZOR2 was consulted, but that doesn't seem to be the case. There are some mails that don't have it listed in the tests= section. I've also tried the razor-* commands, and they don't appear to be able to help here either. What am I missing? Does RAZOR2_CHECK mean that it was found in the RAZOR2 db, or that it merely consulted the db? Thanks, Alex
Re: Counting RAZOR2 hits
MySQL Student wrote: Hi, I thought grep -c RAZOR2_CHECK through my mail logs would give me a good approximation of the number of times RAZOR2 was consulted, but that doesn't seem to be the case. There are some mails that don't have it listed in the tests= section. I've also tried the razor-* commands, and they don't appear to be able to help here either. What am I missing? Does RAZOR2_CHECK mean that it was found in the RAZOR2 db, or that it merely consulted the db? That means it was found and was above your min_cf. i.e.: Razor believes it is spam.