Hi,

I'm curious about the SHORT_WORD_LINES, KAM_LINEPADDING and HK_RANDOM
rules. I received a legitimate email from a Gmail sender that was pushed
beyond 5.0 because of these rules. It hit both SCC_5_SHORT_WORD_LINES and
SCC_10_SHORT_WORD_LINES, and because a score isn't explicitly set, the two
rules added 2.0 points to the score.

describe SCC_5_SHORT_WORD_LINES 5 lines with many short words
meta     SCC_5_SHORT_WORD_LINES __SCC_SHORT_WORDS >= 5
describe SCC_10_SHORT_WORD_LINES 10 lines with many short words
meta     SCC_10_SHORT_WORD_LINES        __SCC_SHORT_WORDS >= 10
describe SCC_20_SHORT_WORD_LINES 20 lines with many short words
meta     SCC_20_SHORT_WORD_LINES        __SCC_SHORT_WORDS >= 20
describe SCC_35_SHORT_WORD_LINES 35 lines with many short words
meta     SCC_35_SHORT_WORD_LINES        __SCC_SHORT_WORDS >= 35

KAM_LINEPADDING was hit because it was a longer email chain that involved
many ">" line characters.

rawbody  __KAM_LINEPADDING /(\n[^\n]){8}/
meta     KAM_LINEPADDING (__KAM_LINEPADDING >= 1)
score    KAM_LINEPADDING 1.2
describe KAM_LINEPADDING Spam that tries to get past blank line filters

 1.0 HK_RANDOM_FROM         From username looks random
 1.0 HK_RANDOM_ENVFROM      Envelope sender username looks random

The envelope-from and From address were both the same
(killercopywriting...@gmail.com), so because they "look random" another 2.0
points were added.

Add to that, the IP Gmail used to send it had a relatively poor sender score:
 0.7 RCVD_IN_SENDERSCORE_70_79 RBL: Senderscore.org score of 70 to 79
                            [209.85.208.54 listed in score.senderscore.com]

It also hit BAYES_50, which pushed it beyond 5.0.

Of course I could welcomelist the sender, train Bayes or manually reduce
the scores of these rules, but they stood out to me as something that's
worth consideration. Should they be reevaluated?

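An added illustration, not part of the original post and not SpamAssassin code: the __KAM_LINEPADDING pattern quoted above, run in Python over constructed sample bodies to show which lines it keys on and whether a hit comes from ">" quote markers or from padding characters. It assumes the regex is applied to the body as a single string (SpamAssassin's own rawbody decoding and chunking are not modelled); the function and sample names are hypothetical.

```python
import re

# Pattern copied verbatim from the __KAM_LINEPADDING rawbody rule in the post.
# Each "\n[^\n]" repetition must be followed directly by the next "\n", so a
# match is seven consecutive one-character lines plus the first character of
# an eighth non-empty line.
LINEPADDING = re.compile(r"(\n[^\n]){8}")

def explain_hits(body):
    """Return one dict per match: line number of the first short line,
    the eight matched characters, and whether all of them are '>'."""
    hits = []
    for m in LINEPADDING.finditer(body):
        # The match starts on the newline that ends the previous line.
        first_line = body.count("\n", 0, m.start()) + 2
        chars = m.group(0)[1::2]  # drop the newlines, keep the line characters
        hits.append({
            "line": first_line,
            "chars": chars,
            "quote_only": set(chars) <= {">"},
        })
    return hits

# Constructed sample: a reply chain whose quoted blank lines are bare ">".
QUOTED_CHAIN = (
    "Thanks, see below.\n"
    "\n"
    "> On Monday someone wrote:\n"
    + ">\n" * 7
    + "> original text\n"
)

# Constructed sample: single-character padding lines between two text lines.
PADDED = "Buy now\n" + ".\n" * 10 + "click here\n"

# Constructed sample: ordinary quoting with isolated ">" lines, no long run.
SHORT_CHAIN = "> a\n>\n> b\n>\n> c\n"

if __name__ == "__main__":
    for name, body in [("quoted chain", QUOTED_CHAIN),
                       ("padded", PADDED),
                       ("short chain", SHORT_CHAIN)]:
        print(name, explain_hits(body))
```
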