Re: Score for certain spam

2021-08-17 Thread Benny Pedersen

On 2021-08-17 18:03, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.


basically all above 5 is spam tagged with default spamassassin, it is so 
as long as spamassassin only tags mails, i.e. spamassassin is not 
designed to ever reject any emails



The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.


in fuglu i use 15 as reject score, it can be done in spamass-milter 
as well, but it's not spamassassin's fault, in many places of score in 
spamassassin it's for negative spam -100, and for positive spam +100, 
the scores on both can be changed so it never rejects fp


spammers know the default scores so they hope recipients never change them, 
spammers want whitelist_from * but in mta stage local recipients are not 
envelope senders, so whitelist in spamassassin is still safe to use where 
it's needed, but remember don't if not needed


i begin to see that to make rule scores safe there must not exist a single 
rule with score above 3, but there can be multiple rules to add more 
score, this is safer to do than a single rule with 30+


Re: Score for certain spam

2021-08-17 Thread Greg Troxel

Alan  writes:

> I manage email for a couple of hundred domains, so a fair bit of stuff
> that arrives to my inbox are spam complaints (they're supposed to open
> tickets or use the support mailbox but... users). I flag anything over
> 5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to
> the bit bucket. Our support inbox deletes anything over 10.0. Stuff
> that scores over 20 arrives on a regular basis but 10 seems to be a
> decent threshold for "absolute crap".

When you talk about 8/10 and bitbucket/delete, are you accepting this
email at the MTA level and then sending it to /dev/null?  If so, I
wonder what your thoughts are on the wisdom of that vs rejecting at the
MTA level?  In my view, MTA rejection is much better because if there is
a legit sender they get a 550 back, rather than silent discard.


signature.asc
Description: PGP signature


Re: Score for certain spam

2021-08-17 Thread Alan

I manage email for a couple of hundred domains, so a fair bit of stuff 
that arrives to my inbox are spam complaints (they're supposed to open 
tickets or use the support mailbox but... users). I flag anything over 
5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to 
the bit bucket. Our support inbox deletes anything over 10.0. Stuff that 
scores over 20 arrives on a regular basis but 10 seems to be a decent 
threshold for "absolute crap".


I should also mention that we refuse to send anything that scores over 
5.0. This has proved useful both in limiting damage from unprotected 
contact forms and ... um ... "overzealous" customers.


On 2021-08-17 12:03, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.

Thank you!


--
For SpamAssassin Users List



Re: Score for certain spam

2021-08-17 Thread Greg Troxel

David Bürgin  writes:

[all the other replies sound 100% sensible to me]

> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no false
> positives.

There is no certainty; there is only probability.   So you have to
decide what risk you want to put up with, and that's in my experience a
risk of accepted spam and a risk of rejected ham.

> The default threshold for spam is 5.0, which works well for me. Only
> very rarely a ham message scores above that and lands in my Junk folder.

I have set up TXREP, and added known senders to a welcomelist, plus some
private rules and score tweaks, SA base plus KAM.

I find that ham over 5 is extremely rare.

I am rejecting at the SMTP level at 8.   I have so far not received a
single complaint of legit mail being rejected.  8 is a bit more
aggressive than I would recommend in general.

Note that I take two unconventional views compared to standard SA
doctrine:

  mail is personal-ham, list-ham, or spam.  If a message from a
  mailinglist that is technically ham gets misfiled or even rejected,
  that's not a big deal.  Mail that is personally to me (really, that I
  care about) that gets rejected is a big deal.

  I really don't want any spam in my INBOX, because it appears on my
  phone, and thus I sort mail into "ham", "maybe spam", "spam" and
  "definitely spam", basically sorting <1 point into inbox, 1-5 into
  spam.N folders, with 5+ into spam.5, combined with MTA-level rejection
  at 8.  This means that every day several messages are sorted into
  spam.1 and spam.2 that are technically ham, and I just refile them
  when at a computer.  The benefit to this is that only a handful of
  spam messages land in my inbox every week.

I often add welcomelist or rule tweaks for list senders who score 1-5.
Usually the messages are icky somehow, from an MTA on a BL,
misformatted, etc.  Almost always I wouldn't really care if I had missed
them.   Real people, real transactional notifications, I add exceptions
for.

This is higher effort, but it serves my dual purposes of not missing ham
and protecting my phone INBOX from spam.  But it also gives me insight
into score distribution.  1-2 point ham is pretty normal, and arguably
that folder is 75% ham.  The 4-5 folder is about 98% spam.

> Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
> such messages at the SMTP layer, without having to worry about rejecting
> legitimate messages.

My view is that very occasional rejecting of legit mail is much better
than having it buried in a spam folder.   I would be very surprised if
rejecting >= 10 caused you real trouble.   You just said that you almost
never have ham get scored over 5.  So 10 seems like a reasonable step.



signature.asc
Description: PGP signature
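
As an added example (not part of the original post, and not SpamAssassin's own code): one way to check a candidate reject threshold against your own hand-sorted mail is to read the score from each message's X-Spam-Status header and count how much labelled ham and spam each threshold would reject. The sample scores, labels and function names below are constructed for illustration.

```python
import re
from email import message_from_string

SCORE_RE = re.compile(r"\bscore=(-?\d+(?:\.\d+)?)")

def sa_score(raw_message):
    """Return the SpamAssassin score from X-Spam-Status, or None if absent."""
    header = message_from_string(raw_message).get("X-Spam-Status", "")
    m = SCORE_RE.search(header)
    return float(m.group(1)) if m else None

def threshold_report(labelled, thresholds):
    """For each reject threshold, count ham and spam that would get a 5xx."""
    scored = [(sa_score(raw), label) for raw, label in labelled]
    scored = [(s, l) for s, l in scored if s is not None]  # skip unscanned mail
    report = {}
    for t in thresholds:
        hit = [l for s, l in scored if s >= t]
        report[t] = {"ham_rejected": hit.count("ham"),
                     "spam_rejected": hit.count("spam")}
    return report

def lowest_safe_threshold(report):
    """Lowest threshold that rejected no hand-labelled ham, else None."""
    safe = [t for t, r in report.items() if r["ham_rejected"] == 0]
    return min(safe) if safe else None

# Constructed sample: (score, hand-assigned label). Not real traffic.
SAMPLE = [(-1.9, "ham"), (0.4, "ham"), (1.7, "ham"), (4.6, "spam"),
          (5.3, "ham"), (6.1, "spam"), (8.4, "spam"), (9.2, "ham"),
          (11.5, "spam"), (16.0, "spam"), (23.8, "spam")]

def make_message(score):
    """Build a minimal message carrying a constructed X-Spam-Status header."""
    verdict = "Yes" if score >= 5.0 else "No"
    return (f"From: sender@example.org\n"
            f"X-Spam-Status: {verdict}, score={score} required=5.0 "
            f"tests=CONSTRUCTED autolearn=no\n\nbody\n")

LABELLED = [(make_message(s), label) for s, label in SAMPLE]
REPORT = threshold_report(LABELLED, [5, 8, 10, 15])

if __name__ == "__main__":
    for t, r in REPORT.items():
        print(f"reject >= {t:>2}: ham rejected {r['ham_rejected']}, "
              f"spam rejected {r['spam_rejected']}")
    print("lowest threshold with no labelled ham rejected:",
          lowest_safe_threshold(REPORT))
```

The result only says something about the mail that was labelled; a threshold that rejects no ham in a small sample is an observation about that sample, in line with the point above that there is only probability.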


Re: Score for certain spam

2021-08-17 Thread Matus UHLAR - fantomas

On 17.08.21 18:03, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.


on my personal server I have pushed the score to 3.5 and reject anything
over 9. Note that I intensively train spams and FPs.

I maintain a few servers, default score is at 5 and reject over 8.
one server without proper training, score is left at amavis default and
reject on 10.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)


Re: Score for certain spam

2021-08-17 Thread Kevin A. McGrail

Hi David,

If your default is in the 5 to 6 range for scoring, we have found that 
11.0 has virtually no FPs and 15.0 has not had any FPs at our firm in years.


Regards,

KAM

On 8/17/2021 12:03 PM, David Bürgin wrote:

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.

Thank you!


--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: Score for certain spam

2021-08-17 Thread Martin Gregorie

On Tue, 2021-08-17 at 18:03 +0200, David Bürgin wrote:
> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no
> false positives.
> 
I pushed it one notch, to 6.0, but:
 
(a) I've accumulated a fair collection of private rules which are
specific to my mail stream

(b) I have a private mail archive, stored in a PostgreSQL database,
and an SA plugin which whitelists any sender who is recorded in my
archive as somebody that I've previously sent mail to.

(c) Spam is quarantined as it arrives.
Ham is delivered via Postfix + Dovecot and also queued for archiving

(d) spam gets quarantined for 7 days before being discarded

(e) An overnight cronjob loads ham that's queued for archiving into the
mail archive. It also expires & deletes week-old quarantined spam,
and I added a report to logwatch that lists new spam, so I know it's
arrived and can be retrieved from quarantine if I decide I should
see it.

I've listed these steps and associated conditions in case any are useful
to you. This has all been up and running since 2007, so it's tolerably
well tested.


Martin




Score for certain spam

2021-08-17 Thread David Bürgin

In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.

Thank you!


gbhackers.com: Hackers Using New Obfuscation Mechanisms to Evade Detection Of Phishing Campaign

2021-08-17 Thread Brent Clark

Good day Guys

Something I came across, and thought I would share / forward

https://gbhackers.com/hackers-using-new-obfuscation-mechanisms-to-evade-detection-of-phishing-campaign/

Hope this helps.

Regards
Brent