John Ruttenberg wrote:

I thought I'd add DCC_CHECK to the RCVD_IN_MANY rule that's been posted
recently.  I made it:

meta L_RCVD_IN_MANY ( RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SBL +
RCVD_IN_SORBS + RCVD_IN_NJABL + RCVD_IN_DYNABLOCK + RCVD_IN_DSBL +
RCVD_IN_NJABL_SPAM + RCVD_IN_NJABL_PROXY + RCVD_IN_RFCI + RCVD_IN_OPM +
RCVD_IN_SORBS_HTTP + RAZOR2_CHECK + DCC_CHECK ) > 2

But even with this rule, I still get:

 0.2 NO_REAL_NAME           From: does not include a real name
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.0 HTML_IMAGE_ONLY_10     BODY: HTML: images with 800-1000 bytes of words
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 0.1 BIZ_TLD                URI: Contains a URL in the BIZ top-level domain
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [69.160.229.145 listed in dnsbl.sorbs.net]
                            [216.200.145.37 listed in dnsbl.sorbs.net]

Why hasn't my rule kicked in?

The rule will only trip on MORE than 2 matches, and it looks like you hit EXACTLY two: DCC_CHECK and RCVD_IN_SORBS in this example. You could change it to > 1 to test.


> It does work for the other RCVD_ terms:

 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [68.84.161.191 listed in dnsbl.sorbs.net]
                            [216.200.145.38 listed in dnsbl.sorbs.net]
 0.0 LOCAL_DRUGS_ANXIETY    LOCAL_DRUGS_ANXIETY
 3.0 L_RCVD_IN_MANY         Message received in more than 2 RBLs

Presumably there were more tests? Otherwise, I don't know WHY it tripped there!


I suppose there is also the question whether it is/isn't a good idea to add
DCC_CHECK to this.  It does seem to be a pretty good indicator.

I use some other metas using pyzor and razor with bayes since those all look at content. Since I do have some folks that want to be on lists that are spammy and often in RBLs and/or pyzor/razor, I cross-check with bayes trained for my specific needs. This combination works very well.


The only thing I'm trying to avoid is overkill. I'm happy if tricky spam gets scored 12.0 (with my default threshold of 5.0). Zapping it up to 60-70 doesn't gain me much.

- Bob
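
Added example, not part of the thread and not SpamAssassin's own code: a Python sketch of the counting described in the reply above. It parses the meta rule as posted, pulls rule names out of a report excerpt, and compares the count with the threshold; it assumes every rule that fires contributes 1 to the sum, which matches the count of two given in the reply.

```python
import re

# Meta rule exactly as posted in the thread.
META = """meta L_RCVD_IN_MANY ( RCVD_IN_BL_SPAMCOP_NET + RCVD_IN_SBL +
RCVD_IN_SORBS + RCVD_IN_NJABL + RCVD_IN_DYNABLOCK + RCVD_IN_DSBL +
RCVD_IN_NJABL_SPAM + RCVD_IN_NJABL_PROXY + RCVD_IN_RFCI + RCVD_IN_OPM +
RCVD_IN_SORBS_HTTP + RAZOR2_CHECK + DCC_CHECK ) > 2"""

# Report lines copied from the first message; some unrelated lines left out.
REPORT = """ 0.2 NO_REAL_NAME           From: does not include a real name
 5.4 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.0000]
 2.9 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 0.1 RCVD_IN_SORBS          RBL: SORBS: sender is listed in SORBS
                            [69.160.229.145 listed in dnsbl.sorbs.net]
                            [216.200.145.37 listed in dnsbl.sorbs.net]
"""

def parse_meta(line):
    """Split 'meta NAME ( A + B + ... ) OP N' into (name, terms, op, n)."""
    m = re.match(r"\s*meta\s+(\w+)\s*\(([^)]*)\)\s*(>=|>)\s*(\d+)\s*$", line)
    if not m:
        raise ValueError("not a sum-and-compare meta rule")
    terms = [t.strip() for t in m.group(2).split("+")]
    return m.group(1), terms, m.group(3), int(m.group(4))

def rules_hit(report):
    """Rule names from lines shaped '<score> <RULE> <description>'.
    Indented '[...]' detail lines do not match, so a rule that lists
    two IP addresses is still counted as one hit."""
    pattern = r"^\s*-?\d+\.\d+\s+([A-Z][A-Z0-9_]*)\b"
    return {m.group(1) for m in re.finditer(pattern, report, re.M)}

def evaluate(meta_line, report):
    """Return (fires, matched_terms).
    Assumption: each fired rule contributes exactly 1 to the sum."""
    _, terms, op, n = parse_meta(meta_line)
    hits = rules_hit(report)
    matched = [t for t in terms if t in hits]
    total = len(matched)
    return (total >= n if op == ">=" else total > n), matched

if __name__ == "__main__":
    # The posted rule, then the "> 1" variant suggested in the reply.
    for line in (META, META.replace("> 2", "> 1")):
        fires, matched = evaluate(line, REPORT)
        print(parse_meta(line)[2:], matched, "fires" if fires else "does not fire")
```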



