Re: Train SA with e-mails 100% proven spams and next time it should be marked as spam

Tue, 13 Feb 2018 10:23:03 -0800 

On 02/13/2018 11:24 AM, Horváth Szabolcs wrote:

Hello,

David Jones [mailto:djo...@ena.com]  wrote:

There should be many more rule hits than just these 3.  It looks like
network tests aren't happening.
Can you post the original email to pastebin.com with minimal redacting
so the rest of us can run it through our SA to see how it scores to help
with suggestions?


Thanks for taking time to answer. Here it is: https://pastebin.com/5XZ5kbus
My SA instance would have blocked it but the 2 rules that did it won't apply to your mail flow based on language and non-US relays.
Properly training your Bayes and increasing the score for BAYES_80, BAYES_95, and BAYES_99 is the best bet on this one. It might take some local content rules but I can't read the subject or body. :) 


Content analysis details:   (10.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- -------------------------------------------------- 
 5.2 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 0.9926]
0.0 HTML_IMAGE_RATIO_08 BODY: HTML has a low ratio of text to image area 
 2.8 UNWANTED_LANGUAGE_BODY BODY: Message written in an undesired language
 0.0 HTML_MESSAGE           BODY: HTML included in message
2.2 ENA_RELAY_NOT_US Relayed from outside the US and not on whitelists 
 0.0 ENA_BAD_SPAM           Spam hitting really bad rules.
This brings up a good point that we need help with non-English masscheckers and SA rules.
The sending mail server 79.96.0.147 is not listed on any major RBLs and it has proper FCrDNS. I can't tell the envelope-from domain but it must not have an SPF record. Definitely no DMARC record for fiok.com.
The "IdeaSmtpServer" might be something to investigate it's relationship to spam to see if it's an indicator worthy of a local rule.
The domain in the Message-ID might be worth checking with other spam to see if that is a pattern worth a local rule.
If there are unique body phrases or misspellings, then that is definitely something to put into a local rule to add a point or two in the future. 


I suspect there needs to be some MTA tuning in front of SA along with
some SA tuning that is mentioned on this list every couple of months --
add extra RBLs, add KAM.cf, enable some SA plugins, etc.


Oops. I'm a new member on this list. Could you please tell us which 
customizations do you mean?
I already looked KAM.cf, doesn't really help in situation. We're using a lot of 
RBLs.




--
David Jones

Reply via email to