On Feb 23, 2018, at 11:47 PM, David B Funk <dbf...@engineering.uiowa.edu> wrote:
> It could have 20 points from a whole bunch of body rules but if it only hit 2
> points via header rules it still will not auto-learn.
Gotcha. The spam in question that triggered this hit a lot of rules, but hard
for me to tell on cursory inspection whether it satisfies sufficient header and
body points. But it LOOKS like there should be at least 3 points from header
(MISSING_HEADERS, FREEMAIL_FORGED_REPLYTO, among others) and certainly 3 body
(MONEY_FRAUD_3 at the very least). The actual spam report is this:
* 0.0 FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam
* 0.0 NSL_RCVD_FROM_USER Received from User
* 1.0 MISSING_HEADERS Missing To: header
* 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* [score: 0.5004]
* 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net)
* 0.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool
* 0.0 FSL_NEW_HELO_USER Spam's using Helo and User
* 2.6 MSOE_MID_WRONG_CASE No description available.
* 0.0 FROM_MISSP_USER From misspaced, from "User"
* 1.0 RDNS_DYNAMIC Delivered to internal network by host with
* dynamic-looking rDNS
* 0.0 LOTS_OF_MONEY Huge... sums of money
* 0.0 FROM_MISSP_XPRIO Misspaced FROM + X-Priority
* 1.6 REPLYTO_WITHOUT_TO_CC No description available.
* 0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait
* 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay
* 0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe
* 2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From
* 1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different
* freemails
* 0.0 TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems
* 1.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook
* 1.6 TO_NO_BRKTS_DYNIP To: lacks brackets and dynamic rDNS
* 0.0 FILL_THIS_FORM Fill in a form with personal information
* 2.0 TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool
* 2.0 FILL_THIS_FORM_LONG Fill in a form with personal information
* 3.1 FROM_MISSP_FREEMAIL From misspaced + freemail provider
* 3.0 MONEY_FRAUD_3 Lots of money and several fraud phrases
But, it still didn't autolearn.
(I can post the entire spample if the above seems like it should have
autolearned.)
> Another possible factor, if you have "bayes_auto_learn_on_error" enabled,
> then autolearn will be skipped if Bayes already agrees with the condition of
> the message. IE: if the message is already classifed as BAYES_99 then it
> won't bother auto-learning it as yet another high-ranking spam.
I do not have that enabled. Also, as you can see from above, this hit BAYES_50.
Does the above provide an indication as to why it didn't autolearn?
Thanks!
--- Amir
