On Feb 23, 2018, at 11:47 PM, David B Funk <dbf...@engineering.uiowa.edu> wrote: > It could have 20 points from a whole bunch of body rules but if it only hit 2 > points via header rules it still will not auto-learn.
Gotcha. The spam in question that triggered this hit a lot of rules, but hard for me to tell on cursory inspection whether it satisfies sufficient header and body points. But it LOOKS like there should be at least 3 points from header (MISSING_HEADERS, FREEMAIL_FORGED_REPLYTO, among others) and certainly 3 body (MONEY_FRAUD_3 at the very least). The actual spam report is this: * 0.0 FSL_CTYPE_WIN1251 Content-Type only seen in 419 spam * 0.0 NSL_RCVD_FROM_USER Received from User * 1.0 MISSING_HEADERS Missing To: header * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5004] * 1.1 DCC_CHECK Detected as bulk mail by DCC (dcc-servers.net) * 0.0 FROM_MISSP_MSFT From misspaced + supposed Microsoft tool * 0.0 FSL_NEW_HELO_USER Spam's using Helo and User * 2.6 MSOE_MID_WRONG_CASE No description available. * 0.0 FROM_MISSP_USER From misspaced, from "User" * 1.0 RDNS_DYNAMIC Delivered to internal network by host with * dynamic-looking rDNS * 0.0 LOTS_OF_MONEY Huge... sums of money * 0.0 FROM_MISSP_XPRIO Misspaced FROM + X-Priority * 1.6 REPLYTO_WITHOUT_TO_CC No description available. * 0.0 AXB_XMAILER_MIMEOLE_OL_024C2 Yet another X header trait * 0.0 MSGID_FROM_MTA_HEADER Message-Id was added by a relay * 0.0 FSL_BULK_SIG Bulk signature with no Unsubscribe * 2.1 FREEMAIL_FORGED_REPLYTO Freemail in Reply-To, but not From * 1.0 FREEMAIL_REPLYTO Reply-To/From or Reply-To/body contain different * freemails * 0.0 TO_NO_BRKTS_FROM_MSSP Multiple header formatting problems * 1.9 FORGED_MUA_OUTLOOK Forged mail pretending to be from MS Outlook * 1.6 TO_NO_BRKTS_DYNIP To: lacks brackets and dynamic rDNS * 0.0 FILL_THIS_FORM Fill in a form with personal information * 2.0 TO_NO_BRKTS_MSFT To: lacks brackets and supposed Microsoft tool * 2.0 FILL_THIS_FORM_LONG Fill in a form with personal information * 3.1 FROM_MISSP_FREEMAIL From misspaced + freemail provider * 3.0 MONEY_FRAUD_3 Lots of money and several fraud phrases But, it still didn't autolearn. (I can post the entire spample if the above seems like it should have autolearned.) > Another possible factor, if you have "bayes_auto_learn_on_error" enabled, > then autolearn will be skipped if Bayes already agrees with the condition of > the message. IE: if the message is already classifed as BAYES_99 then it > won't bother auto-learning it as yet another high-ranking spam. I do not have that enabled. Also, as you can see from above, this hit BAYES_50. Does the above provide an indication as to why it didn't autolearn? Thanks! --- Amir