The reason I brought this issue up on list a couple weeks back is because 
almost all of my uncaught (FN) spam hits that rule and almost nothing else. 
Maybe my domain is in the beginning of the popular snowshoe lists. In principle 
my Bayes should catch these guys but it doesn’t, and I don’t know why... when I 
train the DB and then re-run the messages, they hit BAYES_99, so clearly the 
training is working... maybe the messages are just changing enough each time 
that they don’t hit, I dunno, but it’s very frustrating.

Sometimes this is just an add-on to a big scorer, if it’s late enough that RBLs 
have gotten hit by the bot run... but early in the run this is the only rule 
that fires reliably in my system with these spams. I’ve scored it 4.5 locally.

I’ll post spamples later tonight. (And if anyone can debug why my Bayes doesn’t 
want to pick these up, that’d be awesome... but maybe it’s just a frequency 
problem.)

Thanks.

--- Amir
thumbed via iPhone

> On May 29, 2019, at 6:47 PM, Kevin A. McGrail <kmcgr...@apache.org> wrote:
> 
> I'd be interested in seeing a spample or two.  We have virtually no hits but 
> if it's in the wild, that changes my opinion.  The key thing I would want to 
> know is does this rule push it over the edge or is it already scoring a 
> bazillion and this just adds to it?
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
> 
> 
>> On Wed, May 29, 2019 at 7:44 PM Amir Caspi <ceph...@3phase.com> wrote:
>> I’m surprised, a huge percentage of the spam we get hits this rule. I am 
>> happy to submit spamples, but it is a very big spam indicator for our little 
>> server.
>> 
>> --- Amir
>> thumbed via iPhone
>> 
>>> On May 29, 2019, at 6:10 PM, Kevin A. McGrail <kmcgr...@apache.org> wrote:
>>> 
>>> At work, we looked at this and decided the rule had no merit based on 
>>> current mailstreams. Our guess was that the spam run it hit has ended.  It 
>>> is a deadweight rule.
>>> 
>>>> On Wed, May 29, 2019, 18:05 John Hardin <jhar...@impsec.org> wrote:
>>>> On Thu, 16 May 2019, John Hardin wrote:
>>>> 
>>>> > On Thu, 16 May 2019, Amir Caspi wrote:
>>>> >
>>>> >> On Apr 26, 2019, at 4:51 PM, RW <rwmailli...@googlemail.com> wrote:
>>>> >>> 
>>>> >>> header    BOGUS_MIME_VERSION   MIME-Version =~ /^(?!\s*1\.0).+/
>>>> >>> 
>>>> >>> it may be better to change that to
>>>> >>>
>>>> >>>   /^(?!.*\b1\.0\b).+/
>>>> >>> 
>>>> >>> to avoid punishing the form
>>>> >>>
>>>> >>>  Mime-Version: (Nosuch Mail 2.0) 1.0
>>>> >>> 
>>>> >>> which is valid, though I don't think I've ever seen it (comments are
>>>> >>> usually on the right).
>>>> >> 
>>>> >> John, so many of my spams are hitting BOGUS_MIME_VERSION that I would 
>>>> >> imagine it's worth sandboxing and incorporating into the primary 
>>>> >> ruleset.
>>>> >
>>>> > I've added both versions as unscored rules so we can see how they 
>>>> > perform.
>>>> 
>>>> Masscheck doesn't think much of them:
>>>> 
>>>> https://ruleqa.spamassassin.org/20190529-r1860321-n/__BOGUS_MIME_VER_01/detail
>>>> https://ruleqa.spamassassin.org/20190529-r1860321-n/__BOGUS_MIME_VER_02/detail
>>>> 
>>>> The good news is their S/O is 1.00 (not that that means much given the 
>>>> small hit rate), and the bulk of the spams they hit currently score zero.
>>>> 
>>>> We could manually push them with score = 1.000, and let local admins 
>>>> decide whether to adjust the score.
>>>> 
>>>> Opinions solicited.
>>>> 
>>>> -- 
>>>>   John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>>>>   jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
>>>>   key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>>>> -----------------------------------------------------------------------
>>>>    We have to realize that people who run the government can and do
>>>>    change. Our society and laws must assume that bad people -
>>>>    criminals even - will run the government, at least part of the
>>>>    time.                                               -- John Gilmore
>>>> -----------------------------------------------------------------------
>>>>   8 days until the 75th anniversary of D-Day
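
An added example, not part of the thread or of the SpamAssassin ruleset: the two patterns quoted above, run over constructed MIME-Version values to show where they agree and differ. The `strip_comments` reference check, which drops parenthesised comments the way RFC 2045 allows before comparing against `1.0`, and the sample values are assumptions made for this illustration, as is the rule seeing the bare header value on one line; Python is used because its `re` module treats these two patterns the same way Perl does.

```python
import re

# The two patterns quoted in the thread, applied to the MIME-Version value.
RULE_01 = re.compile(r"^(?!\s*1\.0).+")       # original BOGUS_MIME_VERSION
RULE_02 = re.compile(r"^(?!.*\b1\.0\b).+")    # variant proposed by RW


def strip_comments(value):
    """Drop parenthesised comments (nesting allowed) and all whitespace."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0 and not ch.isspace():
            out.append(ch)
    return "".join(out)


def evaluate(value):
    """Return (rule_01_fires, rule_02_fires, really_bogus) for one value."""
    return (
        bool(RULE_01.search(value)),
        bool(RULE_02.search(value)),
        strip_comments(value) != "1.0",   # reference check, added here
    )


# Constructed header values, not taken from real mail.
SAMPLES = [
    "1.0",
    " 1.0 (Nosuch Mail 2.0)",
    "(Nosuch Mail 2.0) 1.0",   # the valid form mentioned in the thread
    "1.01",                    # rule 01 misses this, rule 02 catches it
    "2.0 (compat 1.0)",        # rule 02 misses this: 1.0 only in a comment
    "1.0.5",                   # both rules miss this
]

if __name__ == "__main__":
    for v in SAMPLES:
        r1, r2, bogus = evaluate(v)
        print(f"{v!r:28} rule01={r1!s:5} rule02={r2!s:5} bogus={bogus}")
```

The rows where a rule's result differs from the last column are that pattern's false positives or misses on these samples.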
