On 28 Apr 2021, at 9:54, Alex wrote:
Hi,
-1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
I have disabled this rule some time ago.
Many spammers use mailing list or their signatures.
Where is the score coming from for this rule? There isn't an explicit
"score" value associated with the rule.
Default score is 1 for 'spam' rules, -1 for 'nice' rules.
describe MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager
meta MAILING_LIST_MULTI __HAS_X_LOOP + __HAS_X_MAILING_LIST + __HAS_X_MAILMAN_VERSION + __HAS_LIST_ID + __HAS_X_BEEN_THERE + __DOS_HAS_LIST_UNSUB + __ML1 + __ML3 + __ML4 + __ML5 > 2
tflags MAILING_LIST_MULTI nice
If everyone (figuratively speaking, I suppose) is disabling it,
Not figuratively, hyperbolically...
In my experience, most SA users never touch the scores of default rules.
wouldn't it be helpful to define it explicitly or see how it's doing
in masschecks?
As a ham-sign it is doing reasonably well. S/O is consistently <0.2.
It seems like it would be helpful to look at ways mailing lists are
manipulated by spammers more closely and perhaps find some anomalies
there.
It's very hard to analyze spam you never see. The last time I saw
MAILING_LIST_MULTI make the difference in a false negative was
2020-11-12. That was also the last time it hit anything that scored less
than 6 that wasn't a FP, i.e. where it was too weak to save ham from the
pit. Most of the spam it hits for me scores so high that I keep nothing
of it but log entries.
The one FN from last November that I do have is problematic for
identifying any FN pattern. Aside from being a single example, its
idiosyncrasies are due to a tool that is in broad use by both spammers
and non-spammers.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
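
Added example, not part of the original message and not SpamAssassin's own code: a Python sketch of how the meta rule quoted in the message is evaluated and how the default score described there ("1 for 'spam' rules, -1 for 'nice' rules") applies when no `score` line exists. The header names behind each sub-rule are assumptions inferred from the sub-rule names, `__ML1`, `__ML3`, `__ML4` and `__ML5` are not modelled because their definitions are not shown in the thread, and the sample messages are constructed.

```python
"""Sketch of how the MAILING_LIST_MULTI meta rule quoted above is evaluated."""
from email import message_from_string

# ASSUMPTION: each sub-rule is modelled as "this header exists", with the
# header name inferred from the sub-rule name. The real sub-rule definitions
# are not shown in the thread. __ML1, __ML3, __ML4 and __ML5 are not modelled
# and therefore always count as 0 here.
SUBRULE_HEADERS = {
    "__HAS_X_LOOP": "X-Loop",
    "__HAS_X_MAILING_LIST": "X-Mailing-List",
    "__HAS_X_MAILMAN_VERSION": "X-Mailman-Version",
    "__HAS_LIST_ID": "List-Id",
    "__HAS_X_BEEN_THERE": "X-BeenThere",
    "__DOS_HAS_LIST_UNSUB": "List-Unsubscribe",
}
THRESHOLD = 2  # the meta expression is "sum of sub-rules > 2"


def default_score(tflags, explicit=None):
    """Without a 'score' line: 1 for ordinary rules, -1 for 'tflags nice'."""
    if explicit is not None:
        return explicit
    return -1.0 if "nice" in tflags else 1.0


def evaluate(raw_message, tflags=("nice",), explicit_score=None):
    """Return (hit, matched sub-rules, score contribution) for one message."""
    msg = message_from_string(raw_message)
    matched = sorted(r for r, h in SUBRULE_HEADERS.items() if msg[h] is not None)
    hit = len(matched) > THRESHOLD
    score = default_score(tflags, explicit_score) if hit else 0.0
    return hit, matched, score


# Constructed sample messages (not taken from the thread).
THREE_INDICATORS = (
    "From: users@lists.example.org\n"
    "List-Id: <users.lists.example.org>\n"
    "List-Unsubscribe: <mailto:users-unsubscribe@lists.example.org>\n"
    "X-BeenThere: users@lists.example.org\n"
    "Subject: constructed sample\n\nbody\n"
)
TWO_INDICATORS = (
    "From: news@example.com\n"
    "List-Id: <news.example.com>\n"
    "List-Unsubscribe: <mailto:unsub@example.com>\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("three", THREE_INDICATORS), ("two", TWO_INDICATORS)):
        print(name, evaluate(raw))
```

Passing `explicit_score` models what an explicit `score MAILING_LIST_MULTI ...` line in local configuration would do in place of the default.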