On 2024-05-11 at 14:26:59 UTC-0400 (Sat, 11 May 2024 20:26:59 +0200)
Thomas Barth <tba...@txbweb.de>
is rumored to have said:
Hello
Am 2024-05-11 19:24, schrieb Loren Wilton:
Can I just take the names of the rules?
e.g. at least two checks should fire:
meta MULTIPLE_TESTS (( RAZOR2_CF_RANGE_51_100 + RAZOR2_CHECK +
URIBL_ABUSE_SURBL) > 1)
score MULTIPLE_TESTS 1
found in
X-Spam-Status: No, score=5.908 tagged_above=2 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, FSL_BULK_SIG=0.001,
HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43,
RAZOR2_CHECK=1.729,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.948]
Why is your score threshold for spam 6.31? By default it is 5, and
that message would have been spam.
6.31 has been the default value on a Debian system for ages and is
based on the experience of the “spam analysts”. That's how I
remember it. I have therefore retained this value. Who introduced the
default value of 5? Spamassassin itself, because spam is getting
better and better and fewer rules apply?
5.0 has been the default threshold in the distribution forever and that
value is an assumption in the dynamic scoring and RuleQA service which
adjusts scores to their optimal values daily based on the latest results
submitted by masscheck contributors.
I have no idea who the Debian "spam analysts" are but I am certain that
they are not doing any sort of data-driven dynamic adjustments of scores
based on a threshold of 6.3 nor are they (obviously) adjusting that
threshold daily based on current scores. The only reason I can see for
boosting the threshold is if there is an additional set of rules being
used with a significant number of the non-standard low-S/O rules. For
example, if you use KAM rules (which are not part of the RuleQA process)
you will have a lot of rule hits on legit mail and you can either boost
the threshold or do a lot of local-specific FP mitigation.
On systems I manage I mostly use a *lower* threshold, because I apply
more active site-specific rule management (and FP avoidance) than most
systems ever receive.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire