Aabash Gurung wrote:
> Hi,
> 
> I'm using SpamAssassin 3.1.1 on FreeBSD, default configuration with fred
> and xHash rules added.
> 
> Hope the provided information is enough, let me know if you need more
> information.
> 
> Here are a few entries from maillog (I have removed rhost, raddr and
> rport from the entries) :-
> 
> spamd: result: Y 39 -
> BAYES_99,FH_FAKE_RCVD_LINE,FH_RELAY_NODNS,FM_MULTI_ODD2,FM_MULTI_ODD3,FM_MULTI_ODD4,FM_MULTI_ODD5,FORGED_MUA_AOL_FROM,MISSING_MIMEOLE,MSGID_SPAM_CAPS,RCVD_DOUBLE_IP_SPAM,RCVD_IN_NJABL_PROXY,RCVD_IN_XBL,RELAY_IS_222,REPTO_QUOTE_AOL,SUBJ_ILLEGAL_CHARS,UNPARSEABLE_RELAY,UPPERCASE_25_50,X_IP
> scantime=3.4,size=2535,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=1,autolearn=spam
> 
> spamd: result: Y 14 - AWL,BAYES_99,HOST_EQ_JP,HOST_EQ_NE_JP
> scantime=11.9,size=3100,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=0.999999999998174,autolearn=no
> 
> spamd: result: Y 11 -
> AWL,BAYES_99,HOST_NMATCH_HELOCOM,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL
> scantime=8.4,size=3194,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=1,autolearn=no
> 
> spamd: result: Y 16 - AWL,BAYES_99,HOST_EQ_JP,HOST_EQ_NE_JP,NO_REAL_NAME
> scantime=6.4,size=2155,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=0.999999999999984,autolearn=no
> 
> spamd: result: Y 18 -
> AWL,BAYES_60,HOST_EQ_JP,HOST_EQ_NE_JP,LONGWORDS,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL
> scantime=7.0,size=3136,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=0.771130282178695,autolearn=spam
> 
> spamd: result: Y 17 -
> BAYES_99,FU_DOM_END_NUM,HOST_EQ_JP,HOST_EQ_NE_JP,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL
> scantime=7.9,size=2698,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=0.999999999985072,autolearn=spam
> 
> spamd: result: Y 15 -
> AWL,BAYES_99,FB_4WORD_DOLLARe,FB_SINGLE_0WORD,FB_WORD_01DOLLAR1,FH_FROM_QUESTION,FM_MULTI_ODD2,FM_MULTI_ODD3,FM_MULTI_ODD4,FM_MULTI_ODD5,HOST_EQ_JP,HOST_EQ_NE_JP,OBSCURED_EMAIL,PLING_QUERY,UNPARSEABLE_RELAY
> scantime=14.5,size=4836,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=1,autolearn=no
> 
> spamd: result: Y 53 -
> BAYES_99,FH_FROMEML_NOTLD,FH_RELAY_NODNS,FM_HIBIT_10,FM_HIBIT_13,FROM_ILLEGAL_CHARS,FROM_NO_LOWER,MIME_BASE64_NO_NAME,MIME_BASE64_TEXT,MIME_BOUND_DD_DIGITS,MIME_HEADER_CTYPE_ONLY,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,SUBJ_ILLEGAL_CHARS,UPPERCASE_50_75,URIBL_AB_SURBL,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL,URI_END_IS_SHORT,X_MESSAGE_INFO
> scantime=6.5,size=2304,user=(unknown),uid=58,required_score=5.0,mid=<[EMAIL 
> PROTECTED]>,bayes=0.999596128062585,autolearn=spam
> 
> 
> And rule hits (from sa-stats.pl):
> 
> TOP SPAM RULES FIRED
> ----------------------------------------------------------------------
> 
> 1    BAYES_99
> 2    HTML_MESSAGE
> 3    FM_NO_STYLE
> 4    FF_BODY_140_IMGCID
> 5    HTML_90_100
> 6    URIBL_BLACK
> 7    HOST_EQ_D_D_D_D
> 8    URIBL_JP_SURBL
> 9    MIME_HTML_MOSTLY
> 10    RCVD_IN_SORBS_DUL
> 11    URIBL_OB_SURBL
> 12    HTML_IMAGE_ONLY_08
> 13    AWL
> 14    URIBL_SC_SURBL
> 15    RCVD_IN_NJABL_DUL
> 16    RCVD_IN_XBL
> 17    URIBL_WS_SURBL
> 18    FH_RELAY_NODNS
> 19    HOST_NMATCH_HELONET
> 20    URIBL_SBL
> 
> 
> TOP HAM RULES FIRED
> ----------------------------------------------------------------------
> 
> 1    AWL
> 2    BAYES_00
> 3    HTML_MESSAGE
> 4    HOST_NMATCH_HELOCOM
> 5    NO_REAL_NAME
> 6    FM_NO_STYLE
> 7    MIME_HTML_ONLY
> 8    BAYES_50
> 9    DK_SIGNED
> 10    SPF_HELO_PASS
> 11    SPF_PASS
> 12    HOST_NMATCH_HELONET
> 13    MISSING_SUBJECT
> 14    DEAR_SOMETHING
> 15    FH_RELAY_NODNS
> 16    DK_VERIFIED
> 17    FM_MULTI_ODD2
> 18    FORGED_RCVD_HELO
> 19    DBL_12_LETTER_FLDR
> 20    HOST_EQ_D_D_D_D
> 
> 
> Sincerely,
> 
> Aabash Gurung
> 

Aabash,

If you expect email from .ne.jp and/or .jp domains, you'll probably
want to set the scores of HOST_EQ_NE_JP and HOST_EQ_JP to 0.  (I've
personally never seen those rules, so they must be part of an add-on
ruleset that you're using and I'm not.)

Also, if you're getting BAYES_99 and AWL hits a lot, then your Bayes
training (and likely your auto-whitelist information) seems to be
improperly trained.

Things like SUBJ_ILLEGAL_CHARS happen when someone doesn't properly
MIME encode their subject line (i.e. their mailer is misconfigured and
they send raw Japanese text as the subject) ... this goes the same for
the From: value as well.

You should also be careful about which add-on rulesets you use and make
sure that they're not going to falsely trigger based on two-byte
character sets.  (Some rulesets do not take two-byte character set
languages into account and thus FP on occasion.)

I've had pretty good success with a well trained (by hand) bayes
database and really basic rulesets along with a few custom rulesets.

hope this helps

Alan
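
Added example (not part of the original thread): a small Python parser for the `spamd: result:` lines quoted above that tallies rule hits on spam verdicts and lists messages auto-learned as spam while hitting HOST_EQ_JP or HOST_EQ_NE_JP, as candidates for manual review. The sample lines are constructed from the quoted entries with placeholder Message-IDs plus one constructed ham line, and all function names are hypothetical.

```python
import re
from collections import Counter

# One unwrapped spamd "result:" line: verdict (Y = spam, . = ham), score,
# comma-separated rule hits, then comma-separated key=value fields.
RESULT_RE = re.compile(
    r"spamd: result: (?P<verdict>[Y.]) (?P<score>-?\d+) - "
    r"(?P<rules>\S*) (?P<fields>\S+)")

def parse_result(line):
    """Return a dict for a spamd result line, or None if it is not one."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    # partition("=")[::2] yields (key, value), splitting on the first "=" only
    fields = dict(kv.partition("=")[::2] for kv in m["fields"].split(","))
    return {"spam": m["verdict"] == "Y", "score": int(m["score"]),
            "rules": set(filter(None, m["rules"].split(","))), **fields}

def rule_counts(records):
    """Count how often each rule appears on messages judged spam."""
    return Counter(r for rec in records if rec["spam"] for r in rec["rules"])

def autolearned_with(records, suspect_rules):
    """Message-IDs auto-learned as spam while hitting any suspect rule."""
    suspects = set(suspect_rules)
    return [rec["mid"] for rec in records
            if rec.get("autolearn") == "spam" and rec["rules"] & suspects]

# Constructed sample input (placeholder Message-IDs, last line is invented ham).
SAMPLE_LOG = [
    "spamd: result: Y 14 - AWL,BAYES_99,HOST_EQ_JP,HOST_EQ_NE_JP scantime=11.9,size=3100,user=(unknown),uid=58,required_score=5.0,mid=<m1@example.invalid>,bayes=0.999999999998174,autolearn=no",
    "spamd: result: Y 17 - BAYES_99,FU_DOM_END_NUM,HOST_EQ_JP,HOST_EQ_NE_JP,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL scantime=7.9,size=2698,user=(unknown),uid=58,required_score=5.0,mid=<m2@example.invalid>,bayes=0.999999999985072,autolearn=spam",
    "spamd: result: Y 18 - AWL,BAYES_60,HOST_EQ_JP,HOST_EQ_NE_JP,LONGWORDS,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL scantime=7.0,size=3136,user=(unknown),uid=58,required_score=5.0,mid=<m3@example.invalid>,bayes=0.771130282178695,autolearn=spam",
    "spamd: result: Y 11 - AWL,BAYES_99,HOST_NMATCH_HELOCOM,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL scantime=8.4,size=3194,user=(unknown),uid=58,required_score=5.0,mid=<m4@example.invalid>,bayes=1,autolearn=no",
    "spamd: result: . 1 - BAYES_00,HOST_EQ_JP,HOST_EQ_NE_JP scantime=2.0,size=1800,user=(unknown),uid=58,required_score=5.0,mid=<m5@example.invalid>,bayes=0.01,autolearn=no",
]

def load_records(lines):
    """Parse every line that is a spamd result line; skip the rest."""
    return [rec for rec in map(parse_result, lines) if rec is not None]

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(rule_counts(recs).most_common(5))
    print(autolearned_with(recs, ["HOST_EQ_JP", "HOST_EQ_NE_JP"]))
```
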