On Thursday July 13 2006 9:28 am, Jack Gostl wrote: > ----- Original Message ----- > From: "Steven Stern" <[EMAIL PROTECTED]> > To: "Spamass" <users@spamassassin.apache.org> > Sent: Wednesday, July 12, 2006 4:31 PM > Subject: Re: Image only spam > > > Jack Gostl wrote: > >> Thanks for the response. > >> > >> Take it slow with me, spamassassin has been running so well for > >> so long that I haven't had to fiddle with it in ages and I don't > >> remember the details. Do I add these rules to my user_prefs? Or > >> to my /etc/mail/local.cf files? > >> > >> ----- Original Message ----- From: "Steven Stern" > >> <[EMAIL PROTECTED]> > >> To: "Spamass" <users@spamassassin.apache.org> > >> Sent: Wednesday, July 12, 2006 9:13 AM > >> Subject: Re: Image only spam > >> > >>> Jack Gostl wrote: > >>>> I'm running SpamAssassin version 3.0.3 running on Perl > >>>> version 5.8.2 under AIX 5.3. Starting a few months ago, I have > >>>> been absolutely inundated with "image only spam". I've gone > >>>> from catching 99% of the spam with almost no false positives > >>>> to less than 85%. I asked about this > >>>> awhile ago, and tried to upgrade to SpamAssassin version 3.1.1 > >>>> running > >>>> on Perl version 5.8.0, and didn't see much improvement, so I > >>>> left the prod machine alone. > >>>> > >>>> I'm sure I'm not the only one with this problem. Has anyone > >>>> had any success with it? > >>>> > >>>> Thanks... > >>>> > >>>> Jack > >>> > >>> Are you using the SARE_STOCK rules from RulesDuJour at > >>> rulesemporium.com? We catch more than 99% of the image only > >>> stuff with the standard RBLs and 70_sare_stock.cf. > >>> > >>> In case you ask, these are the SARE rules we're using: > >>> > >>> TRUSTED_RULESETS="SARE_GENLSUBJ0 SARE_OBFU > >>> SARE_REDIRECT_POST300 SARE_ADULT SARE_HEADER0 SARE_CODING > >>> SARE_SPECIFIC SARE_SPOOF SARE_FRAUD SARE_WHITELIST_SPF > >>> SARE_WHITELIST_RCVD SARE_URI0 SARE_OEM SARE_STOCKS"; > >>> > >>> -- > >>> > >>> Steve > > > > Hop over to the Rules Emporium (http://rulesemporium.com) and > > read about RulesDuJour. Install that and set up cron job to look > > for updates once a day. That's about it. It's about 30 minutes > > of think work up front to understand the documentation and > > install it. After that, set it and forget it. > > > > http://www.exit0.us/index.php?pagename=RulesDuJour > > > > I think you'll be happy with the trusted ruleset line above. > > wanted to tell you how this all turned out. > > I installed the new rules, incorrectly as Dimitri observed, and > then restarted spamassassin. (spamd actually). The spam capture > rate has zoomed from 85% into the high 90s. Looking back I see that > we replaced our processor about a year ago, and have been > exceptionally stable since then. We haven't IPLed in almost a year, > which also means that spamassassin probably hasn't been started in > almost as long. > > Obviously the new rules weren't the reason for the improvement, > since they were installed wrong. So it must have been the restart. > This makes me wonder, was it a "corruption", or is there a > cumulative effect. I wonder if anyone has any thoughts on that.
It appears that you were using only the SA default rules. Now, these are pretty good, but I think most would agree that you want to supplement these with SARE rulesets, and prehaps bayes, DCC, razor, and pyzor (or some combination thereof). Then, you've got a pretty tight system. Dimitri -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
