On Sat, 2006-08-05 at 14:38 -0700, Gary Funck wrote:
> Bill Randle wrote:
> > I don't have the OCR plugin installed, but am using the recently
> > posted ImageInfo plugin. This is what I get on spam-gif-1.txt:
> >
> > X-Spam-Status: Yes, score=20.6 required=5.0
> >   tests=BAYES_99,DC_GIF_MULTI_LARGO,EXTRA_MPART_TYPE,FORGED_RCVD_HELO,
> >   HTML_IMAGE_ONLY_32,HTML_MESSAGE,J_CHICKENPOX_27,J_CHICKENPOX_44,
> >   J_CHICKENPOX_72,SARE_GIF_ATTACH,TVD_FW_GRAPHIC_ID1,
> >   TVD_FW_GRAPHIC_NAME_LONG,TVD_FW_GRAPHIC_NAME_MID
> >   autolearn=no version=3.1.2
> 
> Hmmm, OK.  After adding in the ImageInfo plugin, I get the following
> (from spamassassin -t):
> 
> Content analysis details:   (7.4 points, 5.0 required)
> 
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.8 EXTRA_MPART_TYPE       Header has extraneous Content-type:...type= entry
>  1.0 SPAMPIC_ALPHA_2        Image contains many alphanumeric chars
>  0.8 HTML_IMAGE_ONLY_32     BODY: HTML: images with 2800-3200 bytes of words
>  0.0 HTML_MESSAGE           BODY: HTML included in message
>  0.8 SARE_GIF_ATTACH        FULL: Email has a inline gif
>  4.0 DC_GIF_MULTI_LARGO     Message contains 4 or more inline gifs with a
>                             large area
> 
> The score of 4.0 is pretty aggressive.  But given your scores above, I'd
> say that you have certain factors even more heavily weighted.  As far as
> SARE goes, I use a more conservative subset.  However, the conclusion
> is the same -- either I need to weight SPAMPIC_ALPHA_2 higher, or
> add the ImageInfo plugin into the mix (I'll probably lower its score to
> 1.5 or so.)

I use the default 4.0 for DC_GIF_MULTI_LARGO and upped the score for
BAYES_95 and BAYES_99. The TVD_XXX rules are also scored fairly heavily.

  1.1 EXTRA_MPART_TYPE Header has extraneous Content-type:...type= entry
  0.1 FORGED_RCVD_HELO Received: contains a forged HELO
  0.6 J_CHICKENPOX_27 BODY: 2alpha-pock-7alpha
  0.6 J_CHICKENPOX_72 BODY: 7alpha-pock-2alpha
  0.6 J_CHICKENPOX_44 BODY: 4alpha-pock-4alpha
  1.2 TVD_FW_GRAPHIC_NAME_MID BODY: TVD_FW_GRAPHIC_NAME_MID
  1.8 TVD_FW_GRAPHIC_NAME_LONG BODY: TVD_FW_GRAPHIC_NAME_LONG
  0.0 HTML_MESSAGE BODY: HTML included in message
  5.0 BAYES_95 BODY: Bayesian spam probability is 95 to 99%
      [score: 0.9529]
  2.8 TVD_FW_GRAPHIC_ID1 BODY: TVD_FW_GRAPHIC_ID1
  1.1 HTML_IMAGE_ONLY_32 BODY: HTML: images with 2800-3200 bytes of words
  0.8 SARE_GIF_ATTACH FULL: Email has a inline gif
  4.0 DC_GIF_MULTI_LARGO Message contains 4 or more inline gifs with a
      large area

