Jason Haar wrote:
> Hi there
> I just got a one-line piece of spam with an ipaddress-based URL.
> Probably pointing at some "auto infect your Windows PC" app.
> Anyway, it got a score of 0.1 out of 5 when it came in. 4 hours later
> it had shown up in several RBLs and the score was pushed up to 4.9.
> My question is that it triggered NORMAL_HTTP_TO_IP, but that only adds
> 0.1 to the score. That seems really low to me. Are there really so
> many "legitimate" IP-based URLs being sent around via email that makes
> a higher score a bad idea?

Yes. In fact, IP-based URLs occur more commonly in nonspam than spam.
STATISTICS-set0.txt:OVERALL SPAM% HAM% S/O RANK SCORE NAME
STATISTICS-set0.txt: 0.395 0.3920 0.4001 0.495 0.42 0.10 NORMAL_HTTP_TO_IP
Note the S/O of 0.42 means that 42% of matches to this rule were spam,
and 58% were nonspam.