Jari Fredriksson wrote:
> 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
> 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
> 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
> 0.0 PRICES_ARE_AFFORDABLE  BODY: Message says that prices aren't too
> 0.3 KHOP_HELO_FCRDNS       Relay HELO differs from its IP's reverse DNS
> 1.2 KHOP_2IPS_RCVD         Received: Relay identifies itself as wrong IP
> 6.0 L_TAB_IN_FROM          L_TAB_IN_FROM
> 4.0 BOTNET                 Relay might be a spambot or virusbot
> 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
> 1.0 HTML_MESSAGE           BODY: HTML included in message
> 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

Of those 20.2 points, 2.9 are from stock SA, and the 2.0 from Bayes doesn't count in helping people's configs. HTML_MESSAGE is dangerous to bump up to 1.0 ... MIME_HTML_ONLY (1.5) takes care of most of the HTML-based spam, while HTML_MESSAGE will trip over almost everything (it hit 87% of the masscheck spam but also hit 27% of the ham), see http://ruleqa.spamassassin.org/week/HTML_MESSAGE/detail

Of the remaining points, my channels (see link in my sig) contributed 6.2 by bringing in BRBL and HostKarma (plus DNSBL_BUMP) plus my other rules like 2IPS (though the original post had "IN_BCUDA_RBL" plus some rules penalizing mail from New Zealand).

The rest comes from BotNet and whatever L_TAB_IN_FROM is. Google directs me to a post to this list from two months ago (2009/08/22 18:19 UTC and 2009/08/06 20:50 UTC, both from Mike Cappella). A score of 6 is FREAKISHLY high, even for something with a very low FP rate. I'd score that around 1.2 if I trusted it.

I like it, so I'm throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now:

# @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
header   MC_TAB_IN_FROM  From:raw =~ /^\t/m
describe MC_TAB_IN_FROM  From: Contains a tab
score    MC_TAB_IN_FROM  0.6 # 20091015, considering bump to 1.2

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
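
[Added example, not part of the original post and not SpamAssassin code: a Python sketch of what the /^\t/m pattern matches in a raw From: header, and of how the score given to that one rule changes the verdict against SpamAssassin's default required_score of 5.0. The helper names, the sample messages, and the assumption that the raw value is everything after the colon with folding preserved (LF line endings) are this example's own.]

```python
import re

# Python equivalent of the rule body on this page: From:raw =~ /^\t/m
TAB_IN_FROM = re.compile(r"^\t", re.MULTILINE)
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def raw_from(message: str):
    """Return the raw From: field body, folding preserved, or None.

    Assumption: the raw value is everything after the colon, including
    leading whitespace and any continuation lines.
    """
    headers = message.split("\n\n", 1)[0].split("\n")
    for i, line in enumerate(headers):
        if line.lower().startswith("from:"):
            body = [line[5:]]
            # Continuation (folded) lines start with a space or a tab.
            for cont in headers[i + 1:]:
                if not cont.startswith((" ", "\t")):
                    break
                body.append(cont)
            return "\n".join(body)
    return None


def tab_in_from(message: str) -> bool:
    """True if any line of the raw From: value starts with a tab."""
    value = raw_from(message)
    return value is not None and bool(TAB_IN_FROM.search(value))


def verdict(message: str, other_points: float, rule_score: float) -> bool:
    """True if the message reaches the spam threshold."""
    total = other_points + (rule_score if tab_in_from(message) else 0.0)
    return total >= REQUIRED_SCORE


# Constructed samples (not taken from real mail).
TAB_AFTER_COLON = "From:\tSeller <a@example.com>\nSubject: x\n\nbody\n"
TAB_FOLDED = 'From: "A Very Long Name"\n\t<b@example.org>\nSubject: y\n\nbody\n'
SPACE_FOLDED = 'From: "A Very Long Name"\n <c@example.net>\nSubject: z\n\nbody\n'
PLAIN = "From: Bob <d@example.com>\nSubject: w\n\nbody\n"
```

[Under these assumptions the pattern also matches a From: header folded with a tab, which RFC 5322 permits, so a message hitting no other rule is tagged at a rule score of 6.0 but not at 0.6 or 1.2.]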