On Thu, 2010-03-11 at 09:11 -0500, Carlos Mennens wrote:
> On Thu, Mar 11, 2010 at 8:46 AM, Martin Gregorie <mar...@gregorie.org> wrote:
> > That 'male enhancement junk' advert may well contain something that
> > could be the basis of an additional rule - don't omit *anything* in
> > future, at least until you understand how to write custom rules.
> > Spammers often use an algorithm to generate their destination websites.
> > This algorithm often generates patterns that can be matched with an SA
> > rule. However, it may be reasonable to obscure your own and/or your
> > user's address, e.g. by changing it to u...@example.com.
> 
> I did omit my user and domain. That is a test domain I own but doesn't
> route nor is it in production. It is not the domain I am actually
> using live.
> 
> > In fact, when I ran your message through SA 3.3.0 the standard rules
> > gave a score of 5.2 even without the body text. That is enough to treat
> > it as spam if you were using the default required score. Why did you
> > change your required score to 6.3? That is a pretty specific value.
> 
> I don't understand this. If you ran my exact same message through SA
> and got a score of 5.2 (omitting the actual URL), how come my headers
> show a score of 0?
> 
> X-spam-status: No, score=0.0 required=6.3 tests=FREEMAIL_FROM,
> RCVD_IN_DNSWL_NONE,TVD_SPACE_RATIO,T_DKIM_INVALID autolearn=ham
> version=3.3.0
> 
Here's my result:

X-Spam-Status: No, score=3.5 required=6.0 tests=DKIM_ADSP_CUSTOM_MED,
DKIM_SIGNED,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED
RCVD_IN_DNSWL_NONE,TVD_SPACE_RATIO,T_DKIM_INVALID,T_RP_MATCHES_RCVD
autolearn=no version=3.3.0

This gives a lower score than the truncated message you first posted,
mainly because your truncation caused INVALID_DATE, MISSING_HEADERS and
T_TO_NO_BRKTS_FREEMAIL to fire and suppressed TVD_SPACE_RATIO.
 
> As for me, I don't think I changed any values but perhaps my memory is
> not serving me well. I checked my /etc/mail/spamassassin/local.cf file
> and I show:
> 
> rewrite_header Subject *****SPAM*****
> required_score 6.31
> report_safe 1
> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 1
> 
You certainly changed the required score: the default is 5.0. The
standard rule scores are set on that basis. Mine are:

required_score          6.0
rewrite_header subject  SPAM:
report_safe             1
use_bayes               1
bayes_auto_learn        1
skip_rbl_checks         0
use_auto_whitelist      0
use_razor2              0
use_pyzor               0
ok_locales              en fr de 

> Is this wrong? Should I change this to reflect something else? I think
> this was the default when I installed and configured SA on my server.
> 
Are you certain you have internal_networks and trusted_networks set
correctly?

I think there's a good chance that the maturanaperforaciones.com domain
was either abandoned or hijacked. It: 
- has a website that seems curiously unresponsive
- has two MX records
- gives the registrar as contact and tech. contact
- was registered 27-Apr-07 and expires 27-Apr-10 

IOW it's not a spammer's throw-away or taster URL. If you see any more
messages from it, a 'uri' rule setting a score of 6 or more might be
worthwhile.


Martin
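
Added example, not part of Martin's message or of SpamAssassin itself: a small Python script that parses the two X-Spam-Status headers quoted in this thread and lists which tests fired on only one side, which is the comparison the thread is doing by eye. The function names `parse_spam_status` and `diff_results` are made up for this example.

```python
import re

# Both headers are copied from the thread above, line folding included.
CARLOS = """X-spam-status: No, score=0.0 required=6.3 tests=FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE,TVD_SPACE_RATIO,T_DKIM_INVALID autolearn=ham
version=3.3.0"""
MARTIN = """X-Spam-Status: No, score=3.5 required=6.0 tests=DKIM_ADSP_CUSTOM_MED,
DKIM_SIGNED,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED
RCVD_IN_DNSWL_NONE,TVD_SPACE_RATIO,T_DKIM_INVALID,T_RP_MATCHES_RCVD
autolearn=no version=3.3.0"""

NUM = r"(-?\d+(?:\.\d+)?)"

def parse_spam_status(header):
    """Return score, threshold, autolearn state and fired tests from one header."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "x-spam-status":
        raise ValueError("not an X-Spam-Status header")
    flat = " ".join(value.split())  # unfold continuation lines
    score = re.search(r"\bscore=" + NUM, flat)
    required = re.search(r"\brequired=" + NUM, flat)
    if not (score and required):
        raise ValueError("score= or required= missing")
    # tests= runs up to the next key=value pair; a fold can replace a comma,
    # so names are split on commas and whitespace alike.
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|$)", flat)
    names = set(re.split(r"[,\s]+", tests.group(1))) if tests else set()
    names -= {"", "none"}  # drop empty strings and the "none" placeholder
    autolearn = re.search(r"\bautolearn=(\S+)", flat)
    return {
        "score": float(score.group(1)),
        "required": float(required.group(1)),
        "autolearn": autolearn.group(1) if autolearn else None,
        "tests": names,
    }

def diff_results(a, b):
    """Compare two parsed results: tests unique to each side and the score gap."""
    return {
        "only_a": sorted(a["tests"] - b["tests"]),
        "only_b": sorted(b["tests"] - a["tests"]),
        "score_gap": round(b["score"] - a["score"], 3),
        "threshold_gap": round(b["required"] - a["required"], 3),
    }

if __name__ == "__main__":
    d = diff_results(parse_spam_status(CARLOS), parse_spam_status(MARTIN))
    for key, val in d.items():
        print(f"{key}: {val}")
```

Run on the two headers above, it shows that every test in the first result also fired in the second, and that the second run additionally hit the DKIM, ADSP and envelope-sender tests.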

