At 8:04 PM -0400 06/13/2013, Alex wrote:
> After looking at it more closely, it's also only hitting bayes20 for you. Do the others also score so low? This hits bayes99 on my system.
The ones that SA doesn't catch, yes, they are typically low. I have some that are bayes50, some bayes20, some bayes00. Any that are bayes99 are almost certainly in my spam folder and I'm typically not looking at them (I don't have that much time to look at spam, so I prefer to look at FN rather than TP).
It's quite possible my Bayes DB is simply not sufficiently populated. I've trained it on about 750 FN spams over the last few weeks, but otherwise it's been mostly autolearning over the last 5 years or so. (As I said, I only recently started to get into the guts of SA, due to the increasing spam problem.) On the upside, I get zero FPs even with a spam threshold of 5, but I'm clearly getting a lot of FNs.
> It also hits the "LONGWORDS" rule and "MIME_NO_TEXT", pushing it over to be spam. Have you otherwise modified the body?
The only thing I did to the body was to change potentially unique identifying strings in the URIs (just in case the spammer can look that pastebin up and track those strings to my email address and DoS or super-spam me... I am paranoid, I know, but figured it was easy enough to change the URI). Those were just replaced with XXXXXXX appropriately. The body is otherwise completely unmodified, and only the headers were slightly modified (again just to change host/email and other potentially unique identifiers).
I'm not sure why those rules are hitting for you and not for me. I wonder if something is misconfigured on my installation. I should disclose that my installation is on a Parallels Pro Control Panel machine... PPCP ships with an SA rpm, but I've updated it with the version from RPMforge (spamassassin-3.3.1-3.el5.rf, which is the latest one on that repo). sa-update is run nightly via cron.
Any way to figure out why your rules are popping and mine aren't?
> The domain is also now listed in at least three RBLs.
By now, I expect so... I reported this spam to SpamCop (as I have been doing with all FN spam in the last month or so).
Thanks.
--- Amir