I've been very pleased with SURBL in SA3 and I'd like to increase the scores. However, I don't understand how the default scores like this work:
rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462
I feel SA is being too conservative with the resource that SURBL provides. Can anyone give me their recommendations for my local configuration file for replacement scores that will be more effective?
And since I couldn't find it referenced, can anyone tell me what the four numbers after the score mean?
Regards, KAM
I have my rules set as this:
score URIBL_AB_SURBL 50
Thus, no matter what mode you are running in, SA scores this rule 50 points. Put these in /etc/mail/spamassassin/local.cf or other .cf file in this folder.
Dan Zachary
Kevin A. McGrail wrote:
I've been very pleased with SURBL in SA3 and I'd like to increase the scores. However, I don't understand how the default scores like this work:
rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462
I feel SA is being too conservative with the resource that SURBL provides. Can anyone give me their recommendations for my local configuration file for replacement scores that will be more effective?
And since I couldn't find it referenced, can anyone tell me what the four numbers after the score mean?
Regards, KAM
Discuss mailing list Discuss@lists.surbl.org http://lists.surbl.org/mailman/listinfo/discuss
On Wednesday, May 18, 2005, 6:44:05 AM, Spam Admin wrote:
spam link.
http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564
Dan Zachary
Hi Dan, This is a recently registered domain (a couple weeks ago) but it doesn't seem to resolve into spaces that are known to be spammy. That may just mean spammers have moved into a new network space, etc.
However there are a number of odd things about this domain from the registration, to the host's registration, etc. And it doesn't seem to resolve currently.
Is anyone else seeing this in spams?
Jeff C. -- Don't harm innocent bystanders.
On Wed, 18 May 2005, Jeff Chan wrote:
On Wednesday, May 18, 2005, 6:44:05 AM, Spam Admin wrote:
spam link.
http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564
Dan Zachary
Hi Dan, This is a recently registered domain (a couple weeks ago) but it doesn't seem to resolve into spaces that are known to be spammy. That may just mean spammers have moved into a new network space, etc.
However there are a number of odd things about this domain from the registration, to the host's registration, etc. And it doesn't seem to resolve currently.
Is anyone else seeing this in spams?
Jeff C.
Jeff, I've been getting spam containing that URL and other 'sisters' (such as "dealstoday.net").
They have major spam-sign hallmarks:
The payload is a few lines of HTML that reference images with the ad "message" and then massive amounts of "Bayes poison" hidden by HTML comments or CSS tricks (style="visibility:hidden"), bogus HTML (large amounts of text after the closing </HTML> tag), as well as being sent to stale local addresses.
Examples available upon request. ;)
On Friday, May 20, 2005, 6:51:26 PM, David Funk wrote:
On Wed, 18 May 2005, Jeff Chan wrote:
On Wednesday, May 18, 2005, 6:44:05 AM, Spam Admin wrote:
spam link.
http://www.kexmt.move.fresh-deals.net/go/g/31/2869/1/?3495564
Dan Zachary
Hi Dan, This is a recently registered domain (a couple weeks ago) but it doesn't seem to resolve into spaces that are known to be spammy. That may just mean spammers have moved into a new network space, etc.
However there are a number of odd things about this domain from the registration, to the host's registration, etc. And it doesn't seem to resolve currently.
Is anyone else seeing this in spams?
Jeff C.
Jeff, I've been getting spam containing that URL and other 'sisters' (such as "dealstoday.net").
They have major spam-sign hallmarks:
The payload is a few lines of HTML that reference images with the ad "message" and then massive amounts of "Bayes poison" hidden by HTML comments or CSS tricks (style="visibility:hidden"), bogus HTML (large amounts of text after the closing </HTML> tag), as well as being sent to stale local addresses.
Examples available upon request. ;)
A good way to get these listed is to use SpamCop and/or report them on the SURBL checker page:
http://www.spamcop.net/ http://www.rulesemporium.com/cgi-bin/uribl.cgi
That helps get people and programs checking them.
This suggestion is for Dan Zachary too. :-)
OTOH, it's good to hear about FNs (false negatives - missed spams) so we can research them to find ways to include them. Note that we want examples that are 100% spammy, ideally owned by criminal spam gangs.
Jeff C. -- Don't harm innocent bystanders.
Truthfully, I was looking for something a bit more conservative that still reflected the possibility of a false-positive here and there ;-)
----- Original Message -----
From: "Spam Admin" spam_admin@sil.org
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Wednesday, May 18, 2005 9:22 AM
Subject: Re: [SURBL-Discuss] Question about scoring in SA3
I have my rules set as this:
score URIBL_AB_SURBL 50
Thus, no matter what mode you are running in, SA scores this rule 50 points. Put these in /etc/mail/spamassassin/local.cf or other .cf file in this folder.
Dan Zachary
Kevin A. McGrail wrote:
I've been very pleased with SURBL in SA3 and I'd like to increase the scores. However, I don't understand how the default scores like this work:
rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462
I feel SA is being too conservative with the resource that SURBL provides. Can anyone give me their recommendations for my local configuration file for replacement scores that will be more effective?
And since I couldn't find it referenced, can anyone tell me what the four numbers after the score mean?
Regards, KAM
On Wednesday, May 18, 2005, 6:54:02 AM, Kevin McGrail wrote:
Truthfully, I was looking for something a bit more conservative that still reflected the possibility of a false-positive here and there ;-)
One of the reasons the scores are below the default spam threshold of 5 is to take into account the possibility of false positives. The Bayesian math lets SpamAssassin score many different features of spam to make the determination. It certainly is possible to score some features higher than 5, which I do myself, but it should probably be evaluated in the context of the local installation.
Cheers,
Jeff C. -- Don't harm innocent bystanders.
This describes the four scoring numbers ....
score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
Assign scores (the number of points for a hit) to a given test. Scores can be positive or negative real numbers or integers. SYMBOLIC_TEST_NAME (http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html#item_symbolic_test_name) is the symbolic name used by SpamAssassin for that test; for example, 'FROM_ENDS_IN_NUMS'.
If only one valid score is listed, then that score is always used for a test.
If four valid scores are listed, then the score that is used depends on how SpamAssassin is being used. The first score is used when both Bayes and network tests are disabled (score set 0). The second score is used when Bayes is disabled, but network tests are enabled (score set 1). The third score is used when Bayes is enabled and network tests are disabled (score set 2). The fourth score is used when Bayes is enabled and network tests are enabled (score set 3).
Setting a rule's score to 0 will disable that rule from running.
If any of the score values are surrounded by parenthesis '()', then all of the scores in the line are considered to be relative to the already set score. ie: '(3)' means increase the score for this rule by 3 points in all score sets. '(3) (0) (3) (0)' means increase the score for this rule by 3 in score sets 0 and 2 only.
If no score is given for a test by the end of the configuration, a default score is assigned: a score of 1.0 is used for all tests, except those whose names begin with 'T_' (this is used to indicate a rule in testing) which receive 0.01.
Note that test names which begin with '__' are indirect rules used to compose meta-match rules and can also act as prerequisites to other rules. They are not scored or listed in the 'tests hit' reports, but assigning a score of 0 to an indirect rule will disable it from running.
Kevin A. McGrail wrote:
I've been very pleased with SURBL in SA3 and I'd like to increase the scores. However, I don't understand how the default scores like this work:
rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462
I feel SA is being too conservative with the resource that SURBL provides. Can anyone give me their recommendations for my local configuration file for replacement scores that will be more effective?
And since I couldn't find it referenced, can anyone tell me what the four numbers after the score mean?
Regards, KAM
Thanks very much!
----- Original Message -----
From: "Spam Admin" spam_admin@sil.org
To: "SURBL Discussion list" discuss@lists.surbl.org
Sent: Wednesday, May 18, 2005 9:46 AM
Subject: Re: [SURBL-Discuss] Question about scoring in SA3
This describes the four scoring numbers ....
score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
Assign scores (the number of points for a hit) to a given test. Scores can be positive or negative real numbers or integers. SYMBOLIC_TEST_NAME is the symbolic name used by SpamAssassin for that test; for example, 'FROM_ENDS_IN_NUMS'.
If only one valid score is listed, then that score is always used for a test.
If four valid scores are listed, then the score that is used depends on how SpamAssassin is being used. The first score is used when both Bayes and network tests are disabled (score set 0). The second score is used when Bayes is disabled, but network tests are enabled (score set 1). The third score is used when Bayes is enabled and network tests are disabled (score set 2). The fourth score is used when Bayes is enabled and network tests are enabled (score set 3).
Setting a rule's score to 0 will disable that rule from running.
If any of the score values are surrounded by parenthesis '()', then all of the scores in the line are considered to be relative to the already set score. ie: '(3)' means increase the score for this rule by 3 points in all score sets. '(3) (0) (3) (0)' means increase the score for this rule by 3 in score sets 0 and 2 only.
If no score is given for a test by the end of the configuration, a default score is assigned: a score of 1.0 is used for all tests, except those whose names begin with 'T_' (this is used to indicate a rule in testing) which receive 0.01.
Note that test names which begin with '__' are indirect rules used to compose meta-match rules and can also act as prerequisites to other rules. They are not scored or listed in the 'tests hit' reports, but assigning a score of 0 to an indirect rule will disable it from running.
Kevin A. McGrail wrote:
I've been very pleased with SURBL in SA3 and I'd like to increase the scores. However, I don't understand how the default scores like this work:
rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462
I feel SA is being too conservative with the resource that SURBL provides. Can anyone give me their recommendations for my local configuration file for replacement scores that will be more effective?
And since I couldn't find it referenced, can anyone tell me what the four numbers after the score mean?
Regards, KAM
On Wednesday, May 18, 2005, 5:52:30 AM, Kevin McGrail wrote:
I've been very pleased with SURBL in SA3 and I'd like to increase the scores. However, I don't understand how the default scores like this work:
rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462
I feel SA is being too conservative with the resource that SURBL provides. Can anyone give me their recommendations for my local configuration file for replacement scores that will be more effective?
And since I couldn't find it referenced, can anyone tell me what the four numbers after the score mean?
Here's a reference for the four values once mentioned on the SpamAssassin Users list by Theo in response to my own similar question:
$ perldoc Mail::SpamAssassin::Conf
[...]
If four valid scores are listed, then the score that is used depends on how SpamAssassin is being used. The first score is used when both Bayes and network tests are disabled (score set 0). The second score is used when Bayes is disabled, but network tests are enabled (score set 1). The third score is used when Bayes is enabled and network tests are disabled (score set 2). The fourth score is used when Bayes is enabled and network tests are enabled (score set 3).
You're certainly free to increase or decrease any scores you like. In case it's of interest the scores are set using a type of neural net called a perceptron in order to optimize them against the SpamAssassin test corpora. These default scores tend to work well, but everyone's own local corpora of spam and ham may be different.
I'm sure the folks on the SpamAssassin list may have more thoughts about this.
Cheers,
Jeff C. -- Don't harm innocent bystanders.
"Kevin A. McGrail" wrote:
I've been very pleased with SURBL in SA3 and I'd like to increase the scores. However, I don't understand how the default scores like this work:
rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417
rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213
rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000
rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263
rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462
I feel SA is being too conservative with the resource that SURBL provides. Can anyone give me their recommendations for my local configuration file for replacement scores that will be more effective?
I've had the following in production since ~May 2004 (2.64 patched for SURBL support):
score SPAMCOP_URI_RBL_SC 2
score SPAMCOP_URI_RBL_WS 2.0
score SPAMCOP_URI_RBL_PH 3
score SPAMCOP_URI_RBL_OB 1
score SPAMCOP_URI_RBL_AB 2
And one more SURBL listing: (Don't recall the origin; check the SURBL website)
score SPAMCOP_URI_RBL_JP 2
IIRC I had SC, OB, and AB all scored higher at one point, but ran into occasional FP problems. In an ISP environment, that's a Very Bad Thing. :/
On my personal server, I've set all of them to 4.
I also have a well-trained global Bayes db on both servers (one "regular" ISP customers, one domain hosting) - I've never had to wipe the Bayes files and start over. You might want to copy the BAYES_nn scores from 2.64; the 3.0.x BAYES_nn scores seem to have been lowered quite a bit and from the SA list traffic, seem to have caused a lot of FNs. (Just one of several reasons I haven't upgraded my 2.64 machines. They're working Just Fine Thanks.)
On top of that, I maintained a local SURBL-style list of domains found in FNs reported by customers. <g> I haven't added anything to it in a long time, although I do continue to feed Bayes with the (far smaller) number of customer reports of FNs and the (VERY) rare FP.
And since I couldn't find it referenced, can anyone tell me what the four numbers after the score mean?
They represent the four combinations possible with/without network tests and with/without Bayes.
1st: No network, no Bayes
2nd: Network enabled, no Bayes
3rd: No network, Bayes enabled
4th: Network enabled, Bayes enabled
-kgd
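The score-set rules quoted from the SpamAssassin documentation in this thread, worked through as an added example (it is not part of any post and is not SpamAssassin's own code). The function names are hypothetical, and rejecting any score count other than one or four is a choice made for this example.

```python
import re

THRESHOLD = 5.0  # default spam threshold mentioned in the thread

# The default lines quoted in the thread, grep prefix included.
DEFAULTS = [
    "rules/50_scores.cf:score URIBL_AB_SURBL 0 2.007 0 0.417",
    "rules/50_scores.cf:score URIBL_OB_SURBL 0 1.996 0 3.213",
    "rules/50_scores.cf:score URIBL_PH_SURBL 0 0.839 0 2.000",
    "rules/50_scores.cf:score URIBL_SC_SURBL 0 3.897 0 4.263",
    "rules/50_scores.cf:score URIBL_WS_SURBL 0 0.539 0 1.462",
]

def score_set(bayes, network):
    """Index 0..3: Bayes contributes 2, network tests contribute 1."""
    return (2 if bayes else 0) + (1 if network else 0)

def default_scores(rule):
    """Fallback when no score line exists: 1.0, or 0.01 for T_ test rules."""
    return [0.01] * 4 if rule.startswith("T_") else [1.0] * 4

def apply_score_lines(lines):
    """Apply score lines in order; later lines replace or adjust earlier ones."""
    table = {}
    for raw in lines:
        line = re.sub(r"^\S+\.cf:", "", raw.split("#", 1)[0].strip())
        parts = line.split()
        if len(parts) < 3 or parts[0] != "score":
            continue
        rule, tokens = parts[1], parts[2:]
        if len(tokens) not in (1, 4):  # this example accepts only these forms
            raise ValueError(f"expected 1 or 4 scores: {raw!r}")
        relative = any(t.startswith("(") for t in tokens)
        values = [float(t.strip("()")) for t in tokens]
        if len(values) == 1:
            values = values * 4
        if relative:  # parenthesised values adjust the already-set score
            base = table.get(rule, default_scores(rule))
            values = [round(b + v, 3) for b, v in zip(base, values)]
        table[rule] = values
    return table

def effective(table, rule, bayes, network):
    """Score a hit on `rule` contributes in the given mode (0 = rule disabled)."""
    return table.get(rule, default_scores(rule))[score_set(bayes, network)]

def tags_alone(table, rule, bayes, network):
    """True if one hit on this rule reaches the threshold with no other evidence."""
    return effective(table, rule, bayes, network) >= THRESHOLD
```

Appending `score URIBL_AB_SURBL 50` to the defaults makes `tags_alone` true in every mode, so one false-positive listing is enough to mark a message as spam. Appending `score URIBL_SC_SURBL (0) (1) (0) (0.5)` raises only the two network-enabled sets and keeps both under 5.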