
Re: *Please* fix spamassassin's score configuration



On Fri, Dec 27, 2002 at 11:48:49AM +0100, Emile van Bergen wrote:
> Hi,
> 
> On Fri, Dec 27, 2002 at 12:51:20PM +0800, ?????????? wrote:
> >     ??????????????????????????38196??????

I use a locally-tweaked installation of spamassassin, and for this
particular message, the analysis was:

SPAM: -------------------- Start SpamAssassin results ----------------------
SPAM: This mail is probably spam.  The original message has been altered
SPAM: so you can recognise or block similar unwanted mail in future.
SPAM: See http://spamassassin.org/tag/ for more details.
SPAM: 
SPAM: Content analysis details:   (9.50 hits, 4 required)
SPAM: FROM_ENDS_IN_NUMS  (0.9 points)  From: ends in numbers
SPAM: RATWARE_FOX        (0.5 points)  Potential spam client (FoxMail)
SPAM: CHARSET_FARAWAY    (3.2 points)  BODY: Character set indicates a foreign language
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01 (low)
SPAM: MAILTO_TO_SPAM_ADDR (1.0 points)  URI: Includes a link to a likely spammer email address
SPAM: SIGNATURE_SHORT_DENSE (-0.1 points) Short signature present (no empty lines)
SPAM: CHARSET_FARAWAY_HEADERS (3.2 points)  A foreign language charset used in headers
SPAM: 
SPAM: -------------------- End of SpamAssassin results ---------------------


> Can somebody *please*, finally, tweak the spamassassin configuration a bit?
> If you look at these headers:
> 
> Content-Type: text/plain;charset="GB2312"

This is where my config hit the spam hardest. All you need to do is to
add this to the SA config file:
	ok_locales en

And possibly bump up the score for CHARSET_FARAWAY and
CHARSET_FARAWAY_HEADERS. (I set this to a very high score because I don't
expect to get non-English non-spam mails; for Debian lists, a more
moderate setting might be more appropriate. Nevertheless, this will catch 
a LOT of spam.)

[snip]
> X-Mailer: FoxMail 4.0 beta 2 [cn]

FoxMail isn't really a spam client (google for FoxMail sometime---it's a
legit MUA). Nevertheless, in my local config I give it a positive score
because an unfortunately high percentage of spam I get comes from FoxMail
users.

The relevant rule is:

header   RATWARE_FOX    X-Mailer =~ /FoxMail/i
describe RATWARE_FOX    Potential spam client (FoxMail)


[snip]
> X-Spam-Status: No, hits=2.7 required=4.0
>         tests=FROM_ENDS_IN_NUMS,MAILTO_TO_SPAM_ADDR,SPAM_PHRASE_00_01,
>               SUBJ_MISSING
>         version=2.43
> 
> then I'd say there's a lot more that can be scored on:
> 
> * empty subject or 'Unidentified subject!', could get a score

I believe this is already getting caught by SUBJ_MISSING. Perhaps the
score for that should be bumped up a bit.

> * needlessly high priorities should definitely get a score

This is a bit questionable. It is quite plausible that legit mail to the
Debian lists will get sent with high priorities. Of course, one could
argue that Debian list users should know better than to set Outlook
priorities, but the point is that this isn't a particularly reliable
indicator of spam.

> * FoxMail could get a score (there's already a negative spam score for
>   USER_AGENT_MUTT and _PINE, so why not a positive one for this MUA?)

Like I said before, FoxMail is legit. The score for it should be low, if
at all. False negatives are better than false positives, even though they
are quite annoying nonetheless.

> * as said earlier, charset="GB2312" on an english list could also get
>   a positive score.

Definitely. This will catch a LOT of spam. (As my local SA setup proves --
90% of the spam in my spam mailbox is foreign-language spam.
Unfortunately, most of it comes through the Debian lists as well.) 

> It's /really/, positively getting a bit too much lately.

Maybe you really want to install SA on your local machine. :-)


T

-- 
Many open minds should be closed for repairs. -- K5 user
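
The following is an added example, not part of the original message or of SpamAssassin itself: a small what-if script that parses the report quoted above and re-scores the message with different charset rule scores, to show how much of the 9.50 total depends on CHARSET_FARAWAY and CHARSET_FARAWAY_HEADERS. The function names and the "moderate" score of 1.5 are assumptions chosen for illustration.

```python
import re

# Report lines copied from the SpamAssassin output quoted in the message above.
REPORT = """\
SPAM: Content analysis details:   (9.50 hits, 4 required)
SPAM: FROM_ENDS_IN_NUMS  (0.9 points)  From: ends in numbers
SPAM: RATWARE_FOX        (0.5 points)  Potential spam client (FoxMail)
SPAM: CHARSET_FARAWAY    (3.2 points)  BODY: Character set indicates a foreign language
SPAM: SPAM_PHRASE_00_01  (0.8 points)  BODY: Spam phrases score is 00 to 01 (low)
SPAM: MAILTO_TO_SPAM_ADDR (1.0 points)  URI: Includes a link to a likely spammer email address
SPAM: SIGNATURE_SHORT_DENSE (-0.1 points) Short signature present (no empty lines)
SPAM: CHARSET_FARAWAY_HEADERS (3.2 points)  A foreign language charset used in headers
"""

RULE_RE = re.compile(r"^SPAM:\s+([A-Z0-9_]+)\s+\((-?\d+(?:\.\d+)?) points?\)")
SUMMARY_RE = re.compile(r"\((-?\d+(?:\.\d+)?) hits, (\d+(?:\.\d+)?) required\)")


def parse_report(text):
    """Return (rule name -> score, reported total, required threshold)."""
    rules, total, required = {}, None, None
    for line in text.splitlines():
        rule = RULE_RE.match(line)
        if rule:
            rules[rule.group(1)] = float(rule.group(2))
            continue
        summary = SUMMARY_RE.search(line)
        if summary:
            total, required = float(summary.group(1)), float(summary.group(2))
    return rules, total, required


def what_if(rules, required, overrides):
    """Re-score with some rule scores replaced; a score of 0 disables a rule."""
    total = round(sum(overrides.get(name, s) for name, s in rules.items()), 2)
    # A message is tagged as spam once its total reaches the required score.
    return total, total >= required


if __name__ == "__main__":
    rules, reported, required = parse_report(REPORT)
    charset = ("CHARSET_FARAWAY", "CHARSET_FARAWAY_HEADERS")
    scenarios = {
        "as reported": {},
        "charset rules off": dict.fromkeys(charset, 0.0),
        "moderate 1.5 each (assumed)": dict.fromkeys(charset, 1.5),
    }
    for label, overrides in scenarios.items():
        total, is_spam = what_if(rules, required, overrides)
        print(f"{label:30} total={total:5.2f} spam={is_spam}")
```
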


