Re: notes on SMTP-time spamassassin rejections

by Gerald Oskoboiny <gerald@impressive.net>

 Date:  Wed, 21 Jul 2004 15:53:21 -0400
 To:  fogo@impressive.net
* Gerald Oskoboiny <gerald@impressive.net> [2004-06-01 13:01-0400]

> For the last few months any email to impressive.net with a SA
> score > 10 has been rejected, and any email I receive with score
> 5-10 goes into a mailbox called 'probable-spam' which in theory I
> could review periodically for false positives, but in practice
> just gets ignored. (it has 38643 messages since Jan 14, 292/day)
> 
> I hate silently ignoring email, so I wonder if I should decrease
> the rejection threshold to 5 or something.

I have been really happy with my spam blocking setup, and still have
not received a single complaint about valid mail being blocked.

Since June 3, 4899 messages were filtered to my probable-spam
mailbox but not rejected (messages that scored 5-10); I scanned
about 2k of those manually and found two false positives, an
inquiry about using a photo, and someone asking about a hotel
in Italy; both were tagged BAYES_99 which contributed 5.4 to the
score (but both scored < 6 total.)

So I just lowered my threshold for rejection to 6, and I am doing
away with this probable-spam mailbox, so I don't have to worry
about mail being silently ignored any more.

Oh... 6090 messages have entered my spam honeypot in that time,
fed directly into sa-learn --spam. (messages that scored > 10 were
rejected as usual, and not fed into sa-learn... I wonder if I
should try to exclude my honeypots from smtp-time spam blocking?)

Distribution of SA scores in probable-spam since June 3:

gerald@ogobogo:/home/gerald; cat mail/probable-spam | formail -s formail -c -XX-Spam-Status | cut -d= -f2 | cut -d. -f1 | sort -n | uniq -c
    269 5
    377 6
    695 7
    494 8
    379 9
    523 10
    503 11
    358 12
    415 13
    292 14
    223 15
    177 16
     94 17
     50 18
     27 19
     18 20
      3 21
      1 23
      1 24

(hmm, why so many > 10?? Those should have been rejected.
Maybe some network tests are not being done at smtp time?)

-- 
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/

HURL: fogo mailing list archives, maintained by Gerald Oskoboiny
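
Added example (not part of the original post and not the author's own tooling): a Python version of the formail/cut/uniq histogram above that also shows what moving the rejection threshold from 10 to 6 does to the same mailbox, and lists the delivered messages that carry BAYES_99 (the profile of the two false positives) for manual review. The sample messages are constructed, and "rejected when score >= threshold" is an assumption.

```python
import re
from collections import Counter
from email import message_from_string

# SpamAssassin 2.x headers say "hits=", 3.x says "score="; accept both.
SCORE_RE = re.compile(r"(?:hits|score)=(-?\d+(?:\.\d+)?)")

def parse_status(msg):
    """Return (score, tests) from X-Spam-Status, or None if missing/unparseable."""
    raw = " ".join(str(msg.get("X-Spam-Status", "")).split())  # unfold header
    m = SCORE_RE.search(raw)
    if not m:
        return None
    tests = set()
    for tok in re.split(r"[,\s]+", raw.partition("tests=")[2]):
        if "=" in tok:              # reached the next key=value field
            break
        if tok and tok != "none":
            tests.add(tok)
    return float(m.group(1)), tests

def threshold_report(messages, old=10.0, new=6.0):
    """Assumption: a message is rejected when score >= threshold."""
    rep = {"unscored": 0, "delivered": 0, "newly_rejected": 0,
           "missed_at_smtp": 0, "review": [], "histogram": Counter()}
    for msg in messages:
        if (parsed := parse_status(msg)) is None:
            rep["unscored"] += 1
            continue
        score, tests = parsed
        rep["histogram"][int(score)] += 1    # integer buckets, like `cut -d. -f1`
        if score >= old:
            rep["missed_at_smtp"] += 1       # should not have reached the mailbox
        elif score >= new:
            rep["newly_rejected"] += 1
        else:
            rep["delivered"] += 1
            if "BAYES_99" in tests:          # same profile as the false positives
                rep["review"].append(msg.get("Subject", ""))
    return rep

# Constructed sample messages (not taken from the original mailbox).
SAMPLE = [message_from_string(s + "\n\nbody\n") for s in (
    "Subject: photo inquiry\nX-Spam-Status: Yes, hits=5.6 required=5.0 tests=BAYES_99,\n\tHTML_MESSAGE autolearn=no version=2.63",
    "Subject: cheap pills\nX-Spam-Status: Yes, hits=7.3 required=5.0 tests=BAYES_99,HTML_MESSAGE autolearn=no version=2.63",
    "Subject: win now\nX-Spam-Status: Yes, hits=12.4 required=5.0 tests=BAYES_99,HTML_MESSAGE autolearn=no version=2.63",
    "Subject: newsletter\nX-Spam-Status: Yes, score=5.1 required=5.0 tests=HTML_MESSAGE autolearn=no version=3.0.0",
    "Subject: no header",
)]
```

To run it over a real mailbox, pass mailbox.mbox("mail/probable-spam") from the standard library as the messages argument; a non-zero missed_at_smtp count corresponds to the "> 10" entries questioned above.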