Alex Woick wrote:
> John Rudd wrote:
>
>> Botnet's score of 5 is meant to say "this message should be
>> quarantined or flagged for review". It's not saying "this message is
> >> _definitely_ spam".
>
> In my opinion, this is not quite according to the concept of
> SpamAssassin. SA has a bunch of rules that give qualified hints about
> the spamminess of a message. One hint alone is never enough, it always
> takes some of them until a threshold (5) is crossed and above that the
> message is considered spam. The more hints, the higher the spamminess.
> This works so well that I trust the hints if the score is above 10.
> These messages end up in a very seldom accessed "sure spam" folder
> that is auto-purged. Messages from 5 to 10 get moved to a "probably
> spam" folder that I inspect once a week perhaps. But I always consider
> these messages as spam with a solitary false positive that slips there.
> The philosophy behind SA suggests this approach, in my opinion.
>
> Botnet doesn't fit this philosophy - its score is way too high and the
> false positive probability is also too high to justify that a message is
> condemned as spam on one single rule. In my opinion, its default
> configuration should be according to SA defaults, so its score should be
> something between 1.5 and 3. If the message is spam, other rules most
> certainly also hit and push it above 5. If the message is ham, no harm
> is done and it is not denounced as spam.
>
> No offense meant - only my point of view.



You say it doesn't fit your philosophy of how to use SpamAssassin, yet
your mechanism is exactly the same as mine:

score between 5 and 10 is merely "probably spam". Above 10 is
"definitely spam".

I reject during SMTP at 10 or greater, and I put it into a quarantine
folder for 5 <= score < 10.

In my experience, the _VAST_ majority of messages that Botnet flags are
"probably spam" (actually, the fact majority ARE spam). That fits your
own philosophy of the 5-10 range.

The number of messages that get flagged by Botnet but aren't spam is, in
my observation across a few sites, less than one tenth of one percent.


No offense taken. I just think your opinion is self-contradictory. The
only thing that isn't contradicted by your statement is that you think
it shouldn't all rest in one test. Yet, there are plenty of anti-spam
mechanisms that do just fine putting it all in one test (using RBLs at
the MTA level, Greylisting, Greet-Pause, etc.). Botnet is just another
one of those.