AWL aging? - SpamAssassin

This is a discussion on AWL aging? - SpamAssassin ; I have recently understood AWL better, and am wondering if there should be some minimum number of entries before AWL is applied. I often get spam that doesn't score that high due to being a fresh relay. If I rescore ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: AWL aging?

  1. AWL aging?

    I have recently understood AWL better, and am wondering if there should
    be some minimum number of entries before AWL is applied. I often get
    spam that doesn't score that high due to being a fresh relay. If I
    rescore it with '|spamassassin -t' after a few days, often it's on
    blacklists and scores a lot higher, but is pulled down by AWL.

    So, I wonder if a rule that said 'AWL is only applied if there are >=5
    scores in the average' would avoid giving credit for spam that arrived
    when it wasn't classified as high as it should be now.


  2. Re: AWL aging?

    On Fri, 2008-05-30 at 16:21 -0400, Greg Troxel wrote:
    > I have recently understood AWL better, and am wondering if there should
    > be some minimum number of entries before AWL is applied. I often get
    > spam that doesn't score that high due to being a fresh relay. If I
    > rescore it with '|spamassassin -t' after a few days, often it's on
    > blacklists and scores a lot higher, but is pulled down by AWL.


    What do you gain by re-scoring?

    While the subject (and the name, Auto White List) might be confusing,
    the main purpose AFAIK actually is to *white* list good senders, that
    occasionally happen to send a spammy looking message. After all, most
    senders are forged, and an "auto black list" effect is rather unlikely.
    Even more so, since AWL takes the senders source net into account.
    (Didn't grep through my corpus though, going from memory.

    > So, I wonder if a rule that said 'AWL is only applied if there are >=5
    > scores in the average' would avoid giving credit for spam that arrived
    > when it wasn't classified as high as it should be now.


    Again, I don't see why you would re-score messages days later.

    However, some mechanism to clean out single message senders, has been
    mentioned before, and IIRC should be a known feature request. A (low)
    threshold before AWL kicks in, possibly combined with a timeout for
    pruning single message senders would be rather related.

    guenther


    --
    char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
    main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


  3. Re: AWL aging?

    Karsten Bräckelmann writes:

    > On Fri, 2008-05-30 at 16:21 -0400, Greg Troxel wrote:
    >> I have recently understood AWL better, and am wondering if there should
    >> be some minimum number of entries before AWL is applied. I often get
    >> spam that doesn't score that high due to being a fresh relay. If I
    >> rescore it with '|spamassassin -t' after a few days, often it's on
    >> blacklists and scores a lot higher, but is pulled down by AWL.

    >
    > What do you gain by re-scoring?


    Nothing useful. I noticed this after getting spam that had a URI that
    wasn't on URIBL, reporting it and finding that it was added, and then
    going to check if the rules then picked it up. So I am really wondering
    about the scenario of

    get spam that scores moderately, say 2

    [time passes, spam's sender or URI get on blocklists]

    get same spam from same sender/net that scores 8 (same rules, plus
    SPAMCOM_BL, URIBL) but it gets moved down to 5 based on the previous
    message

    I think I have seen this, but I'm not 100% sure - this was the
    motivation for wanting to see more data on the AWL report line.

    > While the subject (and the name, Auto White List) might be confusing,
    > the main purpose AFAIK actually is to *white* list good senders, that
    > occasionally happen to send a spammy looking message. After all, most
    > senders are forged, and an "auto black list" effect is rather unlikely.
    > Even more so, since AWL takes the senders source net into account.
    > (Didn't grep through my corpus though, going from memory.


    Sure, I see the point, but it gives credit to a very-spammy message for
    a previous semi-spammy message too, and that is in general reasonable.

    >> So, I wonder if a rule that said 'AWL is only applied if there are >=5
    >> scores in the average' would avoid giving credit for spam that arrived
    >> when it wasn't classified as high as it should be now.

    >
    > Again, I don't see why you would re-score messages days later.


    I didn't mean to rescore. I find that a lot of spam is repeated, and
    even has the same from address and ip. I am trying to avoid for the
    next instance giving credit for a previous non-spammy message when the
    previous message was just as spammy, just not noticed as such because it
    wasn't in blocklists yet.

    > However, some mechanism to clean out single message senders, has been
    > mentioned before, and IIRC should be a known feature request. A (low)
    > threshold before AWL kicks in, possibly combined with a timeout for
    > pruning single message senders would be rather related.


    Thanks for the comments. I've put this on my todo list (which doesn't
    mean it will happen anytime soon :-).


+ Reply to Thread