On Sat, 2008-11-01 at 19:54 +0000, Martin Gregorie wrote:
> On Sat, 2008-11-01 at 18:20 +0100, Karsten Bräckelmann wrote:
>
> > Also, various URI BLs should include the URIs rather early. Are you
> > perhaps missing some of these in your SA setup? Maybe put some examples
> > up a pastebin and send the link here.
>
> I'm running the standard SA setup without any additional rulesets apart
> from private ones I've written for amusement and self-education. I have
> blacklist interrogation enabled.
>
> > If you're feeling confident about the rule, you can open a new bug.
> > However, you always can simply post it here for discussion and a broader
> > peer-review first in either case.
>
> Here's the rule with spaces removed from the meta-rule to prevent it
> line-wrapping. Unfortunately, the 4th sub-rule has wrapped and there's
> not a lot I can do about that.


Yes, there is. Your MUA, Evolution, features pre-formatted paragraphs in
the Composer. But I don't feel like repeating myself today.


> describe MG_CASINO Casino gambling
> body __MG_CAS1 /(csnaio|casino)/i
> header __MG_CAS2 Subject =~ /casino/i
> header __MG_CAS3 From =~ /casino/i
> body __MG_CAS4 /(\$[0-9]+|[0-9]+ *euro|gold|real deal|invite.*play)/i
> meta MG_CASINO ((__MG_CAS1||__MG_CAS2||__MG_CAS3)&&__MG_CAS4)
> score MG_CASINO 2.0


Hmm, it might be worthwhile for local rules to score at least a few of
them on sight with a low score, yet keep them in the meta. (Yes,
single word rules are generally bad, but scoring a From header that
contains specific words might help catch these.) I'd enforce word
breaks, though.


> and here's one of the messages I mentioned:
>
> http://pastebin.com/m1de987d0


X-Spam-Status: No, score=5.2 required=6.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE

This one would have been flagged as spam when using the default
required_score spam threshold of 5.0. Also, I notice you're apparently
not using Bayes, which likely could raise the score above your 6.0
threshold, when trained on these.

On my check the sample also scored 0.8 for SPF_HELO_SOFTFAIL. Plus
Pyzor, which is not enabled by default unless you install Pyzor.

URIBL_BLACK as well as SURBL JP and OB triggered for me. These might
very well have been updated *after* you received that mail, but it won't
hurt to check whether they are working for you at all.

Oh, and then I got a custom rule worth 0.5 for any single Relay, direct
client to MX mail.

HTH

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
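
Added example, not part of either poster's message: a small Python model of the MG_CASINO meta from the thread, evaluated with the regexes as posted and with word breaks enforced, to show what the "enforce word breaks" advice changes. The bounded patterns, the evaluate() helper and both sample messages are constructed assumptions; this is a simplified stand-in for SpamAssassin's own rule evaluation.

```python
import re

# Sub-rule patterns exactly as posted in the thread (no word breaks).
ORIGINAL = {
    "cas1": r"(csnaio|casino)",
    "cas2": r"casino",
    "cas3": r"casino",
    "cas4": r"(\$[0-9]+|[0-9]+ *euro|gold|real deal|invite.*play)",
}

# Assumed tightening: \b around each alternative. \b cannot precede "$"
# (no word character on either side there), so that branch only gets a
# trailing \b. "euros?" is also an assumption so plurals still match.
BOUNDED = {
    "cas1": r"\b(?:csnaio|casino)\b",
    "cas2": r"\bcasino\b",
    "cas3": r"\bcasino\b",
    "cas4": r"(?:\$[0-9]+\b|\b[0-9]+ *euros?\b|\bgold\b"
            r"|\breal deal\b|\binvite\b.*\bplay\b)",
}

def evaluate(rules, msg):
    """Return (sub-rule hits, meta result) for a from/subject/body dict."""
    def hit(name, text):
        return re.search(rules[name], text, re.I) is not None
    subs = {
        "__MG_CAS1": hit("cas1", msg["body"]),
        "__MG_CAS2": hit("cas2", msg["subject"]),
        "__MG_CAS3": hit("cas3", msg["from"]),
        "__MG_CAS4": hit("cas4", msg["body"]),
    }
    # Same logic as: ((__MG_CAS1||__MG_CAS2||__MG_CAS3)&&__MG_CAS4)
    meta = (subs["__MG_CAS1"] or subs["__MG_CAS2"]
            or subs["__MG_CAS3"]) and subs["__MG_CAS4"]
    return subs, meta

# Constructed sample messages (not taken from the pastebin sample).
SPAM = {"from": "promo@example.net", "subject": "Your bonus",
        "body": "You are invited to our csnaio! Claim $500 in free chips."}
HAM = {"from": "events@example.org", "subject": "Conference dinner",
       "body": "Dinner is in the hotel next to the casino. "
               "Dr. Goldberg will give the keynote."}

if __name__ == "__main__":
    for label, msg in (("spam", SPAM), ("ham", HAM)):
        for name, rules in (("original", ORIGINAL), ("bounded", BOUNDED)):
            print(label, name, evaluate(rules, msg))
```

With the posted patterns the constructed ham message fires the meta because "gold" matches inside "Goldberg"; with word breaks only the spam sample does.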