[Mimedefang] SURBL

[Kelson]

-ray wrote:
> Also while poking around, some SURBL mails got through cause BAYES_00 
> gave a negative score.  In general do ya'll let BAYES_* rules score 
> negative?

Well, that *is* what they're for.  Anything under 50% is supposed to be 
more likely legit than spam, based on mail you've seen before.  The 
Bayes rules are there in part to compensate for things like news 
articles about deposed African leaders and large sums of money that 
might otherwise trip spam rules.  I've actually increased the magnitude 
of the scores on the lower-end Bayes rules.  (Hmm, "increase your 
magnitude" sounds like a phrase that'll show up in spam any day now.)

If you're geting BAYES_00 on lots of obvious spam, you need to re-train 
your database or just stop using Bayes.  Take a bunch of those messages 
(as many as possible) that hit SURBL but also hit BAYES_00 and run them 
through sa-learn --spam.

> What about the other negative scores?  Just set them to zero?  

There aren't very many left.  AFAIK it's Bayes, Habeas, Bonded Sender 
and ALL_TRUSTED (meaning the message started inside your network and 
never left).  SPF passes are technically negative, but they're scored 
just enough to track (as they should be) and not to affect the score.

If you've got your trust path set up right, ALL_TRUSTED is pretty much 
safe.  If not it can cause problems, but you're better off fixing the 
trust path than disabling the rule because the trust path is used for 
other things.  As for Bonded Sender and Habeas, forgeries are much 
harder than they used to be, so it depends on how much you trust their 
criteria and their verification process.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>