Re: [Nolug] Confused about SpamAssassin report

From: Andrew S. Johnson <andy_at_asjohnson.com>
Date: Wed, 9 Jul 2003 18:30:25 -0500
Message-Id: <200307091830.25305.andy@asjohnson.com>

On Wednesday 09 July 2003 11:38 am, Mark A. Hershberger wrote:
> Ron Johnson <ron.l.johnson@cox.net> writes:
>
> > On Wed, 2003-07-09 at 10:31, -ray wrote:
> >> On 9 Jul 2003, Ron Johnson wrote:
> >>
> >> > On Tue, 2003-07-08 at 21:27, Andrew S. Johnson wrote:
>
> >> > > * 0.0 -- User-Agent header indicates a non-spam MUA (KMail)
>
> > So they just assume that anyone using KMail would never send out spam?
>
> No.
>
> They use a genetic algorithm to create the scores for various rules.
> Used to be that spammers would forge Outlook headers, but be off by a
> typo or two. SA could look at these obviously forged headers and
> know that it was a spammer.
>
> In the same way SA would look at valid headers and you have a fairly
> good chance that it wasn't spam. Valid KMail headers probably once
> had a fairly low (negative) score.
>
> Of course, spammers saw this and got smarter. So they started
> generating valid KMail or Outlook headers to get their spam through.
>
> Then SA re-ran their genetic algorithm to re-gen their scores.
> Obviously, the scores for good headers came way down.
>
> Still, it looks like someone has manually fixed the KMail header
> score at zero in their local installation.
>
> So, long story short, SA rules are in flux to keep spammers from
> taking advantage of them. That's why it is important to keep the
> latest version of SA running.
>
> Mark.
>

Actually, I just got MIMEdefang and SA set up on my server over the
weekend, so I'm still learning and tweaking. It seems that it scans both
incoming and outgoing mail, and that's why the report was attached to
the outgoing message. I saw that after it went out, so I went and added
all my users in my domain and all my subdomains to my whitelist, and
tweaked the MIMEdefang script some more. Now my outgoing mail
shouldn't have this problem any more. Overall, I'm pleased with SA's
accuracy. Not perfect, but pretty darn good. So, the spam report falls
into the "my bad" category.

Andy

___________________
Nolug mailing list
nolug@nolug.org
Received on 07/09/03
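
Added example, not part of the original thread: a small parser for report lines in the format quoted above, showing that a rule listed at 0.0 matched but adds nothing to the total that decides the verdict. Only the KMail line comes from the thread; the other sample lines, their scores, and the function names are constructed, and 5.0 is assumed as the threshold (SpamAssassin's default).

```python
import re

# Matches report lines of the form quoted in the thread:
#   "* 0.0 -- User-Agent header indicates a non-spam MUA (KMail)"
# and tolerates mail-quoting prefixes ("> > ") in front of the asterisk.
REPORT_LINE = re.compile(r"^[>\s]*\*\s+(-?\d+(?:\.\d+)?)\s+--\s+(.+?)\s*$")

# Constructed sample report. Only the KMail line comes from the thread; the
# other descriptions and all non-zero scores are made up for illustration.
SAMPLE_REPORT = """\
> >> > > * 0.0 -- User-Agent header indicates a non-spam MUA (KMail)
* 2.1 -- Constructed rule: subject is all capitals
* 1.4 -- Constructed rule: message is mostly HTML
* -0.5 -- Constructed rule: message quotes an earlier mail
this line is not a rule hit and is skipped
"""


def parse_report(text):
    """Return a list of (score, description) for every rule-hit line."""
    hits = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            hits.append((float(m.group(1)), m.group(2)))
    return hits


def summarize(hits, required=5.0):
    """Total the hits and split them by the direction they push the verdict."""
    total = round(sum(score for score, _ in hits), 2)
    return {
        "total": total,
        "is_spam": total >= required,  # assumed threshold: SA default of 5.0
        "toward_spam": [d for s, d in hits if s > 0],
        "toward_ham": [d for s, d in hits if s < 0],
        # Rules that matched but carry no weight, like the KMail line.
        "no_effect": [d for s, d in hits if s == 0],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```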
