Email: 561313 Autolearn: 0 AvgScore: 6.77 AvgScanTime: 2.41 sec
Spam: 209359 Autolearn: 0 AvgScore: 16.99 AvgScanTime: 2.30 sec
Ham: 351954 Autolearn: 0 AvgScore: 0.70 AvgScanTime: 2.48 sec
Time Spent Running SA: 376.39 hours
Time Spent Processing Spam: 133.76 hours
Time Spent Processing Ham: 242.62 hours
TP SPAM RULES FIRED
RANK RULE NAME **** %FRULES %FMAIL %FSPAM %FHAM
1 URIBL_BLACK 163397 7.09 29.11 78.05 0.50
2 RAZR2_CHECK 157132 6.82 27.99 75.05 2.96
3 RAZR2_CF_RANGE_51_100 153141 6.65 27.28 73.15 2.36
4 RAZR2_CF_RANGE_E8_51_100 124580 5.41 22.19 59.51 0.41
5 URIBL_JP_SURBL 118251 5.13 21.07 56.48 0.09
6 URIBLB_SURBL 118163 5.13 21.05 56.44 0.38
7 URIBL_SBL 86205 3.74 15.36 41.18 0.29
8 URIBL_WS_SURBL 85005 3.69 15.14 40.60 0.12
9 URIBL_SC_SURBL 69818 3.03 12.44 33.35 0.00
10 RAZR2_CF_RANGE_E4_51_100 67772 2.94 12.07 32.37 1.98
11 URIBL_AB_SURBL 50613 2.20 9.02 24.18 0.00
12 SPF_HELPASS 38703 1.68 6.90 18.49 7.79
13 MIME_HTMLNLY 38260 1.66 6.82 18.27 7.30
14 SPF_PASS 35133 1.53 6.26 16.78 5.00
15 UNPARSEABLE_RELAY 33696 1.46 6.00 16.09 3.82
16 RCVD_IN_BL_SPAMCP_NET 31596 1.37 5.63 15.09 0.89
17 HTML_IMAGE_RATI 27531 1.20 4.90 13.15 1.96
18 DNS_FRM_RFC_ABUSE 26538 1.15 4.73 12.68 25.27
19 INFTLD 20978 0.91 3.74 10.02 0.98
20 DNS_FRM_RFC_PST 18523 0.80 3.30 8.85 3.39
TP HAM RULES FIRED
RANK RULE NAME **** %FRULES %FMAIL %FSPAM %FHAM
1 DNS_FRM_RFC_ABUSE 88943 13.50 15.85 12.68 25.27
2 NREAL_NAME 86768 13.17 15.46 2.77 24.65
3 RCVD_IN_SRBS_SCKS 53264 8.09 9.49 0.49 15.13
4 HTML_FNT_BIG 28181 4.28 5.02 8.24 8.01
5 SPF_HELPASS 27407 4.16 4.88 18.49 7.79
6 MIME_HTMLNLY 25690 3.90 4.58 18.27 7.30
7 SPF_PASS 17595 2.67 3.13 16.78 5.00
8 UNPARSEABLE_RELAY 13461 2.04 2.40 16.09 3.82
9 HTML_TAG_EXIST_TBDY 12981 1.97 2.31 3.57 3.69
10 DNS_FRM_RFC_PST 11917 1.81 2.12 8.85 3.39
11 DNS_FRM_RFC_WHIS 10789 1.64 1.92 3.98 3.07
12 RAZR2_CHECK 10410 1.58 1.85 75.05 2.96
13 MAILTTSPAM_ADDR 10002 1.52 1.78 0.30 2.84
14 MISSING_SUBJECT 9410 1.43 1.68 1.28 2.67
15 RAZR2_CF_RANGE_51_100 8319 1.26 1.48 73.15 2.36
16 MISSING_HEADERS 7751 1.18 1.38 1.49 2.20
17 TCC_NNE 7645 1.16 1.36 1.52 2.17
18 RAZR2_CF_RANGE_E4_51_100 6970 1.06 1.24 32.37 1.98
19 HTML_IMAGE_RATI 6892 1.05 1.23 13.15 1.96
20 MSGID_FRM_MTA_ID 6769 1.03 1.21 3.74 1.92

TP HAM RULES FIRED

RANK RULE NAME **** %FRULES %FMAIL %FSPAM
%FHAM

1 DNS_FRM_RFC_ABUSE 88943 13.50 15.85 12.68
25.27

That worries me. Granted, at most that will add 0.479 to a message (when
used with the default 3.1.1 scores), but to have your #1 *ham* rule be one
that's supposed to identify *spam* doesn't speak well for the rule. I like
RFCI; I feed it bogusmx or DSN-violating mail whenever I can. But, the abuse
and postmaster lists contain far too many *major* ISPs for them to be
reliable indicators of spam.

PGP SIGNED MESSAGE
Hash: SHA1

Net tests also seem to have a big impact here, but BAYES still rocks on
a small (3-user) install
I Note that URIBL_(?:BLACK|SBL), RCVD_IN_BL_SPAMCP_NET, HTML_MESSAGE
are hitting some fair ham though. FRGED_RCVD_HEL is an artefact of
bigfoot; L_MISC_LNGSTRING is a throwaway/testing local rule and
NREAL_NAME ham is thanks to auto-responder and list-posters mainly

Regards,
C.

TP SPAM RULES FIRED
-
RANK RULE NAME **** %FMAIL %FSPAM %FHAM
-
1 BAYES_99 4825 13.23 97.36 0.55
2 HTML_MESSAGE 3337 15.93 67.33 8.18
3 URIBL_BLACK 2730 7.53 55.08 0.37
4 URIBL_SC_SURBL 2368 6.27 47.78 0.01
5 URIBL_JP_SURBL 2333 6.22 47.07 0.07
6 URIBL_WS_SURBL 2209 5.91 44.57 0.09
7 URIBL_SBL 2026 5.59 40.88 0.27
8 URIBLB_SURBL 1987 5.34 40.09 0.10
9 RCVD_IN_BL_SPAMCP_NET 1900 6.50 38.34 1.71
10 FRGED_RCVD_HEL 1810 19.53 36.52 16.97
11 URIBL_AB_SURBL 1528 4.04 30.83 0.01
12 ADVANCE_FEE_1 1420 3.82 28.65 0.08
13 ADVANCE_FEE_2 1265 3.35 25.52 0.01
14 EXTRA_MPART_TYPE 1196 3.18 24.13 0.02
15 RCVD_IN_XBL 1176 3.11 23.73 0.00
16 ADVANCE_FEE_3 1069 2.82 21.57 0.00
17 HTML_90_100 1017 3.42 20.52 0.84
18 DNS_FRM_RFC_ABUSE 916 2.76 18.48 0.39
19 HTML_SHRT_LINK_IMG_1 888 2.35 17.92 0.00
20 SUBJ_ALL_CAPS 863 2.39 17.41 0.12
-

TP HAM RULES FIRED
-
RANK RULE NAME **** %FMAIL %FSPAM %FHAM
-
1 BAYES_00 26279 69.44 0.08 79.89
2 SPF_PASS 22668 60.11 1.63 68.92
3 DK_SIGNED 6063 16.93 6.98 18.43
4 FRGED_RCVD_HEL 5582 19.53 36.52 16.97
5 USER_IN_SPF_WHITELIST 4986 13.17 0.00 15.16
6 RCVD_BY_IP 4674 13.21 6.60 14.21
7 ALL_TRUSTED 3219 8.51 0.00 9.79
8 HTML_MESSAGE 2691 15.93 67.33 8.18
9 NREAL_NAME 1355 4.34 5.79 4.12
10 L_MISC_LNGSTRING 829 2.48 2.24 2.52
11 BAYES_50 702 1.98 0.93 2.13
12 TW_EV 619 1.64 0.04 1.88
13 DK_PLICY_SIGNSME 563 2.64 8.80 1.71
14 RCVD_IN_BL_SPAMCP_NET 561 6.50 38.34 1.71
15 TWC 534 1.41 0.00 1.62
16 DK_VERIFIED 526 1.60 1.57 1.60
17 DK_PLICY_TESTING 473 2.38 8.62 1.44
18 HTML_30_40 453 1.68 3.71 1.38
19 AWL 435 1.17 0.16 1.32
20 HTML_40_50 425 1.52 3.01 1.29

- --
Craig McLeanhttp://fukka.co.uk
craig (AT) fukka (DOT) co.ukWhere the fun never starts
Powered by FreeBSD, and GIN!
PGP SIGNATURE
Version: GnuPG v1.4.3 (GNU/Linux)

C+Ttaa28fk0tqjGfmEIVjNc=
=x6wv
PGP SIGNATURE

| TP HAM RULES FIRED
|
| RANK RULE NAME **** %FRULES %FMAIL %FSPAM
| %FHAM
|
| 1 DNS_FRM_RFC_ABUSE 88943 13.50 15.85 12.68
| 25.27
|
| That worries me. Granted, at most that will add 0.479 to a message (when
| used with the default 3.1.1 scores), but to have your #1 *ham* rule be one
| that's supposed to identify *spam* doesn't speak well for the rule. I like
| RFCI; I feed it bogusmx or DSN-violating mail whenever I can. But, the abuse
| and postmaster lists contain far too many *major* ISPs for them to be
| reliable indicators of spam.

I can't tell you how surprised I was to see this as well. It's truly a bummer.

QQQQ

Mike,

Good news. I dug in deeper and found that 56536 of the 88943 were from one server. It's a user
that fires off a batch job or something every few minutes. I have made some adjustments and thus
this user's email will no longer be part of the stats.

QQQQ

Message
From: "Mike Jackson" <mjackson (AT) mightymerchant (DOT) com>
To: <users (AT) spamassassin (DOT) apache.org>
Sent: Monday, May 08, 2006 1:52 PM
Subject: Re: Latest sa-stats from last week

| TP HAM RULES FIRED
|
| RANK RULE NAME **** %FRULES %FMAIL %FSPAM
| %FHAM
|
| 1 DNS_FRM_RFC_ABUSE 88943 13.50 15.85 12.68
| 25.27
|
| That worries me. Granted, at most that will add 0.479 to a message (when
| used with the default 3.1.1 scores), but to have your #1 *ham* rule be one
| that's supposed to identify *spam* doesn't speak well for the rule. I like
| RFCI; I feed it bogusmx or DSN-violating mail whenever I can. But, the abuse
| and postmaster lists contain far too many *major* ISPs for them to be
| reliable indicators of spam.
|
|

Mike Jackson wrote:
>TP HAM RULES FIRED
>
>RANK RULE NAME **** %FRULES %FMAIL %FSPAM
>%FHAM
>
>1 DNS_FRM_RFC_ABUSE 88943 13.50 15.85 12.68
>25.27

That worries me. Granted, at most that will add 0.479 to a message (when
used with the default 3.1.1 scores), but to have your #1 *ham* rule be
one that's supposed to identify *spam* doesn't speak well for the rule.
I like RFCI; I feed it bogusmx or DSN-violating mail whenever I can.
But, the abuse and postmaster lists contain far too many *major* ISPs
for them to be reliable indicators of spam.

SpamAssassin's perceptron appears to agree with you, it has never in history
given this rule as much as 0.5 points:

DNS_FRM_RFC_ABUSE 0 0.374 0 0
DNS_FRM_RFC_ABUSE 0 0.374 0 0
DNS_FRM_RFC_ABUSE 0 0.374 0 0
DNS_FRM_RFC_ABUSE 0 0.374 0 0
DNS_FRM_RFC_ABUSE 0 0.374 0 0
DNS_FRM_RFC_ABUSE 0 0.479 0 0.200
DNS_FRM_RFC_ABUSE 0 0.479 0 0.200