Re: false positives...

Agreed, revocation is the way of dealing with bad submissions.

In this case, it is likely that someone has a spamtrap address that 
auto-reports everything that comes in. Someone else may have maliciously 
subscribed that spamtrap to this mailing list to get it reported, or it may 
have been done auto-magicaly by a worm or virus (there have been reports by 
some of the SpamAssassin developers that some virii are submitting email 
addresses to list subscription addresses and that they've been recently 
finding some of their spamtrap addresses subscribed to lists.)


In any event, this particular message when I ran it through razor-check -d 
only had a cf of 14, so it's not all that well trusted as being spam. If a 
handful of people accurately revoke it, it should drop off the list.

The relevant debug output follows:

Feb 11 14:53:40.889525 check[29515]: [ 2]  Razor-Agents v2.22 starting 
razor-check
d
<snip>
Feb 11 14:53:41.232537 check[29515]: [ 4] truth.cloudmark.com << 96
Feb 11 14:53:41.232641 check[29515]: [ 6] 
-a=c&e=2&s=j70-rFNVBuyVQjpLKEp3HLljSzQA
a=c&e=4&ep4=7542-10&s=xn62Xy-z3j16_VK0VOrshdb1jo8A
Feb 11 14:53:41.399614 check[29515]: [ 4] truth.cloudmark.com >> 20
Feb 11 14:53:41.399746 check[29515]: [ 6] response to sent.1
-p=0
cf=14&p=1

Feb 11 14:53:41.400293 check[29515]: [ 6] mail 1.0 e=2 
sig=j70-rFNVBuyVQjpLKEp3HLljSzQA: sig not found.
Feb 11 14:53:41.400734 check[29515]: [ 3] mail 1.0 e=4 
sig=xn62Xy-z3j16_VK0VOrshdb1jo8A: Is spam: cf 14 >= min_cf 1


Also note that since e2 does not match, but e4 does, it shows that this 
*exact* message is not listed in the razor database, but instead a very 
similar with some significant subset of the text being identical.

In general I find that a lot of the low-cf matches in razor are garbage 
hits. Although this run uses default settings, my production run uses a 
min_cf of 11 to try to quiet some of the bad hits down.



At 01:21 PM 2/11/2003 -0500, Ed Hennis wrote:
> On 11 Feb 2003, 5:34pm (-0000), Dirk Koopman wrote:
>
> > How is the attached spam? Should there be some simple checking going on
> > somewhere in the system before accepting something as spam?
>
> It's spam because somebody said it (or in this case probably something
> like it) is spam.  If you disagree, revoke the message.  Revokation _is_
> the simple checking that the system implements.  Anything else could be
> exploited by spammers to fake the system out.
>
> --
> Edward Hennis ___ eah+spam@xxxxxxxxx ___ http://www.vaxer.net/~eah
>  "The Bible contains six admonishments to homosexuals and 362
>  admonishments to heterosexuals. That doesn't mean that God doesn't
>  love heterosexuals. It's just that they need more supervision."
>    - Lynn Lavner
>
>
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> Razor-users mailing list
> Razor-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/razor-users



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com