Mailing List Archive

Score for certain spam
In your experience, what is a good ‘certain spam’ threshold? By that I
mean the score above which messages are virtually always spam, no false
positives.

The default threshold for spam is 5.0, which works well for me. Only
very rarely a ham message scores above that and lands in my Junk folder.
Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
such messages at the SMTP layer, without having to worry about rejecting
legitimate messages.

Thank you!
Re: Score for certain spam
On Tue, 2021-08-17 at 18:03 +0200, David Bürgin wrote:
> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no
> false positives.
>
I pushed it one notch, to 6.0, but:
 
(a) I've accumulated a fair collection of private rules which are
specific to my mail stream

(b) I have a private mail archive, stored in a PostgreSQL database,
and an SA plugin which whitelists any sender who is recorded in my
archive as somebody that I've previously sent mail to.

(c) Spam is quarantined as it arrives.
Ham is delivered via Postfix + Dovecot and also queued for archiving

(d) spam gets quarantined for 7 days before being discarded

(e) An overnight cronjob loads ham that's queued for archiving into the
mail archive. It also expires & deletes week-old quarantined spam,
and I added a report to logwatch that lists new spam, so I know it's
arrived and can be retrieved from quarantine if I decide I should
see it.

I've listed these steps and associated conditions in case any are useful
to you. This has all been up and running since 2007, so it's tolerably
well tested.


Martin
Re: Score for certain spam
Hi David,

If your default is in the 5 to 6 range for scoring, we have found that
11.0 has virtually no FPs and 15.0 has not had any FPs at our firm in years.

Regards,

KAM

On 8/17/2021 12:03 PM, David Bürgin wrote:
> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no false
> positives.
>
> The default threshold for spam is 5.0, which works well for me. Only
> very rarely a ham message scores above that and lands in my Junk folder.
> Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
> such messages at the SMTP layer, without having to worry about rejecting
> legitimate messages.
>
> Thank you!

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Score for certain spam
On 17.08.21 18:03, David Bürgin wrote:
>In your experience, what is a good ‘certain spam’ threshold? By that I
>mean the score above which messages are virtually always spam, no false
>positives.
>
>The default threshold for spam is 5.0, which works well for me. Only
>very rarely a ham message scores above that and lands in my Junk folder.
>Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
>such messages at the SMTP layer, without having to worry about rejecting
>legitimate messages.

On my personal server I have pushed the score to 3.5 and reject anything
over 9. Note that I intensively train spams and FPs.

I maintain a few servers, default score is at 5 and reject over 8.
One server without proper training, score is left at amavis default and
reject on 10.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
Re: Score for certain spam
David Bürgin <dbuergin@gluet.ch> writes:

[all the other replies sound 100% sensible to me]

> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no false
> positives.

There is no certainty; there is only probability. So you have to
decide what risk you want to put up with, and that's in my experience a
risk of accepted spam and a risk of rejected ham.

> The default threshold for spam is 5.0, which works well for me. Only
> very rarely a ham message scores above that and lands in my Junk folder.

I have set up TXREP, and added known senders to a welcomelist, plus some
private rules and score tweaks, SA base plus KAM.

I find that ham over 5 is extremely rare.

I am rejecting at the SMTP level at 8. I have so far not received a
single complaint of legit mail being rejected. 8 is a bit more
aggressive than I would recommend in general.

Note that I take two unconventional views compared to standard SA
doctrine:

mail is personal-ham, list-ham, or spam. If a message from a
mailinglist that is technically ham gets misfiled or even rejected,
that's not a big deal. Mail that is personally to me (really, that I
care about) that gets rejected is a big deal.

I really don't want any spam in my INBOX, because it appears on my
phone, and thus I sort mail into "ham", "maybe spam", "spam" and
"definitely spam", basically sorting <1 point into inbox, 1-5 into
spam.N folders, with 5+ into spam.5, combined with MTA-level rejection
at 8. This means that every day several messages are sorted into
spam.1 and spam.2 that are technically ham, and I just refile them
when at a computer. The benefit to this is that only a handful of
spam messages land in my inbox every week.

I often add welcomelist or rule tweaks for list senders who score 1-5.
Usually the messages are icky somehow, from an MTA on a BL,
misformatted, etc. Almost always I wouldn't really care if I had missed
them. Real people, real transactional notifications, I add exceptions
for.

This is higher effort, but it serves my dual purposes of not missing ham
and protecting my phone INBOX from spam. But it also gives me insight
into score distribution. 1-2 point ham is pretty normal, and arguably
that folder is 75% ham. The 4-5 folder is about 98% spam.

> Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
> such messages at the SMTP layer, without having to worry about rejecting
> legitimate messages.

My view is that very occasional rejecting of legit mail is much better
than having it buried in a spam folder. I would be very surprised if
rejecting >= 10 caused you real trouble. You just said that you almost
never have ham get scored over 5. So 10 seems like a reasonable step.
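
An added example, not written by anyone in this thread: one way to pick a reject threshold from your own hand-sorted mail rather than from other sites' numbers. It reads the score from SpamAssassin's `X-Spam-Status` header and reports, for the thresholds discussed here, how much ham and spam each would have rejected; the corpus, the function names and the 2-point margin are assumptions made for illustration.

```python
import re

# SpamAssassin verdict header: "X-Spam-Status: Yes, score=12.3 required=5.0 ..."
SCORE_RE = re.compile(r"^X-Spam-Status:[^\n]*?\bscore=(-?\d+(?:\.\d+)?)", re.I | re.M)

def parse_score(headers):
    """Return the SpamAssassin score from a header block, or None if unscored."""
    m = SCORE_RE.search(headers)
    return float(m.group(1)) if m else None

def tradeoff(samples, thresholds):
    """Per reject threshold: (threshold, ham rejected, fraction of spam rejected)."""
    ham = [s for s, is_spam in samples if not is_spam]
    spam = [s for s, is_spam in samples if is_spam]
    rows = []
    for t in thresholds:
        caught = sum(s >= t for s in spam) / len(spam) if spam else 0.0
        rows.append((t, sum(s >= t for s in ham), caught))
    return rows

def lowest_clean_threshold(samples, thresholds, margin=0.0):
    """Lowest candidate sitting more than `margin` points above the top ham score."""
    top_ham = max((s for s, is_spam in samples if not is_spam), default=None)
    for t in sorted(thresholds):
        if top_ham is None or t - margin > top_ham:
            return t
    return None  # every candidate is at or too close to a ham score

# Constructed sample: (stored headers, hand-sorted as spam?). Not real mail.
CORPUS = [
    ("X-Spam-Status: No, score=-1.9 required=5.0", False),
    ("X-Spam-Status: No, score=1.4 required=5.0", False),
    ("X-Spam-Status: Yes, score=6.2 required=5.0", False),  # ham that landed in Junk
    ("X-Spam-Status: No, score=4.6 required=5.0", True),    # spam that reached the inbox
    ("X-Spam-Status: Yes, score=8.3 required=5.0", True),
    ("X-Spam-Status: Yes, score=11.7 required=5.0", True),
    ("X-Spam-Status: Yes, score=21.0 required=5.0", True),
    ("Subject: never scanned", False),                      # no header: skipped
]
SAMPLES = [(parse_score(h), is_spam) for h, is_spam in CORPUS
           if parse_score(h) is not None]
CANDIDATES = [5, 8, 10, 15]  # thresholds mentioned in the thread

if __name__ == "__main__":
    for t, ham_hit, caught in tradeoff(SAMPLES, CANDIDATES):
        print(f"reject >= {t:>2}: {ham_hit} ham rejected, {caught:.0%} of spam rejected")
    print("lowest clean:", lowest_clean_threshold(SAMPLES, CANDIDATES))
    print("with 2-point margin:", lowest_clean_threshold(SAMPLES, CANDIDATES, margin=2.0))
```

The result is only as good as the hand-sorting behind it: a small or unrepresentative corpus gives a threshold that looks clean only because the ham that would have crossed it has not arrived yet.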
Re: Score for certain spam
I manage email for a couple of hundred domains, so a fair bit of stuff
that arrives to my inbox are spam complaints (they're supposed to open
tickets or use the support mailbox but... users). I flag anything over
5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to
the bit bucket. Our support inbox deletes anything over 10.0. Stuff that
scores over 20 arrives on a regular basis but 10 seems to be a decent
threshold for "absolute crap".

I should also mention that we refuse to send anything that scores over
5.0. This has proved useful both in limiting damage from unprotected
contact forms and ... um ... "overzealous" customers.

On 2021-08-17 12:03, David Bürgin wrote:
> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no false
> positives.
>
> The default threshold for spam is 5.0, which works well for me. Only
> very rarely a ham message scores above that and lands in my Junk folder.
> Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then reject
> such messages at the SMTP layer, without having to worry about rejecting
> legitimate messages.
>
> Thank you!

--
For SpamAsassin Users List
Re: Score for certain spam
Alan <spamassassin.twyie@ambitonline.com> writes:

> I manage email for a couple of hundred domains, so a fair bit of stuff
> that arrives to my inbox are spam complaints (they're supposed to open
> tickets or use the support mailbox but... users). I flag anything over
> 5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to
> the bit bucket. Our support inbox deletes anything over 10.0. Stuff
> that scores over 20 arrives on a regular basis but 10 seems to be a
> decent threshold for "absolute crap".

When you talk about 8/10 and bitbucket/delete, are you accepting this
email at the MTA level and then sending it to /dev/null? If so, I
wonder what your thoughts are on the wisdom of that vs rejecting at the
MTA level? In my view, MTA rejection is much better because if there is
a legit sender they get a 550 back, rather than silent discard.
Re: Score for certain spam
On 2021-08-17 18:03, David Bürgin wrote:
> In your experience, what is a good ‘certain spam’ threshold? By that I
> mean the score above which messages are virtually always spam, no false
> positives.

basically all above 5 is spam tagged with default spamassassin, it is so
as long as spamassassin only tags mails, eq spamassassin is not
designed to ever reject any emails

> The default threshold for spam is 5.0, which works well for me. Only
> very rarely a ham message scores above that and lands in my Junk
> folder.
> Would 10.0 be a good ‘certain spam’ threshold? 15.0? I could then
> reject
> such messages at the SMTP layer, without having to worry about
> rejecting
> legitimate messages.

in fuglu i use 15 as reject score, it can be done in spamass-milter
as well, but it's not spamassassin's fault, in many places of score in
spamassassin it's for negative spam -100, and for positive spam +100,
both can be changed scores on so it never reject fp

spammers know default scores so they hope recipients never change it,
spammers want whitelist_from * but in mta stage local recipients is not
envelope senders, so whitelist in spamassassin is still safe to use where
it's needed, but remember don't if not needed

i begin to see to make rules scores safe it must not exist a single
rule with score above 3, but there can be multiple rules to add more
score, this is more safe to do than a single rule with 30+
Re: Score for certain spam
On 2021-08-17 18:53, Greg Troxel wrote:
> Alan <> writes:
>
>> I manage email for a couple of hundred domains, so a fair bit of stuff
>> that arrives to my inbox are spam complaints (they're supposed to open
>> tickets or use the support mailbox but... users). I flag anything over
>> 5.0 as spam, but it still comes to my inbox. Anything over 8.0 goes to
>> the bit bucket. Our support inbox deletes anything over 10.0. Stuff
>> that scores over 20 arrives on a regular basis but 10 seems to be a
>> decent threshold for "absolute crap".
> When you talk about 8/10 and bitbucket/delete, are you accepting this
> email at the MTA level and then sending it to /dev/null? If so, I
> wonder what your thoughts are on the wisdom of that vs rejecting at the
> MTA level? In my view, MTA rejection is much better because if there is
> a legit sender they get a 550 back, rather than silent discard.

It's sent to the bit bucket, not done in the MTA. In this case, each
account can set individual thresholds and has an individual set of local
rules, so that might be why. I'd prefer to 550 them as well, although I
suspect the majority of sources just don't care. Lately the most
insidious stuff has been coming from VPS providers with insufficient
vetting. Every few months I get something like this:

> We are looking to get set up with a Dedicated Server or VPS today with
> a /24. It is to mail, but it's all compliant.
> Can we get set up with you guys?

Invariably they're red flagged multiple times on ROKSO. I'm sure failing
to take 2 minutes to do that check has done significant damage to
website builders who figured they could make some easy money in hosting.

--
For SpamAsassin Users List
Re: Score for certain spam
Alan <spamassassin.twyie@ambitonline.com> writes:

> It's sent to the bit bucket, not done in the MTA. In this case, each
> account can set individual thresholds and has an individual set of
> local rules, so that might be why. I'd prefer to 550 them as well,
> although I suspect the majority of sources just don't care. Lately the
> most insidious stuff has been coming from VPS providers with
> insufficient vetting.

For actual spam, it doesn't matter if you /dev/null or 550 them.

My point -- to the list, not really so much to you since I realize you
have your own reasons -- was that there is a possibility of a legit
sender's message hitting the threshold, and for that message, it is much
better to 550 than /dev/null so they can figure it out. It's only for
that very rare legit mail that it matters, in my view, but there it's
important.


Thus, I have a setup to MTA-reject at 8 and everything that makes it
through that gets filed, in INBOX if low enough, and in a spam folder
if not.
Re: Score for certain spam
Greg Troxel wrote:
>
> Alan <spamassassin.twyie@ambitonline.com> writes:
>
>> It's sent to the bit bucket, not done in the MTA. In this case, each
>> account can set individual thresholds and has an individual set of
>> local rules, so that might be why. I'd prefer to 550 them as well,
>> although I suspect the majority of sources just don't care. Lately the
>> most insidious stuff has been coming from VPS providers with
>> insufficient vetting.
>
> For actual spam, it doesn't matter if you /dev/null or 550 them.
>
> My point -- to the list, not really so much to you since I realize you
> have your own reasons -- was that there is a possibility of a legit
> sender's message hitting the threshold, and for that message, it is much
> better to 550 than /dev/null so they can figure it out. It's only for
> that very rare legit mail that it matters, in my view, but there it's
> important.

*nod* At least the sender knows something has gone wrong.

Unfortunately, the weakness in this is that the *recipient* then has to
magically figure out that their mail provider has - for whatever reason
- rejected an email that they probably wanted. If you're lucky the
sender has a clue, and will use this fancy device known as a
"tel-e-phone" to (gasp! shock!) *talk to* the recipient to let them
know, who can then complain to *their* mail provider about blocking mail
that shouldn't have been blocked.

Often you're not that lucky. I've wasted a fair bit of time going
around in circles on this from the sender's side:

Us: "We don't *know* exactly why this was rejected, you'll have to
contact the sender some other way and get them to check with their mail
provider."

Sender: "But your server sent it back to me! Fix it!"

Us: "We don't *know* exactly why this was rejected, you'll have to
contact the sender some other way and get them to check with their mail
provider."

Sender: "But your server sent it back to me! Fix it!"

(repeat until the concept gets through - some cases I'm trying to
repress memory of went more than five rounds of trying to find a new way
to say the same thing over and over AND OVER.)

We naturally ask to take a look at the original message if possible and
make some guesses as to what's getting up the recipient filter's nose...
but in the end they *are* just guesses, and sometimes even a mostly
blank test email also gets rejected.

-kgd