by
lr » Fri Sep 13, 2013 12:03 pm
I've been fighting spam this week a little bit too. In my case, it started pretty suddenly a few months ago, when my e-mail was widely distributed (because I was involved in a political campaign, so it's all good).
You can try incrementing the FB_PENIS_GROWTH rule. I haven't found the exact list of words it triggers on, but it might help.
A lot of the SPAM messages (which don't get diverted into greymail) have scores of 0 or just a little bit (the 1.5 you report is typical). That just means that spammers have figured out spamassassin well enough, and are fast enough to beat the various blacklists.
Now consider this. Even if there was a spamassassin test that triggers on the single word "enlarge", it would have to contribute at least 3.5 (better over 5) to reliably knock these messages into greymail. But that would mean that all good messages that happen to have that word in them also go into greymail. That could be from her contractor, describing how he is going to enlarge the kitchen cabinets, or the monthly statement from the bank, if they mention that they're about to enlarge their ATM network. You could do that, but it would mean that your client would have to start religiously checking greymail for good mail too, and occasionally move messages from greymail and whitelist them. And I bet that the FB_PENIS_GROWTH rule casts an even wider net. Do you want all the e-mail from her stock portfolio that mention a "growth and income fund" to go into greymail?
You could also increment the FB_PENIS_GROWTH rule just to 1 or 2. Then it alone wouldn't be enough to get rid of messages (and hopefully messages from stock brokers, bank, and contractor survive), but in combination with a few others (like HTML only, remote images, blacklisted domains, blacklisted URIs, each of which contribute 1 or 2) it might be enough to get rid of a few messages.
These days, I'm not optimistic about catching 100% of the spam; we all probably have to live with a handful messages per day.
