On Tue, 15 Dec 2015, Kevin A. McGrail wrote:
I don't know enough about real-world usage to comment intelligently. But I
will say that a negative score just because something is encrypted will
likely have a pretty negative impact. It assumes no ham ever hits that rule.

That's exactly backwards. I'm assuming a spammer will never encrypt their
email because that makes it less likely their content will be seen by the
target, so *only* (or at least overwhelmingly) ham will hit that rule.

I don't think it should have a score less than -1, though. This is
intended as an offset, not a whitelist.

However, signed UNencrypted email might also use that MIME type, and the
MUA might fail-useable and display the body of an improperly-formatted
(e.g. no signature block at all) message of that MIME type, or one that
has a signature block but fails verification, so that assumption might
very well be flawed - there might be no downside to the spammer to sending
out fake-signed mails.

Perhaps a meta?

So far there's only been a complaint about FPs on encrypted emails from
Facebook. I've already added __CT_ENCRYPTED as a FP exclusion to some
rules (e.g. the one that scores for no textual MIME parts at all) based on
that. I was hoping we could avoid (or at least reduce the instances of) a
large class of FPs by doing a broad ENCRYPTED_MESSAGE nice rule rather
than playing reactive whack-a-mole if we get more reports of specific FPs
on encrypted content.

On 12/14/2015 3:32 PM, John Hardin wrote:
All:

Any objection to promoting __CT_ENCRYPTED and ENCRYPTED_MESSAGE out of the
sandbox to permanent rules, and giving ENCRYPTED_MESSAGE a negative (nice)
score (say, -1)?

I think that's fairly safe to do, as I doubt a spammer would impose the
overhead of decryption on their victims, and I'm not sure exactly how well
sandbox+masscheck works for "nice" rules.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
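
The concern raised in the thread, that a message can claim an "encrypted" MIME type without actually being encrypted, can be tested structurally. The following is an added example, not part of the original thread and not SpamAssassin's rule code; the function names and sample messages are constructed for illustration, and it assumes RFC 3156 PGP/MIME and S/MIME `smime-type` conventions.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

ARMOR = "-----BEGIN PGP MESSAGE-----"

def _param(msg, name):
    """Content-Type parameter, lowercased; '' when absent."""
    value = msg.get_param(name)
    return collapse_rfc2231_value(value).lower() if value else ""

def is_really_encrypted(raw):
    """True only when the MIME structure matches an encrypted container,
    not merely when the Content-Type header claims one."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        # RFC 3156 PGP/MIME: protocol parameter plus exactly two parts,
        # a control part and an octet-stream carrying the armored data.
        parts = msg.get_payload() if msg.is_multipart() else []
        if _param(msg, "protocol") != "application/pgp-encrypted" or len(parts) != 2:
            return False
        control, data = parts
        return (control.get_content_type() == "application/pgp-encrypted"
                and data.get_content_type() == "application/octet-stream"
                and not data.is_multipart()
                and ARMOR in data.get_payload())
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME reuses this type for signed-only mail (smime-type=signed-data);
        # only enveloped-data is encryption.
        return _param(msg, "smime-type") == "enveloped-data"
    return False

def _pgp_sample(second_type, second_body):
    # Constructed sample message, not real mail.
    return ('Content-Type: multipart/encrypted; boundary="b1"; protocol="application/pgp-encrypted"\n\n'
            '--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n'
            f'--b1\nContent-Type: {second_type}\n\n{second_body}\n--b1--\n')

GENUINE = _pgp_sample("application/octet-stream", ARMOR + "\n(placeholder)\n-----END PGP MESSAGE-----")
FAKE = _pgp_sample("text/html", "<p>constructed readable body</p>")
SMIME_SIGNED = "Content-Type: application/pkcs7-mime; smime-type=signed-data\n\nAAAA\n"
SMIME_ENVELOPED = "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\n\nAAAA\n"

if __name__ == "__main__":
    for name in ("GENUINE", "FAKE", "SMIME_SIGNED", "SMIME_ENVELOPED"):
        print(name, is_really_encrypted(globals()[name]))
```

A check like this only confirms the container's shape; it cannot tell whether the ciphertext is decryptable, so it fits an offsetting score better than a whitelist.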