Re: vbounce and out of office messages
From: Kai Schaetzl
Date: Sun, 01 Feb 2009 17:40:00 +0100

Jeff Mincy wrote on Sun, 1 Feb 2009 10:01:49 -0500:

> I use vbounce rules to detect bounce messages that were missed by
> various procmail filtering rules. Any message identified as a bounce
> is processed and delivered differently in procmail rules. So, any
> vbounce FP is rather painful.

No, it is not, unless you score these rules too high or unless you use the single rules for triggering other actions. That's what SA is all about: scoring.

...

Huh? You don't want bounces to be processed as regular spam. If you train bayes on bounces then you are training bayes to detect bounces and pretty soon SpamAssassin will detect all bounces, including valid bounces as spam. This comment is taken from the 20_vbounce.cf file:

# If you use this, set up procmail or your mail app to spot the
# "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move
# messages that match that to a 'vbounce' folder.

...

If you try to (mis-)use it in other ways problems are to be expected. That's not the fault of the vbounce rules.

The purpose of 20_vbounce is to detect and identify bounces so that you may process bounce messages differently. So I disagree, any FP in the vbounce rules is the fault of vbounce rules and prevents these rules from being used as designed.

AFAIK, the default score for the all BOUNCE rules is 0.1

Right. If you aren't going to use the vbounce rules for extra processing then there really isn't any point in running the rules. The low default score pretty much guarantees that message classification will not change one way or the other.

-jeff
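
Added example (not part of the thread and not SpamAssassin or procmail code): one way to act on the 20_vbounce.cf comment quoted above, written in Python rather than procmail, that matches ANY_BOUNCE_MESSAGE as an exact rule name in a possibly folded X-Spam-Status header. The sample messages, the folder names and the LOCAL_MANY_BOUNCE_MESSAGES rule name are constructed for illustration.

```python
import email
import re

# Constructed sample messages (not from the thread). The header layout follows
# the usual "X-Spam-Status: <Yes|No>, score=... tests=A,B,C ..." form.
BOUNCE_SAMPLE = (
    "From: MAILER-DAEMON@mx.example.net\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    "X-Spam-Status: No, score=0.2 required=5.0 tests=ANY_BOUNCE_MESSAGE,\n"
    "\tBOUNCE_MESSAGE,NO_RELAYS autolearn=no version=3.2.5\n"
    "\n"
    "delivery failed\n"
)
# LOCAL_MANY_BOUNCE_MESSAGES is a hypothetical local rule whose name merely
# contains the string "ANY_BOUNCE_MESSAGE"; a substring match would misroute it.
ORDINARY_SAMPLE = (
    "From: alice@example.org\n"
    "Subject: PO next week\n"
    "X-Spam-Status: No, score=-1.0 required=5.0 tests=BAYES_00,\n"
    "\tLOCAL_MANY_BOUNCE_MESSAGES autolearn=ham version=3.2.5\n"
    "\n"
    "We will be sending a PO over.\n"
)

RULE_LIST = re.compile(r"\btests=([A-Za-z0-9_]+(?:,\s*[A-Za-z0-9_]+)*)")


def spam_status_tests(raw_message):
    """Return the set of rule names listed after tests= in X-Spam-Status."""
    msg = email.message_from_string(raw_message)
    status = msg.get("X-Spam-Status", "")
    # Undo header folding: a long rule list is wrapped onto continuation lines.
    status = re.sub(r"\r?\n[ \t]+", " ", status)
    match = RULE_LIST.search(status)
    if not match:
        return set()
    names = re.split(r",\s*", match.group(1))
    return {name for name in names if name != "none"}


def choose_folder(raw_message, bounce_rule="ANY_BOUNCE_MESSAGE"):
    """Pick a delivery folder; 'vbounce' only on an exact rule-name hit."""
    return "vbounce" if bounce_rule in spam_status_tests(raw_message) else "inbox"
```

Because the decision hangs on a single rule hit rather than on the score, a false positive in any sub-rule feeding ANY_BOUNCE_MESSAGE changes delivery directly, which is the concern raised in the message above.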
Re: vbounce and out of office messages
Jeff Mincy wrote on Sun, 1 Feb 2009 10:01:49 -0500:

> I use vbounce rules to detect bounce messages that were missed by
> various procmail filtering rules. Any message identified as a bounce
> is processed and delivered differently in procmail rules. So, any
> vbounce FP is rather painful.

No, it is not, unless you score these rules too high or unless you use the single rules for triggering other actions. That's what SA is all about: scoring.

If you try to (mis-)use it in other ways problems are to be expected. That's not the fault of the vbounce rules.

AFAIK, the default score for the all BOUNCE rules is 0.1

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: vbounce and out of office messages
From: Kai Schaetzl
Date: Sun, 01 Feb 2009 14:31:17 +0100

Karsten Bräckelmann wrote on Fri, 30 Jan 2009 19:42:16 +0100:

> FWIW, and to make Michael happy, I just caught one today -- hit another
> rule, __BOUNCE_OOO_3. Sadly, it also hit __BOUNCE_AUTO_REPLY. So there's
> more to disable...

why? Why disable a rule because of a few FPs? If that rule isn't scored in any way that makes it a threat that is perfectly acceptable. It's the overall behavior of a rule that makes it worth or not worth using it, not a few FPs. Nobody, at least not me, expects these rules to be free of FPs.

I use vbounce rules to detect bounce messages that were missed by various procmail filtering rules. Any message identified as a bounce is processed and delivered differently in procmail rules. So, any vbounce FP is rather painful.

If you aren't doing anything special delivering bounce messages then a FP in this rule wouldn't matter very much.

-jeff
Re: vbounce and out of office messages
Karsten Bräckelmann wrote on Fri, 30 Jan 2009 19:42:16 +0100:

> FWIW, and to make Michael happy, I just caught one today -- hit another
> rule, __BOUNCE_OOO_3. Sadly, it also hit __BOUNCE_AUTO_REPLY. So there's
> more to disable...

why? Why disable a rule because of a few FPs? If that rule isn't scored in any way that makes it a threat that is perfectly acceptable. It's the overall behavior of a rule that makes it worth or not worth using it, not a few FPs. Nobody, at least not me, expects these rules to be free of FPs.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: vbounce and out of office messages
On Fri, 2009-01-30 at 13:12 -0500, sa-li...@techsuperpowers.com wrote:
> On Jan 29, 2009, at 9:47 AM, Michael Scheidell wrote:
>
> > maybe it's just me, but was there really an issue with out of office
> > messages?
> > (except in this mailing list :-)

> i noticed the same thing when we first started using vbounce; i just
> edited the rule to allow that language through (specifically, as best
> i can recall, anyway, i disabled the OOO checks, but left the rest
> alone.)
>
> i'm not sure i'd recommend it, since any upgrade will replace the
> edited file; but i keep a copy of my edits in a safe place, and it

Hmm, exactly the reason for my earlier post about "disabling the sub rules"...

> works for us. since then we've had almost no backscatter complaints
> from our users, but OOOs come through just fine.

Rather than messing with *any* file that will be overwritten by sa-update, you should just disable the (sub-)tests. It is generally strongly advised against editing the stock rules directly -- for the reason you mentioned. :)

  meta __BOUNCE_OOO_1 0

Just as an example. You should do the same in local.cf with any rules you disabled locally by editing the stock rules.

FWIW, and to make Michael happy, I just caught one today -- hit another rule, __BOUNCE_OOO_3. Sadly, it also hit __BOUNCE_AUTO_REPLY. So there's more to disable...

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: vbounce and out of office messages
On Jan 29, 2009, at 9:47 AM, Michael Scheidell wrote:

maybe it's just me, but was there really an issue with out of office messages?
(except in this mailing list :-)

[ snip]

Report:

Hi Brian, Thank you for getting this to us so quickly! We will be sending a PO over within the next couple of days. It was good to meet you to. If you try to get me next week,

Content Filter Analysis Details: (0.0 points)

pts rule name description
-- --
_SUMMARY_
Subtests Hit: __BOUNCE_OOO_1

i noticed the same thing when we first started using vbounce; i just edited the rule to allow that language through (specifically, as best i can recall, anyway, i disabled the OOO checks, but left the rest alone.)

i'm not sure i'd recommend it, since any upgrade will replace the edited file; but i keep a copy of my edits in a safe place, and it works for us. since then we've had almost no backscatter complaints from our users, but OOOs come through just fine.

ymmv, naturally.

hope this helps,
-john.
Re: vbounce and out of office messages
On Thu, 2009-01-29 at 11:38 -0500, Michael Scheidell wrote:
> Karsten Bräckelmann wrote:
> > On Thu, 2009-01-29 at 09:47 -0500, Michael Scheidell wrote:
> > > just take out __BOUNCE_OOO_1. it's too common in normal emails.
> >
> > Can't you just overwrite this one in local.cf? :)
>
> yes, if I thought it was a 'local' problem only affecting me... that
> is why I posted to list. to see if it's a common problem.

Ah, yeah, that was merely meant as a quick hint for the records how to work around it -- in case someone else who has the same problem reads this. :)

Haven't had a close look at the bounces in a while, so I can't say much about my corpus. However, by a quick glimpse I don't get many of these. Most of my OoO notices seem to slip by that VBounce rule.

Also, Justin now removed the offending sub-test from VBounce in trunk due to repeated FP reports. RESOLVED FIXED. :)

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: vbounce and out of office messages
it might be worth splitting out a new type of bounce rule -- "OOO_BOUNCE" which matches only OOO messages. if you make a patch I may consider it ;)

--j.

On Thu, Jan 29, 2009 at 16:38, Michael Scheidell wrote:
>
> Karsten Bräckelmann wrote:
>
> On Thu, 2009-01-29 at 09:47 -0500, Michael Scheidell wrote:
>
> just take out __BOUNCE_OOO_1. it's too common in normal emails.
>
> Can't you just overwrite this one in local.cf? :)
>
> yes, if I thought it was a 'local' problem only affecting me... that is why
> I posted to list. to see if it's a common problem.
>
> --
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> SECNAP Network Security Corporation
>
> Certified SNORT Integrator
> King of Spam Filters, SC Magazine 2008
> Information Security Award 2008, Info Security Products Guide
> CRN Magazine Top 40 Emerging Security Vendors
> Finalist 2009 Network Products Guide Hot Companies
>
> This email has been scanned and certified safe by SpammerTrap(R).
> For Information please see www.secnap.com/products/spammertrap/
Re: vbounce and out of office messages
Karsten Bräckelmann wrote:

On Thu, 2009-01-29 at 09:47 -0500, Michael Scheidell wrote:

just take out __BOUNCE_OOO_1. it's too common in normal emails.

Can't you just overwrite this one in local.cf? :)

yes, if I thought it was a 'local' problem only affecting me... that is why I posted to list. to see if it's a common problem.

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors
* Finalist 2009 Network Products Guide Hot Companies

This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
Re: vbounce and out of office messages
On Thu, 2009-01-29 at 09:47 -0500, Michael Scheidell wrote:
> maybe it's just me, but was there really an issue with out of office
> messages?
> (except in this mailing list :-)
> etc. I am going to enter a bugzilla to eliminate this rule
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6053

And from your bug report:

> just take out __BOUNCE_OOO_1. it's too common in normal emails.

Can't you just overwrite this one in local.cf? :)

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}