Re: speaking of the new FH_HOST_EQ_D_D_D_D tests...

2007-05-31 Thread Justin Mason

Jason Haar writes:
> We are getting heaps of false positives off these rules - ironically
> mainly from our IT services dealers/sellers/etc.
> 
> Since upgrading from SA-3.1* to 3.2.0, we have discovered that it
> appears most small New Zealand businesses run mail servers on DSL links
> with PTR records of the format "NN-NN-NN-NN.isp.carrier.nz". Hence they
> end up with 2.2 points
> (FH_HOST_EQ_D_D_D_D,FH_HOST_EQ_D_D_D_DB,RDNS_DYNAMIC) added without any
> real effort. That plus their sputty HTML mails pushes them into the 5-7
> range.
> 
> I know SA isn't really doing anything wrong, but are people in other
> countries seeing this too? If so, it may imply the default scores are
> too high?

Well, FH_HOST_EQ_D_D_D_D is the main issue I'd say, since it has the
higher FPs and a much more significant score:

  score FH_HOST_EQ_D_D_D_D 2.599 1.992 1.692 1.212 # n=2
  score FH_HOST_EQ_D_D_D_DB 0.102 0.095 0.055 0.223 # n=2

  # OVERALL%  SPAM%    HAM%    S/O    RANK  SCORE  NAME
  STATISTICS-set3.txt:  7.010  10.9120   0.1316   0.988   0.64   0.22  FH_HOST_EQ_D_D_D_DB
  STATISTICS-set3.txt: 20.447  31.7873   0.4565   0.986   0.58   1.21  FH_HOST_EQ_D_D_D_D

Since they overlap heavily with RDNS_DYNAMIC, perhaps we should consider
reducing/zeroing one or both scores for 3.2.1.  Could you open a bug?

--j.

> Obviously I'm going to have to lower those scores to compensate - I bet
> more spam will come through too :-(  
> 
> -- 
> Cheers
> 
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: speaking of the new FH_HOST_EQ_D_D_D_D tests...

2007-05-31 Thread Per Jessen
Jason Haar wrote:

> Since upgrading from SA-3.1* to 3.2.0, we have discovered that it
> appears most small New Zealand businesses run mail servers on DSL
> links with PTR records of the format "NN-NN-NN-NN.isp.carrier.nz".
> Hence they end up with 2.2 points
> (FH_HOST_EQ_D_D_D_D,FH_HOST_EQ_D_D_D_DB,RDNS_DYNAMIC) added without
> any real effort. That plus their sputty HTML mails pushes them into
> the 5-7 range.
> 
> I know SA isn't really doing anything wrong, but are people in other
> countries seeing this too? If so, it may imply the default scores are
> too high?

I'm not using those particular rules, but the mail-server setup you
describe is fairly typical - and still wrong.  They need to ask the
provider for a proper reverse DNS entry, or use the provider's
SMTP server as a relay.


/Per Jessen, Zürich
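The check a mail admin would run on a sending host before deciding whether the PTR is the problem, as an added example that is not part of this thread and not SpamAssassin's own code. The numeric-PTR pattern it uses is an assumption standing in for whatever regex FH_HOST_EQ_D_D_D_D actually applies, and the DNS data is a constructed in-memory table (RFC 5737 test addresses, example.nz names) so it runs offline; the 203.0.113.45 entry mirrors the NN-NN-NN-NN.isp.carrier.nz setup described above, which passes forward-confirmed rDNS yet still looks generic.

```python
"""Classify a sending host's reverse DNS as a mail admin triaging
false positives would.  Added example: the pattern below is an assumption,
not the real FH_HOST_EQ_D_D_D_D regex, and all DNS data is constructed."""
import re

# Assumption: a "generic" PTR begins with four numeric groups separated
# by '-' or '.', e.g. 203-0-113-45.dsl.example.nz.  Not the rule's regex.
GENERIC_PTR_RE = re.compile(
    r"^(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.]"
)

# Constructed reverse-DNS data (RFC 5737 TEST-NET-3, example.nz names).
PTR_TABLE = {
    "203.0.113.45": "203-0-113-45.dsl.example.nz",  # octets in order
    "203.0.113.46": "46-113-0-203.dsl.example.nz",  # octets reversed
    "203.0.113.47": "mail.smallbiz.example.nz",     # proper hostname
    # 203.0.113.48 deliberately has no PTR at all
}

# Constructed forward-DNS data for the names above.
A_TABLE = {
    "203-0-113-45.dsl.example.nz": ["203.0.113.45"],
    "46-113-0-203.dsl.example.nz": ["203.0.113.99"],  # forward mismatch
    "mail.smallbiz.example.nz": ["203.0.113.47"],
}


def lookup_ptr(ip):
    """Offline stand-in for a PTR query; returns None when no record."""
    return PTR_TABLE.get(ip)


def lookup_a(name):
    """Offline stand-in for an A query; returns [] when no record."""
    return A_TABLE.get(name, [])


def ptr_embeds_ip(ptr, ip):
    """True if the PTR's leading numeric groups spell out the IP,
    in either octet order (ISPs use both conventions)."""
    m = GENERIC_PTR_RE.match(ptr.lower())
    if not m:
        return False
    groups = [int(g) for g in m.groups()]
    octets = [int(o) for o in ip.split(".")]
    return groups == octets or groups == octets[::-1]


def classify_rdns(ip, ptr_lookup=lookup_ptr, a_lookup=lookup_a):
    """Return one of:
       no_ptr            - no reverse record at all
       generic_fcrdns    - IP-encoded PTR that does forward-confirm
       generic_no_fcrdns - IP-encoded PTR that does not forward-confirm
       ptr_no_fcrdns     - real-looking name, but forward does not match
       proper            - real-looking name with forward confirmation
    The lookup callables are injectable so the real resolver can be used."""
    ptr = ptr_lookup(ip)
    if not ptr:
        return "no_ptr"
    fcrdns = ip in a_lookup(ptr)
    if ptr_embeds_ip(ptr, ip):
        return "generic_fcrdns" if fcrdns else "generic_no_fcrdns"
    return "proper" if fcrdns else "ptr_no_fcrdns"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "203.0.113.46", "203.0.113.47", "203.0.113.48"):
        print(ip, lookup_ptr(ip), classify_rdns(ip))
```

To run it against live DNS, pass wrappers around socket.gethostbyaddr and socket.gethostbyname_ex as ptr_lookup and a_lookup; anything classified generic_* is a host whose operator should ask the ISP for a real PTR or relay through the ISP's server, exactly the remedy suggested above.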



speaking of the new FH_HOST_EQ_D_D_D_D tests...

2007-05-30 Thread Jason Haar
We are getting heaps of false positives off these rules - ironically
mainly from our IT services dealers/sellers/etc.

Since upgrading from SA-3.1* to 3.2.0, we have discovered that it
appears most small New Zealand businesses run mail servers on DSL links
with PTR records of the format "NN-NN-NN-NN.isp.carrier.nz". Hence they
end up with 2.2 points
(FH_HOST_EQ_D_D_D_D,FH_HOST_EQ_D_D_D_DB,RDNS_DYNAMIC) added without any
real effort. That plus their sputty HTML mails pushes them into the 5-7
range.

I know SA isn't really doing anything wrong, but are people in other
countries seeing this too? If so, it may imply the default scores are
too high?

Obviously I'm going to have to lower those scores to compensate - I bet
more spam will come through too :-(  

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1