Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread Jens Schleusener

On Sun, 19 Nov 2017, Bill Cole wrote:

> On 19 Nov 2017, at 17:11 (-0500), Mark London wrote:
>
>> Also, 5 consonants in a row, is unlikely.
>
> Well, F. W. Nietzsche never had kids, but I don't think the surname is 
> extinct. I'm aware of multiple people with the surname Pietschmann. There is 
> also a common practice of using a first initial and surname as a username and 
> many Germanic surnames starting with sch[mlr], so I expect that 5 consonants 
> in an email address local-part where 'sch' are the middle 3 characters are 
> quite common.

Although not used currently I had formerly such an assigned account name 
(jschleus). Since I think the avoiding of FPs should take priority over 
that of FNs I "vote" for omitting the "s".


Maybe it would be a "compromise" to add another regex with at least the 
"s" included but 6 required consonants like


 [bcdfgjklmnpqrstvwxz]{6}

Jens


Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread Markus Clardy
Why not just have it be a meta test that doesn't trigger if it contains
"sch"? I realize that cuts out things like tjmkln...@fakeemail.com, but it
would catch tsjmhw...@fakeemail.com, so maybe a bit better in both catch
rate and false positives?

On Mon, Nov 20, 2017 at 8:03 AM, Jens Schleusener <jens.schleuse...@t-online.de> wrote:

> On Sun, 19 Nov 2017, Bill Cole wrote:
>
>> On 19 Nov 2017, at 17:11 (-0500), Mark London wrote:
>>
>>> Also, 5 consonants in a row, is unlikely.
>>
>> Well, F. W. Nietzsche never had kids, but I don't think the surname is
>> extinct. I'm aware of multiple people with the surname Pietschmann. There
>> is also a common practice of using a first initial and surname as a
>> username and many Germanic surnames starting with sch[mlr], so I expect
>> that 5 consonants in an email address local-part where 'sch' are the middle
>> 3 characters are quite common.
>
> Although not used currently I had formerly such an assigned account name
> (jschleus). Since I think the avoiding of FPs should take priority over
> that of FNs I "vote" for omitting the "s".
>
> Maybe it would be a "compromise" to add another regex with at least the
> "s" included but 6 required consonants like
>
>  [bcdfgjklmnpqrstvwxz]{6}
>
> Jens
>



-- 
 - Markus


Understanding SPF-verified spam from dropbox

2017-11-20 Thread Alex
Hi, we have an email that originated from email.dropbox.com and has a
link to https://hyzas.xss.ht/ which is a "payload to test for
Cross-site Scripting" from the XSS Hunter Team.

Was it sent in error? How was it sent? I know what XSS is and how it
can be used, but this was reported as malicious, not from a security
professional.

https://pastebin.com/8Q7ZPRQ6


Re: Understanding SPF-verified spam from dropbox

2017-11-20 Thread Axb

On 11/20/2017 06:26 PM, Alex wrote:

> Hi, we have an email that originated from email.dropbox.com and has a
> link to https://hyzas.xss.ht/ which is a "payload to test for
> Cross-site Scripting" from the XSS Hunter Team.
>
> Was it sent in error? How was it sent? I know what XSS is and how it
> can be used, but this was reported as malicious, not from a security
> professional.
>
> https://pastebin.com/8Q7ZPRQ6


And how is this related to SA?
Maybe you should ask the ppl involved: dropbox.com / testalways.com




Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread John Hardin

On Mon, 20 Nov 2017, Markus Clardy wrote:

> Why not just have it be a meta test that doesn't trigger if it contains
> "sch"? I realize that cuts out things like tjmkln...@fakeemail.com, but it
> would catch tsjmhw...@fakeemail.com, so maybe a bit better in both catch
> rate and false positives?


Better: /sch[a-z]/ so that it would catch tjmkln...@fakeemail.com


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  I would buy a Mac today if I was not working at Microsoft.
  -- James Allchin, Microsoft VP of Platforms
---
 235 days since the first commercial re-flight of an orbital booster (SpaceX)


Re: Understanding SPF-verified spam from dropbox

2017-11-20 Thread Alex
On Mon, Nov 20, 2017 at 12:58 PM, Axb wrote:
> On 11/20/2017 06:26 PM, Alex wrote:
>>
>> Hi, we have an email that originated from email.dropbox.com and has a
>> link to https://hyzas.xss.ht/ which is a "payload to test for
>> Cross-site Scripting" from the XSS Hunter Team.
>>
>> Was it sent in error? How was it sent? I know what XSS is and how it
>> can be used, but this was reported as malicious, not from a security
>> professional.
>>
>> https://pastebin.com/8Q7ZPRQ6
>
>
> And how is this related to SA?
> Maybe you should ask the ppl involved: dropbox.com / testalways.com

I wasn't sure if it wasn't just a case where someone was using the
dropbox service to send spam (in which case a backup mechanism in the
form of a SA rule might be helpful), or if it was some dropbox admin
who made a mistake, etc. It's just an odd email.


Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread Jens Schleusener

On Mon, 20 Nov 2017, John Hardin wrote:

> On Mon, 20 Nov 2017, Markus Clardy wrote:
>
>> Why not just have it be a meta test that doesn't trigger if it contains
>> "sch"? I realize that cuts out things like tjmkln...@fakeemail.com, but it
>> would catch tsjmhw...@fakeemail.com, so maybe a bit better in both catch
>> rate and false positives?
>
> Better: /sch[a-z]/ so that it would catch tjmkln...@fakeemail.com

Ok, if the "s" was only omitted to avoid FPs for addresses containing the 
string "sch" (German typical) that seems the better solution compared to 
my suggestion.


Jens
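The thread above weighs four variants of a consonant-run check: a run of 5 with "s" left out of the class, Jens' run of 6 with "s" kept, Markus' run of 5 suppressed by any "sch", and John Hardin's run of 5 suppressed only by /sch[a-z]/. The following script is an added example (not code from the thread or from the SpamAssassin rule set) that runs all four over a handful of constructed local-parts and counts false positives and false negatives for each. The actual HK_RANDOM_FROM regex is not quoted in the thread, so its character classes are an assumption here (every consonant except "y", with and without "s"); "jschleus" and "pietschmann" come from the thread, the other sample local-parts are made up for the comparison.

```python
import re

# Assumed character classes (the real HK_RANDOM_FROM regex is not in the thread):
# every consonant except "y", once with the letter "s" and once without it.
CONSONANTS_WITH_S = "bcdfghjklmnpqrstvwxz"
CONSONANTS_NO_S = CONSONANTS_WITH_S.replace("s", "")

RUN5_NO_S = re.compile(f"[{CONSONANTS_NO_S}]{{5}}")     # 5 consonants, "s" omitted
RUN5_WITH_S = re.compile(f"[{CONSONANTS_WITH_S}]{{5}}")  # 5 consonants, "s" kept
RUN6_WITH_S = re.compile(f"[{CONSONANTS_WITH_S}]{{6}}")  # Jens' compromise: "s" kept, 6 required
SCH_ANYWHERE = re.compile("sch")                         # Markus' exclusion: any "sch"
SCH_PLUS_LETTER = re.compile("sch[a-z]")                 # John Hardin's exclusion: /sch[a-z]/

# Constructed samples: (local-part, True if it is meant to look like a random string).
SAMPLES = [
    ("jschleus", False),     # initial + surname with "schl" in the middle (from the thread)
    ("pietschmann", False),  # surname with "schm" (from the thread)
    ("fnietzsche", False),   # constructed: initial + surname ending in "sche"
    ("john.smith", False),   # constructed: ordinary name, no long consonant run
    ("tjmklnxq", True),      # constructed random string without any "s"
    ("tsjmwk", True),        # constructed random string; the "s" splits the run if "s" is excluded
    ("tkwpsch", True),       # constructed random string that happens to end in "sch"
    ("xkqtp", True),         # constructed random string of exactly 5 consonants
]


def classify(local_part):
    """Return, per variant, whether that rule would fire on the local-part."""
    lp = local_part.lower()
    five_with_s = bool(RUN5_WITH_S.search(lp))
    return {
        "run5_no_s": bool(RUN5_NO_S.search(lp)),
        "run6_with_s": bool(RUN6_WITH_S.search(lp)),
        # meta-style variants: the 5-run fires unless the exclusion pattern matches
        "run5_unless_sch": five_with_s and not SCH_ANYWHERE.search(lp),
        "run5_unless_sch_letter": five_with_s and not SCH_PLUS_LETTER.search(lp),
    }


def summarize(samples=SAMPLES):
    """Count false positives (fires on a real name) and false negatives
    (misses a random string) for each variant over the sample set."""
    totals = {}
    for local_part, is_random in samples:
        for variant, fired in classify(local_part).items():
            t = totals.setdefault(variant, {"fp": 0, "fn": 0})
            if fired and not is_random:
                t["fp"] += 1
            elif not fired and is_random:
                t["fn"] += 1
    return totals


if __name__ == "__main__":
    for local_part, is_random in SAMPLES:
        hits = [v for v, fired in classify(local_part).items() if fired]
        print(f"{local_part:12} {'random' if is_random else 'name':6} fires: {hits}")
    for variant, t in summarize().items():
        print(f"{variant:24} FP={t['fp']} FN={t['fn']}")
```

On this sample set none of the variants fires on the name-like local-parts, but the "s"-omitted run misses both random strings that contain an "s", the 6-run misses the 5-consonant random string, and the plain "sch" exclusion misses the random string ending in "sch", which is exactly the case /sch[a-z]/ still catches.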


NOTE: Warning to Abusers of Update Servers

2017-11-20 Thread Kevin A. McGrail

All,

If you are checking the SpamAssassin updates more than 2x a day, expect 
to be blocked in the very near future.  We have people checking 
literally every minute and we only release rules currently 1x per day.  
There is no need to check this often!


Regards,

KAM

--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project