Re: mystery score definition
On Thu, May 11, 2023 at 11:21:20AM -0400, Greg Troxel wrote:
> But is it good practice for the main distributed rules to rely on this
> default? It feels like a lint/pedantic error to define a rule that is
> not T_ or __ and does not have an assigned score. But maybe this is
> common and normal.

It's common and normal.

> That says scores in () are relative to the "already set score". So
> technically this is not a failure to follow docs, in that no score is
> set. But it seems unhelpful to users not to be able to see
>
> FOO_RULE1
>
> in a report and to decide they like that rule and do
>
> score FOO_RULE (1)

From what I've seen, it's very uncommon to use this format. Why rely on
some vague previously defined score, which can change at any time? Just
set a static score you like and that fits your system.

> So maybe that (n) expression should be ok with the implicit 1.

Parser processes config files and lines in order; it's not possible to
know in advance if the static rule score referred to would actually be
defined at a later stage. It would require lots of logic changes.
Re: mystery score definition
Try something like this, if I understand you correctly that what you're
trying to score is a __ rule:

meta OBFU_UNSUB_UL ( __OBFU_UNSUB_UL >=1 )

There are plenty of rules that are designed to be conditions in other
meta rules. Now that you've created a rule that relies on that condition
you can score the meta rule and describe it how you feel best.

On Thu, May 11, 2023, 11:21 Greg Troxel wrote:
> Matus UHLAR - fantomas writes:
>
> > On 11.05.23 10:58, Greg Troxel wrote:
> >>I am seeing a lot of "claim your prize from X", where X is a known
> >>company, coming from fresh foo.autos domains. I bet y'all are seeing
> >>this too. Until these get on blocklists they don't score that high.
> >>
> >>One rule that does hit is
> >>
> >> OBFU_UNSUB_UL
> >>
> >>which is defined in 72_active.cf as meta, and does not seem to have a
> >>score defined.
> >>
> >>I put in local.cf (not knowing where it was defined)
> >>
> >>score OBFU_UNSUB_UL (1)
> >>
> >>to bump it up, but I got an error that I can't adjust an undefined
> >>score. However, scoring gives it 1 point.
> >
> > the default score for any rule is 1 point, unless that rule starts
> > with T_ (0.01) or __ (0, used for meta rules)
>
> ok and not surprising.
>
> But is it good practice for the main distributed rules to rely on this
> default? It feels like a lint/pedantic error to define a rule that is
> not T_ or __ and does not have an assigned score. But maybe this is
> common and normal.
>
> > so, you have changed nothing.
>
> I asked for an additional point over the previous score. I got an error
> in the log:
>
> May 11 10:47:46 s1 spamd[11723]: config: score: relative score without
> previous setting in configuration
> May 11 10:47:46 s1 spamd[11723]: config: invalid 'score' value in
> /usr/pkg/etc/spamassassin/local.cf (line 271):
> score\tOBFU_UNSUB_UL\t\t(2)
>
> which is what I'm asking about.
>
> >>I wonder if there is a default 1 point for rules with no score, but the
> >>adjustment process doesn't respect that default, or if not what is going
> >>on.
> >
> > https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html
>
> That says scores in () are relative to the "already set score". So
> technically this is not a failure to follow docs, in that no score is
> set. But it seems unhelpful to users not to be able to see
>
> FOO_RULE1
>
> in a report and to decide they like that rule and do
>
> score FOO_RULE (1)
>
> to tell SA to give it one local point plus the score that the official
> config gives it.
>
> So maybe that (n) expression should be ok with the implicit 1.
RE: comparing sender domain against recipient domain
> > > I was wondering if spamassassin is applying some sort of algorithm to
> > > comparing sender domain against recipient domain to detect a phishing
> > > attempt?
> >
> > There is a suite of meta rules and subrules with names containing
> > TO_EQ_FROM in the default rule channel. Consult the rules files for
> > implementation details.

hmmm, I guess not

some test message with these headers

test2:~# spamassassin -D < spam-test.txt > out2

Date: Mon, 24 Oct 2016 22:10:07 +0200
To: recipi...@alexander.com
From: Lara
Subject: asdf asd fas df asdf asdf asd fas dfa sdf
Message-ID:
Return-Path: sen...@a1exander.com

gives this result:

X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on test2.local
X-Spam-Flag: YES
X-Spam-Level:
X-Spam-Status: Yes, score=4.4 required=3.0 tests=DKIM_ADSP_NXDOMAIN,
        EMPTY_MESSAGE,RDNS_NONE,T_TVD_MIME_EPI autolearn=disabled version=3.4.6
X-Spam-Report:
        * 0.8 DKIM_ADSP_NXDOMAIN No valid author signature and domain not in
        *      DNS
        * 0.0 T_TVD_MIME_EPI BODY: No description available.
        * 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
        * 2.3 EMPTY_MESSAGE Message appears to have no textual parts
RE: comparing sender domain against recipient domain
> what useful information would you be looking for from this kind of
> comparison?

sen...@a1exander.com
recipi...@alexander.com

* 3.9 PHISHING 1=l attempt

I assume there are some character substitute algorithms available, maybe
an adapted version of an algorithm that tries to detect typos.
Re: comparing sender domain against recipient domain
On 2023-05-11 at 16:22:12 UTC-0400 (Thu, 11 May 2023 20:22:12 +) Marc is rumored to have said:

> I was wondering if spamassassin is applying some sort of algorithm to
> comparing sender domain against recipient domain to detect a phishing
> attempt?

There is a suite of meta rules and subrules with names containing
TO_EQ_FROM in the default rule channel. Consult the rules files for
implementation details.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: comparing sender domain against recipient domain
What useful information would you be looking for from this kind of
comparison? All the time I receive mail from people with non-local
domains and regularly receive e-mail from co-workers using the same
domain as me.

The kind of things that might be useful are:

1) detecting local-domain forgeries (IE if you have DKIM/SPF, etc and
   the message appears to be from your domain but fails those checks)

2) examining the "comment" part of the From: address to see if it
   contains a misleading 'domain-like' text. EG:
   From: "b...@my.domain.org"

On Thu, 11 May 2023, Marc wrote:

> I was wondering if spamassassin is applying some sort of algorithm to
> comparing sender domain against recipient domain to detect a phishing
> attempt?

-- 
Dave Funk                               University of Iowa
                                        College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better.  B{
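An added example, written for this page and not SpamAssassin's TO_EQ_FROM rules nor code from anyone in the thread, of the two header checks discussed above: the character-substitution comparison Marc asks about (a1exander.com against alexander.com, where a digit 1 stands in for a letter l) and Dave Funk's point 2, a domain-like string planted in the From: display name that differs from the address's real domain. The confusable table, the edit-distance threshold, the function names and both sample messages are constructed assumptions; a real deployment would also want the SPF/DKIM alignment check from point 1, which this example does not do.

```python
"""Header-level lookalike checks between sender and recipient domains.

Illustration code, not SpamAssassin's rules. Confusable table, threshold
and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed confusable pairs seen in lookalike domains. Multi-character
# entries come first so "rn" collapses to "m" before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s")]

# A domain-like token (at least one dot, alphabetic TLD) that is not glued
# to other domain characters; used to spot "bob@my.domain.org" in a name.
DOMAINISH = re.compile(r"(?<![\w.-])[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?![\w.-])", re.I)


def skeleton(domain: str) -> str:
    """Collapse confusables so a1exander.com and alexander.com compare equal."""
    d = domain.lower().rstrip(".")
    for lookalike, plain in CONFUSABLES:
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def compare_domains(sender: str, rcpt: str, max_dist: int = 1) -> str:
    """Classify sender vs recipient domain: same, confusable, near-miss, different."""
    if not sender or not rcpt:
        return "unknown"
    if sender == rcpt:
        return "same"
    if skeleton(sender) == skeleton(rcpt):
        return "confusable"        # a1exander.com vs alexander.com
    if levenshtein(sender, rcpt) <= max_dist:
        return "near-miss"         # one typo away, e.g. alexanders.com
    return "different"


def check_headers(raw_message: str) -> dict:
    """Run the comparisons over From:, Return-Path: and To: of one message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    to_dom = domain_of(to_addr)
    # Domain-like tokens in the display name that are not the real From domain
    decoys = [t.lower() for t in DOMAINISH.findall(from_name)
              if t.lower() != domain_of(from_addr)]
    return {
        "from_vs_to": compare_domains(domain_of(from_addr), to_dom),
        "return_path_vs_to": compare_domains(domain_of(rp_addr), to_dom),
        "display_name_decoys": decoys,
    }


# Constructed sample messages (not the thread's real mail)
LOOKALIKE = """Return-Path: <lara@a1exander.com>
From: Lara <lara@a1exander.com>
To: bob@alexander.com
Subject: asdf

body
"""

DECOY_NAME = """Return-Path: <news@evil-mailer.example>
From: "bob@alexander.com" <news@evil-mailer.example>
To: bob@alexander.com
Subject: hi

body
"""

if __name__ == "__main__":
    for raw in (LOOKALIKE, DECOY_NAME):
        print(check_headers(raw))
```

The skeleton comparison is what catches the 1-for-l case; plain edit distance would also flag it, but it would equally flag an unrelated one-character-off domain, so the two signals are kept separate and a rule can weight them differently.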
comparing sender domain against recipient domain
I was wondering if spamassassin is applying some sort of algorithm to comparing sender domain against recipient domain to detect a phishing attempt?
Re: mystery score definition
Matus UHLAR - fantomas writes:

> On 11.05.23 10:58, Greg Troxel wrote:
>>I am seeing a lot of "claim your prize from X", where X is a known
>>company, coming from fresh foo.autos domains. I bet y'all are seeing
>>this too. Until these get on blocklists they don't score that high.
>>
>>One rule that does hit is
>>
>> OBFU_UNSUB_UL
>>
>>which is defined in 72_active.cf as meta, and does not seem to have a
>>score defined.
>>
>>I put in local.cf (not knowing where it was defined)
>>
>>score OBFU_UNSUB_UL (1)
>>
>>to bump it up, but I got an error that I can't adjust an undefined
>>score. However, scoring gives it 1 point.
>
> the default score for any rule is 1 point, unless that rule starts
> with T_ (0.01) or __ (0, used for meta rules)

ok and not surprising.

But is it good practice for the main distributed rules to rely on this
default? It feels like a lint/pedantic error to define a rule that is
not T_ or __ and does not have an assigned score. But maybe this is
common and normal.

> so, you have changed nothing.

I asked for an additional point over the previous score. I got an error
in the log:

May 11 10:47:46 s1 spamd[11723]: config: score: relative score without
previous setting in configuration
May 11 10:47:46 s1 spamd[11723]: config: invalid 'score' value in
/usr/pkg/etc/spamassassin/local.cf (line 271):
score\tOBFU_UNSUB_UL\t\t(2)

which is what I'm asking about.

>>I wonder if there is a default 1 point for rules with no score, but the
>>adjustment process doesn't respect that default, or if not what is going
>>on.
>
> https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html

That says scores in () are relative to the "already set score". So
technically this is not a failure to follow docs, in that no score is
set. But it seems unhelpful to users not to be able to see

FOO_RULE1

in a report and to decide they like that rule and do

score FOO_RULE (1)

to tell SA to give it one local point plus the score that the official
config gives it.

So maybe that (n) expression should be ok with the implicit 1.
Re: mystery score definition
On 11.05.23 10:58, Greg Troxel wrote:
>I am seeing a lot of "claim your prize from X", where X is a known
>company, coming from fresh foo.autos domains. I bet y'all are seeing
>this too. Until these get on blocklists they don't score that high.
>
>One rule that does hit is
>
> OBFU_UNSUB_UL
>
>which is defined in 72_active.cf as meta, and does not seem to have a
>score defined.
>
>I put in local.cf (not knowing where it was defined)
>
>score OBFU_UNSUB_UL (1)
>
>to bump it up, but I got an error that I can't adjust an undefined
>score. However, scoring gives it 1 point.

the default score for any rule is 1 point, unless that rule starts
with T_ (0.01) or __ (0, used for meta rules)

so, you have changed nothing.

>I wonder if there is a default 1 point for rules with no score, but the
>adjustment process doesn't respect that default, or if not what is going
>on.

https://spamassassin.apache.org/full/4.0.x/doc/Mail_SpamAssassin_Conf.html

>Should all meta rules in the default ruleset have a score, 0.001 if they
>are meant to be 0, vs something explicit? What's the intent for this
>one?
>
>(I defined a meta rule with just OBFU_UNSUB_UL as the underlying with a
>score, and that worked fine, as one would expect.)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I wonder how much deeper the ocean would be without sponges.
mystery score definition
I am seeing a lot of "claim your prize from X", where X is a known
company, coming from fresh foo.autos domains. I bet y'all are seeing
this too. Until these get on blocklists they don't score that high.

One rule that does hit is

  OBFU_UNSUB_UL

which is defined in 72_active.cf as meta, and does not seem to have a
score defined.

I put in local.cf (not knowing where it was defined)

  score OBFU_UNSUB_UL (1)

to bump it up, but I got an error that I can't adjust an undefined
score. However, scoring gives it 1 point.

I wonder if there is a default 1 point for rules with no score, but the
adjustment process doesn't respect that default, or if not what is going
on.

Should all meta rules in the default ruleset have a score, 0.001 if they
are meant to be 0, vs something explicit? What's the intent for this
one?

(I defined a meta rule with just OBFU_UNSUB_UL as the underlying with a
score, and that worked fine, as one would expect.)
RE: Re[8]: rule based on domain age
> IP ranges and country connections are of no help. These criminals use
> outlook, gmail, vps servers and everything under the sun.

So they register new domains, link them to gmail (outlook) and send spam
with the envelope of the domain via the google network, and google does
nothing and keeps giving this service to them? I assume this service is
offered for free by google/outlook?