Re: FP with URI_TRY_3LD on get.adobe.com
On Sun, 29 Apr 2018, Sebastian Arcus wrote:

> On 27/04/18 16:22, John Hardin wrote:
>> On Fri, 27 Apr 2018, Sebastian Arcus wrote:
>>> On 27/04/18 10:49, Sebastian Arcus wrote:
>>>> I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com
>>>> in the body of emails:
>>>>
>>>> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
>>>> got hit: "http://get.adobe.com";
>>>>
>>>> Would it be possible to add some exception to this rule - as many
>>>> legitimate emails containing invoice attachments in pdf include the
>>>> above url in the body.
>>>
>>> It also appears to not like some DHL URLs for some reason:
>>>
>>> Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==>
>>> got hit: "https://mybill.dhl.com";
>>
>> my{mumble}.mumble.com is targeted. I'll think about that one; the rule
>> isn't scored highly and I could see that helping out to detect DHL
>> phishing.
>
> If it is detecting DHL phishing, that is good - but if it is triggering
> on both legitimate DHL emails and phishing emails, I'm not sure it is
> that useful?

It is if it's enough in concert with other rule hits to push the phish
over the limit while not doing so with legitimate DHL mails.

It's unrealistic to expect every spam rule to have a S/O of 1.000 (i.e.
*not hit* on any ham at all). SA has bunches of rules because it's the
*combination* of signs that are used to make the final decision.

And with this I'm not going to worry too much about it:

  score URI_TRY_3LD 0.001 0.001 0.001 0.001

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
North Korea: the only country in the world where people would risk
execution to flee to communist China. -- Ride Fast
---
2 days until May Day - Remember 110 million people murdered by Communism
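A small triage helper, added here and not from the thread or from SpamAssassin itself: it parses the `dbg: rules: ran uri rule ... got hit:` lines quoted above (the format `spamassassin -D` prints), so an admin can run it over the debug output of a known-ham corpus and see which hosts make URI_TRY_3LD fire and how often, which is what KAM's question about the rule hitting more than intended calls for. The sample debug lines, including the EXAMPLE_BODY_RULE line, are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Matches the "dbg: rules: ran uri rule ..." lines quoted in this thread
# (spamassassin -D output). Hits from body/header rules are ignored.
URI_HIT = re.compile(
    r'dbg: rules: ran uri rule (?P<rule>\S+) ==> got hit: "(?P<uri>[^"]+)"'
)

def parse_uri_hits(debug_text):
    """Return [(rule, uri), ...] for every uri-rule hit in the debug output."""
    return [(m.group("rule"), m.group("uri"))
            for m in URI_HIT.finditer(debug_text)]

def host_of(uri):
    """Lower-cased hostname of a URI (no scheme, userinfo, port or path)."""
    return (urlsplit(uri).hostname or "").lower()

def label_count(host):
    """Number of DNS labels: get.adobe.com -> 3, i.e. a third-level host."""
    return len(host.strip(".").split(".")) if host else 0

def hosts_per_rule(hits):
    """{rule: Counter({host: n})} - which hosts made each uri rule fire."""
    table = defaultdict(Counter)
    for rule, uri in hits:
        table[rule][host_of(uri)] += 1
    return table

def report(debug_text, rule):
    """Hosts that fired `rule`, most frequent first, with their label count.
    Run this over the debug output of a ham corpus to spot FP sources."""
    table = hosts_per_rule(parse_uri_hits(debug_text))
    return [(host, n, label_count(host))
            for host, n in table[rule].most_common()]

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_DEBUG = """\
Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "http://get.adobe.com"
Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "https://mybill.dhl.com"
Apr 27 11:02:05.150 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "HTTP://Get.Adobe.com/reader/"
Apr 27 11:02:05.151 [32339] dbg: rules: ran body rule EXAMPLE_BODY_RULE ==> got hit: "some text"
"""

if __name__ == "__main__":
    for host, n, labels in report(SAMPLE_DEBUG, "URI_TRY_3LD"):
        print(f"{host:<20} hits={n} labels={labels}")
```

Feed it the concatenated `spamassassin -D` output of a ham mailbox; a host that tops the list for a low-scored rule is a candidate for the kind of per-host exception or local `score` override discussed in the thread.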
Re: FP with URI_TRY_3LD on get.adobe.com
On 27/04/18 16:22, John Hardin wrote:
> On Fri, 27 Apr 2018, Sebastian Arcus wrote:
>> On 27/04/18 10:49, Sebastian Arcus wrote:
>>> I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com
>>> in the body of emails:
>>>
>>> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
>>> got hit: "http://get.adobe.com";
>>>
>>> Would it be possible to add some exception to this rule - as many
>>> legitimate emails containing invoice attachments in pdf include the
>>> above url in the body.
>>
>> It also appears to not like some DHL URLs for some reason:
>>
>> Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==>
>> got hit: "https://mybill.dhl.com";
>
> my{mumble}.mumble.com is targeted. I'll think about that one; the rule
> isn't scored highly and I could see that helping out to detect DHL
> phishing.

If it is detecting DHL phishing, that is good - but if it is triggering
on both legitimate DHL emails and phishing emails, I'm not sure it is
that useful?
Re: FP with URI_TRY_3LD on get.adobe.com
On 27/04/18 16:19, John Hardin wrote:
> On Fri, 27 Apr 2018, Sebastian Arcus wrote:
>> I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com
>> in the body of emails:
>>
>> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
>> got hit: "http://get.adobe.com";
>>
>> Would it be possible to add some exception to this rule - as many
>> legitimate emails containing invoice attachments in pdf include the
>> above url in the body.
>
> Fixed.

Thank you
Re: FP with URI_TRY_3LD on get.adobe.com
On Fri, 27 Apr 2018, Sebastian Arcus wrote:
> On 27/04/18 10:49, Sebastian Arcus wrote:
>> I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com
>> in the body of emails:
>>
>> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
>> got hit: "http://get.adobe.com";
>>
>> Would it be possible to add some exception to this rule - as many
>> legitimate emails containing invoice attachments in pdf include the
>> above url in the body.
>
> It also appears to not like some DHL URLs for some reason:
>
> Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==>
> got hit: "https://mybill.dhl.com";

my{mumble}.mumble.com is targeted. I'll think about that one; the rule
isn't scored highly and I could see that helping out to detect DHL
phishing.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
the Internal Revenue Service has an "impressive history ... of storing
[data] carelessly, leaking data through every possible conduit, and
hiring employees who appear to only marginally prefer a career in tax
collection over knocking over liquor stores." -- Reason's J.D. Tuccille
---
4 days until May Day - Remember 110 million people murdered by Communism
Re: FP with URI_TRY_3LD on get.adobe.com
If this is causing the entire mail to be flagged as SPAM, we need to see
the entire FP, not just a hit on one rule. That rule has a max 0.8 score.

Though it does appear to be hitting on more than intended. Anyone know
what it is supposed to hit, because I think it might be hitting on a lot
more than intended?

Regards,
KAM

-- 
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Fri, Apr 27, 2018 at 6:03 AM, Sebastian Arcus wrote:
>
> On 27/04/18 10:49, Sebastian Arcus wrote:
>
>> I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com in
>> the body of emails:
>>
>> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
>> got hit: "http://get.adobe.com";
>>
>> Would it be possible to add some exception to this rule - as many
>> legitimate emails containing invoice attachments in pdf include the above
>> url in the body.
>>
>
> It also appears to not like some DHL URLs for some reason:
>
> Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==>
> got hit: "https://mybill.dhl.com";
>
Re: FP with URI_TRY_3LD on get.adobe.com
On Fri, 27 Apr 2018, Sebastian Arcus wrote:
> I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com
> in the body of emails:
>
> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
> got hit: "http://get.adobe.com";
>
> Would it be possible to add some exception to this rule - as many
> legitimate emails containing invoice attachments in pdf include the
> above url in the body.

Fixed.

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
the Internal Revenue Service has an "impressive history ... of storing
[data] carelessly, leaking data through every possible conduit, and
hiring employees who appear to only marginally prefer a career in tax
collection over knocking over liquor stores." -- Reason's J.D. Tuccille
---
4 days until May Day - Remember 110 million people murdered by Communism
Re: FP with URI_TRY_3LD on get.adobe.com
On 27/04/18 10:49, Sebastian Arcus wrote:
> I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com
> in the body of emails:
>
> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
> got hit: "http://get.adobe.com";
>
> Would it be possible to add some exception to this rule - as many
> legitimate emails containing invoice attachments in pdf include the
> above url in the body.

It also appears to not like some DHL URLs for some reason:

Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==>
got hit: "https://mybill.dhl.com";
FP with URI_TRY_3LD on get.adobe.com
I am getting some FP's with URI_TRY_3LD hitting the url get.adobe.com in
the body of emails:

Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
got hit: "http://get.adobe.com";

Would it be possible to add some exception to this rule - as many
legitimate emails containing invoice attachments in pdf include the
above url in the body.