Re: FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Axb

On 03/09/2017 06:29 PM, Kevin A. McGrail wrote:
> On 3/9/2017 12:26 PM, Axb wrote:
>> On 03/09/2017 06:14 PM, Kevin A. McGrail wrote:
>>> On 3/9/2017 12:04 PM, Cedric Knight wrote:
>>>> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down
>>>> to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much,
>>
>> atm there's a ton of hacked web servers spewing spam so I'm ok with lowering
>> the score but suggest we try going with 1.5 and see how it goes.
>> Comments?
>
> +1

in absence of more comments I've...

COMMIT/trunk/rules/50_scores.cf
Committed revision 1786225.

score RCVD_IN_SORBS_WEB  0 1.5 0 1.5


Re: FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Kevin A. McGrail

On 3/9/2017 12:26 PM, Axb wrote:
> On 03/09/2017 06:14 PM, Kevin A. McGrail wrote:
>> On 3/9/2017 12:04 PM, Cedric Knight wrote:
>>> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down
>>> to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much,
>
> atm there's a ton of hacked web servers spewing spam so I'm ok with
> lowering the score but suggest we try going with 1.5 and see how it
> goes.
>
> Comments?

+1

--
*Kevin A. McGrail*
CEO

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 x50 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
kmcgr...@pccc.com 



Re: FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Axb

On 03/09/2017 06:14 PM, Kevin A. McGrail wrote:
> On 3/9/2017 12:04 PM, Cedric Knight wrote:
>> Well, not based on mass checks or any advanced analysis or anything, it
>> just stops obvious Facebook etc ham being marked as spam, so working
>> much better than the previous score of 3.253.
>>
>> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down
>> to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much,
>> but with a hit similarly being about a 25% risk of being a FP.  I could
>> write some local rules to try separating out the lastexternal hits and
>> see if it eliminates some FPs, but I doubt it will.  There was some
>> other experience upthread of RCVD_IN_SORBS_WEB (eg from Steve Zinski)
>> being a problem.
>
> If a related rule had to be adjusted down, it makes sense that this
> might have similar troubles. Axb, do you agree we should lower/cap this
> rule at 0.5 as well?
>
> If the FP rate is as high as Cedric mentions, this might be considered
> for removal but we can address that after a rule score adjustment.
>
> Regards,
> KAM

atm there's a ton of hacked web servers spewing spam so I'm ok with
lowering the score but suggest we try going with 1.5 and see how it goes.

Comments?


Re: FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Kevin A. McGrail

On 3/9/2017 12:04 PM, Cedric Knight wrote:
> Well, not based on mass checks or any advanced analysis or anything, it
> just stops obvious Facebook etc ham being marked as spam, so working
> much better than the previous score of 3.253.
>
> Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down
> to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much,
> but with a hit similarly being about a 25% risk of being a FP.  I could
> write some local rules to try separating out the lastexternal hits and
> see if it eliminates some FPs, but I doubt it will.  There was some
> other experience upthread of RCVD_IN_SORBS_WEB (eg from Steve Zinski)
> being a problem.

If a related rule had to be adjusted down, it makes sense that this
might have similar troubles. Axb, do you agree we should lower/cap this
rule at 0.5 as well?

If the FP rate is as high as Cedric mentions, this might be considered
for removal but we can address that after a rule score adjustment.

Regards,
KAM


Re: FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Cedric Knight
On 09/03/17 13:26, Kevin A. McGrail wrote:
> On 3/9/2017 8:22 AM, Cedric Knight wrote:
>> I've reduced the score on my installation to 0.5.  Would this kind of
>> thing be prevented by more people contributing to the mass checks?  Or
>> could it be adjusted downwards as Alex suggested?
> 
> I don't know if it's a floating rule but it sounds like it needs manual
> adjustment down.  How has 0.5 been working for you?

Well, not based on mass checks or any advanced analysis or anything, it
just stops obvious Facebook etc ham being marked as spam, so working
much better than the previous score of 3.253.

Compared to RCVD_IN_SORBS_SPAM, which I think Axb manually adjusted down
to 0.5 back in September, RCVD_IN_SORBS_WEB hits about a tenth as much,
but with a hit similarly being about a 25% risk of being a FP.  I could
write some local rules to try separating out the lastexternal hits and
see if it eliminates some FPs, but I doubt it will.  There was some
other experience upthread of RCVD_IN_SORBS_WEB (eg from Steve Zinski)
being a problem.

CK


Re: FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Kevin A. McGrail

On 3/9/2017 8:22 AM, Cedric Knight wrote:
> I've reduced the score on my installation to 0.5.  Would this kind of
> thing be prevented by more people contributing to the mass checks?  Or
> could it be adjusted downwards as Alex suggested?

I don't know if it's a floating rule but it sounds like it needs manual
adjustment down.  How has 0.5 been working for you?


FPs on RCVD_IN_SORBS_WEB

2017-03-09 Thread Cedric Knight
On 11/09/16 22:10, Alex wrote:
>> COMMIT/trunk/rules/50_scores.cf
>>
>> Committed revision 1760066.
>>
>> score RCVD_IN_SORBS_SPAM 0 0.5 0 0.5
>>
>> should show up after next SA update
> 
> Has RCVD_IN_SORBS_WEB been considered for adjustment as well? It's
> hitting a lot more ham than spam here, including mail from facebook.

Over the last four months I've seen a fair number of false positives
from RCVD_IN_SORBS_WEB, including Facebook, Google, HaveIBeenPwned and
various legit servers.  A Facebook example:

  145.144.220.66.dnsbl.sorbs.net. 3600 IN TXT "Exploitable Server See:
http://www.sorbs.net/lookup.shtml?66.220.144.145;

The rule scored 3.253 in November, which has fallen to 2.034 now.  This
still seems high for a RBL, particularly one that does deep-parsing,
i.e. isn't -lastexternal, and hits end users (not servers) listed in the
x-originating-ip header.  To be fair, it is hitting some malware and
carder spam too, but not much that would otherwise be missed.  The list
is described as:

web.dnsbl.sorbs.net - List of web (WWW) servers which have spammer
  abusable vulnerabilities (e.g. FormMail scripts)
  Note: This zone now includes non-webserver
  IP addresses that have abusable vulnerabilities.

I've reduced the score on my installation to 0.5.  Would this kind of
thing be prevented by more people contributing to the mass checks?  Or
could it be adjusted downwards as Alex suggested?

CK
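Cedric's two technical points, that RCVD_IN_SORBS_WEB is a deep-parsing rule (every Received: hop plus X-Originating-IP, not just the last external relay) and that splitting out the lastexternal hits would show whether the false positives come from the deep parse, can be expressed directly in SpamAssassin's rule language. The local.cf fragment below is an added illustration; it is not part of this thread and not from SpamAssassin's shipped rule files. It assumes the stock 20_dnsbl_tests.cf queries dnsbl.sorbs.net. and treats return code 127.0.0.7 as the web list, and that the "-lastexternal" set-name suffix restricts check_rbl to the last external relay as it does for the stock RCVD_IN_SORBS_DUL rule; verify both against the rule files actually installed before relying on them.

```spamassassin
# local.cf additions (added example, not the thread's or the project's own config)
#
# Goal: keep a meaningful score when the *last external relay* is on the
# SORBS web list, but cap the stock deep-parsing rule so a listing of an
# end-user IP in X-Originating-IP (or an internal hop) cannot by itself
# push legitimate mail toward the 5.0 default threshold.

# Assumption: zone, set name and return code mirror the stock SORBS rules.
# The 'sorbs-lastexternal' set name is what makes check_rbl look only at
# the last external relay instead of every parsed IP.
header   RCVD_IN_SORBS_WEB_LE  eval:check_rbl('sorbs-lastexternal', 'dnsbl.sorbs.net.', '127.0.0.7')
describe RCVD_IN_SORBS_WEB_LE  SORBS web list hit on the last external relay only
tflags   RCVD_IN_SORBS_WEB_LE  net

# Four values = score sets 0..3 (no-net/no-bayes, net, bayes, net+bayes).
# A net rule must score 0 in sets 0 and 2, where network tests are off,
# which is why the committed line above reads "0 1.5 0 1.5".
score    RCVD_IN_SORBS_WEB_LE  0 1.5 0 1.5

# Cap the stock deep-parsing rule at the value Cedric is already running.
# It still fires and still appears in the X-Spam-Status tests= list, so
# hits on the two rules can be counted separately from the mail logs.
score    RCVD_IN_SORBS_WEB     0 0.5 0 0.5
```

Two things to keep in mind when reading the results: a message whose last external relay is listed hits both rules, so it collects 2.0 in total, while a message listed only through a deeper hop or X-Originating-IP collects just 0.5; comparing how often each rule fires on known ham versus known spam over a few weeks is the cheapest way to test Cedric's doubt that the split eliminates the false positives. Run `spamassassin --lint` after editing local.cf so a typo in the eval line is caught before the next restart.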