Re: FROM_LOCAL_HEX fps
On 23.04.08 09:27, Joseph Brennan wrote: > I noticed that FROM_LOCAL_HEX scores more often on legit mail than > on spam. Specifically it hits on Myspace invitations and some type > of group mail from Gmail, which are both common. It also hits on > a few verp sender addresses from random sites that appear to be > legit, and verp may become common. > > I don't have the messages, only syslog entries. Syslog shows the > envelope sender, but apparently the header From is the same. > Maybe someone else has sample messages for a proper report. > Note: Also hits FROM_STARTS_WITH_NUMS (2.302). The envelope sender > starts with only one digit though-- is the header From different? we've had similar FPs when users sent mail from their mobile phoned via SMS/MMS - the From: address and local part were their phone numbers which made them hit. I was thinking if I have just to whitelist them, or better make an exception for those rules/sources (and how) -- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. WinError #98652: Operation completed successfully.
FROM_LOCAL_HEX fps
I noticed that FROM_LOCAL_HEX scores more often on legit mail than on spam. Specifically it hits on Myspace invitations and some type of group mail from Gmail, which are both common. It also hits on a few verp sender addresses from random sites that appear to be legit, and verp may become common. I don't have the messages, only syslog entries. Syslog shows the envelope sender, but apparently the header From is the same. Maybe someone else has sample messages for a proper report. Joseph Brennan Columbia University Information Technology Myspace 204.16.33.77 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> would like to be added as one of your friends! Note: 204.16.33.77 is vmta14.myspace.com Note: Aggravated by also hitting BAD_ENC_HEADER (3.499). If I recall correctly, I sent them a report about that a long time ago. That was a genuine standards violation that they should fix. Gmail 209.85.198.210 <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> orkut - has written you a scrapbook entry Note: 209.85.198.210 is rv-out-0304.google.com Note: 'orkut' seems to be the name of a group or list. There are also messages with subject like 'orkut - Invitation to join from '. Note: Also hits FROM_STARTS_WITH_NUMS (2.302). The envelope sender starts with only one digit though-- is the header From different?