Re: FSL_BULK_SIG in 72_active.cf

2021-10-05 Thread John Hardin

On Tue, 5 Oct 2021, Matus UHLAR - fantomas wrote:

It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've 
picked the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the 
rule.



On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
an unsubscribe header.



On 25.09.21 13:19, John Hardin wrote:

Perhaps it needs a short-message exclusion?



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
short messages with attachments. if you have an idea how, I'll be glad to 
try.


On 25.09.21 15:04, John Hardin wrote:
I've done some masscheck review and tuning of it, added avoidance of hits 
on very short messages.


I'm afraid it did not help.
It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
FSL_BULK_SIG pushes such mail easily over default spam score.

I just analyzed a few samples; a few also hit GMD_PDF_EMPTY_BODY with sa -D, 
many of them hit __HTML_LENGTH_1024_1536

(damn Microsoft! 1k of "empty" message).

OK, I will work around locally.


I noticed the PDF attachment hit in masschecks, but presumed (since the 
attachments were images) that it wasn't germane to the OP's problem. I 
should have added an exclusion for that as well. I will later today, 
work is booting up... :)


I'd be interested in the rule hits if you're willing to share.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 493 days since the first private commercial manned orbital mission (SpaceX)

Re: FSL_BULK_SIG in 72_active.cf

2021-10-05 Thread Matus UHLAR - fantomas
It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  
Must've picked the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the rule.



On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
an unsubscribe header.



On 25.09.21 13:19, John Hardin wrote:

Perhaps it needs a short-message exclusion?



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
short messages with attachments. if you have an idea how, I'll be 
glad to try.


On 25.09.21 15:04, John Hardin wrote:
I've done some masscheck review and tuning of it, added avoidance of 
hits on very short messages.


I'm afraid it did not help.
It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
FSL_BULK_SIG pushes such mail easily over default spam score.

I just analyzed a few samples; a few also hit GMD_PDF_EMPTY_BODY 
with sa -D, many of them hit __HTML_LENGTH_1024_1536

(damn Microsoft! 1k of "empty" message).

OK, I will work around locally.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: FSL_BULK_SIG in 72_active.cf

2021-09-25 Thread John Hardin

On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked 
the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the rule.



On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
an unsubscribe header.


On 25.09.21 13:19, John Hardin wrote:

Perhaps it needs a short-message exclusion?


short messages with attachments. if you have an idea how, I'll be glad to 
try.


I've done some masscheck review and tuning of it, added avoidance of hits 
on very short messages.



Re: FSL_BULK_SIG in 72_active.cf

2021-09-25 Thread Matus UHLAR - fantomas
It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  
Must've picked the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the rule.



On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
an unsubscribe header.


On 25.09.21 13:19, John Hardin wrote:

Perhaps it needs a short-message exclusion?


short messages with attachments. 
if you have an idea how, I'll be glad to try.




Re: FSL_BULK_SIG in 72_active.cf

2021-09-25 Thread John Hardin

On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked 
the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the rule.


On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.


RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
an unsubscribe header.


Perhaps it needs a short-message exclusion?


Re: FSL_BULK_SIG in 72_active.cf

2021-09-25 Thread Matus UHLAR - fantomas
It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've 
picked the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the rule.


On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.


RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
an unsubscribe header.



Re: FSL_BULK_SIG in 72_active.cf

2021-09-24 Thread Kevin A. McGrail
I don't think it's reasonable but an FP in Pyzor is leading to other 
rule hits.


Was the overall email marked as spam?

On 9/24/2021 12:21 AM, Jared Hall wrote:

On 9/23/2021 10:07 PM, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.


No doubt.  The 4.608 points for a single aberration seems reasonable.

-- Jared Hall


--
Kevin A. McGrail
kmcgr...@apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171



Re: FSL_BULK_SIG in 72_active.cf

2021-09-23 Thread Henrik K
On Thu, Sep 23, 2021 at 04:24:38PM -0400, Jared Hall wrote:
> Got a remote sender sending some pictures of property damage to be fixed.
> It's all images.  The only text is:
> Sent from Yahoo Mail for iPhone
> 
> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked the
> wrong checksum, chief!

It only cares about the body, and that body has probably been reported
a million times.

pyzor local_whitelist < message

pyzor digest < message
https://app.pyzor.org/whitelist/



Re: FSL_BULK_SIG in 72_active.cf

2021-09-23 Thread Jared Hall

On 9/23/2021 10:07 PM, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.


No doubt.  The 4.608 points for a single aberration seems reasonable.

-- Jared Hall



Re: FSL_BULK_SIG in 72_active.cf

2021-09-23 Thread Kevin A. McGrail
It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've 
picked the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the rule.


Jared, looks to me like an FP in Pyzor.




FSL_BULK_SIG in 72_active.cf

2021-09-23 Thread Jared Hall
Got a remote sender sending some pictures of property damage to be 
fixed.  It's all images.  The only text is:

Sent from Yahoo Mail for iPhone 

It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked 
the wrong checksum, chief!


However, his messages also hit: FSL_BULK_SIG=2.623.  That's a meta in 
72_active.cf that looks like this:


meta FSL_BULK_SIG  (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY


DCC_CHECK = 0
RAZOR2_CHECK = 0
PYZOR_CHECK = 1

__FSL_HAS_LIST_UNSUB = 0
__UNSUB_LINK = 0
__RCVD_IN_DNSWL = 0
__JM_REACTOR_DATE = 0
__RCD_RDNS_SMTP_MESSY = 0

It does not appear that the actual rule matches the spirit of the rule.

Thoughts?

-- Jared Hall
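
The evaluation walked through in the original post, as an added example (not part of the post and not SpamAssassin's own code): a small Python evaluator for the boolean subset of meta syntax, run over the posted hit values. `__LOCAL_SHORT_BODY` is a hypothetical subrule name standing in for the short-message exclusion discussed in the replies; the actual rule change is not shown in the thread.

```python
import re

# FSL_BULK_SIG as posted in the thread, joined onto one line.
FSL_BULK_SIG = ("(DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB"
                " && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE"
                " && !__RCD_RDNS_SMTP_MESSY")
# Assumption: __LOCAL_SHORT_BODY is an invented subrule name for a
# short-message exclusion; the thread does not show the real change.
WITH_EXCLUSION = f"({FSL_BULK_SIG}) && !__LOCAL_SHORT_BODY"
SCORES = {"PYZOR_CHECK": 1.985, "FSL_BULK_SIG": 2.623}  # from the original post
POSTED_HITS = {"DCC_CHECK": 0, "RAZOR2_CHECK": 0, "PYZOR_CHECK": 1}

def evaluate(expr, hits):
    """Evaluate the boolean subset of meta syntax (||, &&, !, parentheses).
    Rule names missing from `hits` count as 0 (not hit)."""
    toks = re.findall(r"\|\||&&|[!()]|\w+", expr) + ["<end>"]
    if "".join(toks[:-1]) != "".join(expr.split()):
        raise ValueError("unsupported syntax in expression")
    def term():
        tok = toks.pop(0)
        if tok == "!":
            return not term()
        if tok == "(":
            value = chain(0)
            if toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if not re.fullmatch(r"\w+", tok):
            raise ValueError(f"expected a rule name, got {tok!r}")
        return bool(hits.get(tok, 0))
    def chain(level):  # level 0 parses "||", level 1 parses the tighter "&&"
        operand = (lambda: chain(1)) if level == 0 else term
        value = operand()
        while toks[0] == ("||", "&&")[level]:
            toks.pop(0)
            rhs = operand()  # always consume the operand before combining
            value = (value or rhs) if level == 0 else (value and rhs)
        return value
    result = chain(0)
    if toks[0] != "<end>":
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

def added_score(expr, hits):
    """Points from PYZOR_CHECK plus the meta, for whichever of them fires."""
    fired = {"PYZOR_CHECK": hits.get("PYZOR_CHECK"), "FSL_BULK_SIG": evaluate(expr, hits)}
    return round(sum(SCORES[rule] for rule, hit in fired.items() if hit), 3)
```

With the posted values `added_score(FSL_BULK_SIG, POSTED_HITS)` returns 4.608, the figure quoted in the replies; with the hypothetical exclusion hit it drops to 1.985.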