Re: KHOP_RCVD_TRUST

2010-03-30 Thread Adam Katz
Dennis B. Hopp began:
>>> I received the following e-mail   http://pastebin.com/JXr9buxi
>>>
>>> It had a total score of 4.973 (blocked at 5).  [...] it hit:
>>>
>>> KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED=-0.5,SPF_PASS=-0.001

Michael Scheidell responded:
>> is that an old rule? i just checked SA updates, and I don't see
>> that rule in current SA 3.3.1
>> 
>> so, who is KHOP?  I looked in rule sets and don't know them.
>> were these rules inherited from some outside trusted source?

KHOP is short for khopesh (or khopis), which are my handles.

I've quite purposefully left rules like KHOP_RCVD_TRUST and other
adjustors out of subversion despite that the lion's share of the
khop-* channels' content is.  This is because they would radically
change the way that SpamAssassin scores things (for the better in my
opinion, but that will cause some level of debate that I don't have
the time to participate in at the moment).

The gist of KHOP_RCVD_TRUST and its companion KHOP_RCVD_UNTRUST, the
former of which was well summarized by Greg, is simple:  Give a boost
to non-overlapping* whitelisted relays that provide assurance against
spoofing and reduce the trust factor on whitelisted relays that lack
it.  (* if it's already listed in multiple relay whitelists, there's
no need to help the negative score.)

Trust within whitelists is (in my opinion) a little too strongly
placed, especially given how much harder it is to remove a whitelisted
relay from a DNS-whitelist than it is to remove a blacklisted relay
from a DNSBL.  Furthermore, any sender who goes to the trouble of
getting on a DNS-whitelist is probably also going to set up SPF or
DKIM to assure users against spoofing, which means they'll hit
KHOP_RCVD_TRUST and not its companion.

Dennis B. Hopp then wrote:
> http://khopesh.com/wiki/Anti-spam#sa-update_channels
> 
> Some of his rules I believe have been incorporated into mainline 
> sa. I'm using 3.3.1. I just got an update from some of the KHOP 
> channels yesterday so they appeared to be maintained.

Yes, some of my channel's rules have found their way into the 3.3
branch, specifically DEAR_EMAIL, HELO_NO_DOMAIN, and TWO_IPS_RCVD.

It took me a while to dig through SA3.3 and clean up my rules to play
nice with it, and I've been busy on other projects so the channels
only got minor updates as they worked pretty well.

Since khop-sc-neighbors is an automatically updated channel, it has been
updated continuously during this period.  As noted in bug 6114 and bug
6390, I've recently finished rigging unattended automatic svn checkins
so that it is up to date for masscheck, too.
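A small model of the trust/untrust logic described in this thread, added here as an illustration only; it is not the khop channel's own rule (which Adam says is deliberately not in svn). SPF_PASS and RCVD_IN_DNSWL_MED come from the thread; the other rule names are assumed SA 3.3 names, and the untrust weight is a placeholder. The rescore() helper reproduces the arithmetic of changing the rule's score, as Greg and Dennis discuss.

```python
# Added example: models KHOP_RCVD_TRUST / KHOP_RCVD_UNTRUST as the thread describes them.
# Not the real khop rule. Rule names other than SPF_PASS / RCVD_IN_DNSWL_MED are assumed.
AUTH_RULES = {"SPF_PASS", "DKIM_VALID_AU"}           # "assurance against spoofing"
WHITELIST_RULES = {                                  # relay DNS-whitelist hits (assumed names)
    "RCVD_IN_DNSWL_LOW", "RCVD_IN_DNSWL_MED", "RCVD_IN_DNSWL_HI", "RCVD_IN_IADB_VOUCHED",
}
UNTRUST_WEIGHT = 1.0   # placeholder: the thread gives no score for KHOP_RCVD_UNTRUST


def khop_adjustment(hits, trust_score=-1.75, untrust_score=UNTRUST_WEIGHT):
    """Return (rule_name, score) for the adjustor a message would hit, or (None, 0.0).

    TRUST: exactly one whitelist hit ("non-overlapping") plus SPF/DKIM assurance.
    UNTRUST: whitelisted relay with no SPF/DKIM assurance.
    Multiple whitelists: no boost, the negative score needs no help.
    """
    hits = set(hits)
    n_whitelists = len(hits & WHITELIST_RULES)
    authenticated = bool(hits & AUTH_RULES)
    if n_whitelists == 1 and authenticated:
        return "KHOP_RCVD_TRUST", trust_score
    if n_whitelists >= 1 and not authenticated:
        return "KHOP_RCVD_UNTRUST", untrust_score
    return None, 0.0


def rescore(total, hits, new_trust_score, old_trust_score=-1.75):
    """Recompute a reported total after 'score KHOP_RCVD_TRUST <new>' in local.cf."""
    rule, _ = khop_adjustment(hits, trust_score=old_trust_score)
    if rule != "KHOP_RCVD_TRUST":
        return round(total, 3)
    return round(total - old_trust_score + new_trust_score, 3)


if __name__ == "__main__":
    # Constructed hit list matching the message in the thread (score 4.973, threshold 5).
    thread_hits = ["KHOP_RCVD_TRUST", "RCVD_IN_DNSWL_MED", "SPF_PASS"]
    print(khop_adjustment(thread_hits))                 # ('KHOP_RCVD_TRUST', -1.75)
    print(rescore(4.973, thread_hits, -0.1))            # Greg's setting  -> 6.623, blocked
    print(rescore(4.973, thread_hits, -0.75))           # Dennis's idea   -> 5.973, blocked
    print(khop_adjustment(["RCVD_IN_DNSWL_MED"]))       # no SPF/DKIM -> UNTRUST
    print(khop_adjustment(["RCVD_IN_DNSWL_MED", "RCVD_IN_IADB_VOUCHED", "SPF_PASS"]))  # overlap -> none
```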


Re: KHOP_RCVD_TRUST

2010-03-26 Thread Karsten Bräckelmann
On Fri, 2010-03-26 at 11:35 -0400, Michael Scheidell wrote:
> so, who is KHOP?  I looked in rule sets and don't know them.  were these 
> rules inherited from some outside trusted source?

grep -lr KHOP trunk/rules*





Re: KHOP_RCVD_TRUST

2010-03-26 Thread Dennis B. Hopp

On Fri, 2010-03-26 at 11:35 -0400, Michael Scheidell wrote:
> 
> On 3/26/10 10:41 AM, Dennis B. Hopp wrote:
> > I received the following e-mail
> >
> > http://pastebin.com/JXr9buxi
> >
> > It had a total score of 4.973 (blocked at 5).  Among other rules it hit:
> >
> > KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED=-0.5,SPF_PASS=-0.001
> >
> >
> is that an old rule? i just checked SA updates, and I don't see that 
> rule in current SA 3.3.1
> 
> so, who is KHOP?  I looked in rule sets and don't know them.  were these 
> rules inherited from some outside trusted source?
> 
> 

http://khopesh.com/wiki/Anti-spam#sa-update_channels

Some of his rules I believe have been incorporated into mainline sa.
I'm using 3.3.1.  I just got an update from some of the KHOP channels
yesterday so they appeared to be maintained.

--Dennis



Re: KHOP_RCVD_TRUST

2010-03-26 Thread Michael Scheidell



On 3/26/10 10:41 AM, Dennis B. Hopp wrote:

I received the following e-mail

http://pastebin.com/JXr9buxi

It had a total score of 4.973 (blocked at 5).  Among other rules it hit:

KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED=-0.5,SPF_PASS=-0.001

is that an old rule? i just checked SA updates, and I don't see that 
rule in current SA 3.3.1


so, who is KHOP?  I looked in rule sets and don't know them.  were these 
rules inherited from some outside trusted source?



--
Michael Scheidell, CTO


Re: KHOP_RCVD_TRUST

2010-03-26 Thread Greg Troxel

"Dennis B. Hopp" writes:

> I received the following e-mail
>
> http://pastebin.com/JXr9buxi
>
> It had a total score of 4.973 (blocked at 5).  Among other rules it hit:
>
> KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED=-0.5,SPF_PASS=-0.001
>
> So is the KHOP_RCVD_TRUST score too low?  Should I possibly consider
> making that -0.75 or something?  Is there a way to report FP to KHOP?

I don't think it's a KHOP FP, but a DNSWL FP.  If you got spam from
a DNSWL MED listed host, by all means report it to adm...@dnswl.org.

KHOP_RCVD_TRUST is supposed to lower the score of a mail that is

  DKIM signed or passes SPF

  hits a whitelist

  doesn't hit lots of whitelists

I suggest reading the rules to really be clear on it.

I don't really understand why this is a good idea; most if not all of
the whitelists are based on the IP address of the sender.  I get spam
from whitelisted hosts all the time (facebook is particularly bad), but
spf/dkim won't help - the spam really is from them.

I hadn't really paid attention to this before, but I just changed the
score (leaving it non-zero so I'll notice it on FPs and perhaps
reconsider - I filter to spam filter at 1 point).

score   KHOP_RCVD_TRUST -0.1




KHOP_RCVD_TRUST

2010-03-26 Thread Dennis B. Hopp
I received the following e-mail

http://pastebin.com/JXr9buxi

It had a total score of 4.973 (blocked at 5).  Among other rules it hit:

KHOP_RCVD_TRUST=-1.75,RCVD_IN_DNSWL_MED=-0.5,SPF_PASS=-0.001

So is the KHOP_RCVD_TRUST score too low?  Should I possibly consider
making that -0.75 or something?  Is there a way to report FP to KHOP?

Thanks,

--Dennis