Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-29 Thread John Hardin

On Sun, 29 Apr 2018, Sebastian Arcus wrote:



On 27/04/18 16:22, John Hardin wrote:

On Fri, 27 Apr 2018, Sebastian Arcus wrote:



On 27/04/18 10:49, Sebastian Arcus wrote:
I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com in 
the body of emails:


Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "http://get.adobe.com"


Would it be possible to add some exception to this rule - as many 
legitimate emails containing invoice attachments in PDF include the above 
URL in the body.


It also appears to not like some DHL URLs for some reason:

Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "https://mybill.dhl.com"


my{mumble}.mumble.com is targeted. I'll think about that one; the rule 
isn't scored highly and I could see that helping out to detect DHL 
phishing.


If it is detecting DHL phishing, that is good - but if it is triggering on both 
legitimate DHL emails and phishing emails, I'm not sure it is that useful?


It is if it's enough in concert with other rule hits to push the phish 
over the limit while not doing so with legitimate DHL mails.


It's unrealistic to expect every spam rule to have a S/O of 1.000 (i.e. 
*not hit* on any ham at all). SA has bunches of rules because it's the 
*combination* of signs that are used to make the final decision.


And with this I'm not going to worry too much about it:

  score URI_TRY_3LD 0.001 0.001 0.001 0.001

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  North Korea: the only country in the world where people would risk
  execution to flee to communist China.  -- Ride Fast
---
 2 days until May Day - Remember 110 million people murdered by Communism
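Added example, not the thread's or SpamAssassin's own code: it reads the "got hit" lines from a `spamassassin -D` run (constructed here, with the quoted get.adobe.com hit plus two hypothetical rule names and made-up scores) and shows whether the contested rule is what tips a borderline mail over the threshold, and what the local 0.001 override from the message above does to the verdict.

```python
import re

# Matches the 'ran <type> rule <NAME> ==> got hit' lines spamassassin -D prints.
HIT_RE = re.compile(r'dbg: rules: ran \w+ rule (?P<rule>\S+) ==> got hit')

# Constructed debug output for one message: the get.adobe.com hit quoted in the
# thread plus two hypothetical rules with made-up names.
SAMPLE_DEBUG = """\
Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: "http://get.adobe.com"
Apr 27 10:45:39.331 [32173] dbg: rules: ran body rule HYPOTHETICAL_INVOICE_WORDS ==> got hit: "invoice"
Apr 27 10:45:39.332 [32173] dbg: rules: ran header rule HYPOTHETICAL_NO_AUTH ==> got hit: "none"
"""

# URI_TRY_3LD's 0.8 is the maximum score mentioned in the thread; the other two
# scores are invented for the demonstration.
SCORES = {"URI_TRY_3LD": 0.8, "HYPOTHETICAL_INVOICE_WORDS": 2.5, "HYPOTHETICAL_NO_AUTH": 1.9}
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def hit_rules(debug_text):
    """Return the names of the rules that fired, in log order."""
    return [m.group("rule") for m in HIT_RE.finditer(debug_text)]


def total_score(rules, scores=SCORES, override=None):
    """Sum the scores of the hit rules. `override` maps rule -> local score,
    e.g. {"URI_TRY_3LD": 0.001} for a 'score URI_TRY_3LD 0.001 ...' line."""
    override = override or {}
    return round(sum(override.get(r, scores.get(r, 0.0)) for r in rules), 3)


def attribute(debug_text, rule, required=REQUIRED_SCORE):
    """Show what one rule contributes to the verdict and whether a local
    0.001 override of that rule would flip the spam/ham decision."""
    rules = hit_rules(debug_text)
    with_rule = total_score(rules)
    overridden = total_score(rules, override={rule: 0.001})
    return {
        "rule_hit": rule in rules,
        "score": with_rule,
        "score_if_overridden": overridden,
        "spam_with_rule": with_rule >= required,
        "spam_if_overridden": overridden >= required,
        "rule_decisive": (with_rule >= required) != (overridden >= required),
    }


if __name__ == "__main__":
    for key, value in attribute(SAMPLE_DEBUG, "URI_TRY_3LD").items():
        print(f"{key}: {value}")
```

With the constructed scores the mail sits at 5.2, so the 0.8 from URI_TRY_3LD is exactly what pushes it over 5.0; the same message with the override lands at 4.401, which is the "look at the entire FP, not one rule" point made in the thread.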


Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-29 Thread Sebastian Arcus


On 27/04/18 16:22, John Hardin wrote:

On Fri, 27 Apr 2018, Sebastian Arcus wrote:



On 27/04/18 10:49, Sebastian Arcus wrote:
I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com 
in the body of emails:


Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD 
==> got hit: "http://get.adobe.com"


Would it be possible to add some exception to this rule - as many 
legitimate emails containing invoice attachments in PDF include the 
above URL in the body.


It also appears to not like some DHL URLs for some reason:

Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD 
==> got hit: "https://mybill.dhl.com"


my{mumble}.mumble.com is targeted. I'll think about that one; the rule 
isn't scored highly and I could see that helping out to detect DHL 
phishing.


If it is detecting DHL phishing, that is good - but if it is triggering on 
both legitimate DHL emails and phishing emails, I'm not sure it is that 
useful?


Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-29 Thread Sebastian Arcus


On 27/04/18 16:19, John Hardin wrote:

On Fri, 27 Apr 2018, Sebastian Arcus wrote:

I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com 
in the body of emails:


Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD 
==> got hit: "http://get.adobe.com"


Would it be possible to add some exception to this rule - as many 
legitimate emails containing invoice attachments in PDF include the 
above URL in the body.


Fixed.


Thank you


Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread John Hardin

On Fri, 27 Apr 2018, Sebastian Arcus wrote:



On 27/04/18 10:49, Sebastian Arcus wrote:
I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com in 
the body of emails:


Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "http://get.adobe.com"


Would it be possible to add some exception to this rule - as many 
legitimate emails containing invoice attachments in PDF include the above 
URL in the body.


It also appears to not like some DHL URLs for some reason:

Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==> got 
hit: "https://mybill.dhl.com"


my{mumble}.mumble.com is targeted. I'll think about that one; the rule 
isn't scored highly and I could see that helping out to detect DHL 
phishing.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  the Internal Revenue Service has an "impressive history ... of
  storing [data] carelessly, leaking data through every possible
  conduit, and hiring employees who appear to only marginally prefer
  a career in tax collection over knocking over liquor stores."
-- Reason's J.D. Tuccille
---
 4 days until May Day - Remember 110 million people murdered by Communism


Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread Kevin A. McGrail
If this is causing the entire mail to be flagged as SPAM, we need to see
the entire FP not just a hit on one rule.  That rule has a max 0.8 score.

It does appear to be hitting on more than intended, though.

Anyone know what it is supposed to hit because I think it might be hitting
on a lot more than intended?

Regards,
KAM


--
Kevin A. McGrail
Asst. Treasurer & VP Fundraising, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

On Fri, Apr 27, 2018 at 6:03 AM, Sebastian Arcus 
wrote:

>
> On 27/04/18 10:49, Sebastian Arcus wrote:
>
>> I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com in
>> the body of emails:
>>
>> Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==>
>> got hit: "http://get.adobe.com"
>>
>> Would it be possible to add some exception to this rule - as many
>> legitimate emails containing invoice attachments in PDF include the above
>> URL in the body.
>>
>
> It also appears to not like some DHL URLs for some reason:
>
> Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==>
> got hit: "https://mybill.dhl.com"
>


Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread John Hardin

On Fri, 27 Apr 2018, Sebastian Arcus wrote:

I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com in the 
body of emails:


Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==> got 
hit: "http://get.adobe.com"


Would it be possible to add some exception to this rule - as many legitimate 
emails containing invoice attachments in PDF include the above URL in the 
body.


Fixed.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  the Internal Revenue Service has an "impressive history ... of
  storing [data] carelessly, leaking data through every possible
  conduit, and hiring employees who appear to only marginally prefer
  a career in tax collection over knocking over liquor stores."
-- Reason's J.D. Tuccille
---
 4 days until May Day - Remember 110 million people murdered by Communism


Re: FP with URI_TRY_3LD on get.adobe.com

2018-04-27 Thread Sebastian Arcus


On 27/04/18 10:49, Sebastian Arcus wrote:
I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com in 
the body of emails:


Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "http://get.adobe.com"


Would it be possible to add some exception to this rule - as many 
legitimate emails containing invoice attachments in PDF include the 
above URL in the body.


It also appears to not like some DHL URLs for some reason:

Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "https://mybill.dhl.com"