Re: TVD_PH_SEC score problem

2017-04-25 Thread RW
On Tue, 25 Apr 2017 08:40:27 -0400
Alex wrote:


> Even 2.8 points for merely the word "xanax" alone, without any other
> basis for consideration, sounds too high.

Actually it's looking for something that looks like xanax, but isn't
xanax.

Unless I'm misunderstanding something, these FUZZY rules are all going
to need some work following this:

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7232

since they make heavy use of utf-8 byte sequences. 
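The homoglyph false positive discussed in this thread (the FUZZY_XPILL hit on the Cyrillic fragment "х файлах") and the kind of exclusion John Hardin suggests, shown in an added Python example that is not part of the thread or of SpamAssassin: it uses a constructed, deliberately loose byte-level pattern for "xanax" (an illustration of the byte-oriented approach, not the real FUZZY_XPILL rule) and drops matches whose span is written entirely in Cyrillic, since an obfuscated Latin word mixes scripts while ordinary Russian text does not.

```python
import re

# Constructed, deliberately loose byte-level "fuzzy" pattern for "xanax":
# each letter slot accepts the Latin letter or the UTF-8 bytes of a Cyrillic
# look-alike, with a few arbitrary bytes allowed between slots. It is an
# illustration of the byte-oriented approach, not SpamAssassin's FUZZY_XPILL.
X_SLOT = rb"(?:x|\xd1\x85)"   # Latin x or Cyrillic small ha (U+0445)
A_SLOT = rb"(?:a|\xd0\xb0)"   # Latin a or Cyrillic small a (U+0430)
GAP = rb"[^\n]{0,4}?"         # up to four arbitrary bytes between slots
LOOSE_XANAX = re.compile(
    X_SLOT + GAP + A_SLOT + GAP + rb"n?" + GAP + A_SLOT + GAP + X_SLOT, re.I
)

LATIN = re.compile(r"[A-Za-z]")
CYRILLIC = re.compile(r"[\u0400-\u04ff]")


def fuzzy_hits(body: bytes, require_mixed_script: bool = True) -> list:
    """Return the decoded spans matched by the loose pattern.

    With require_mixed_script=True a span containing Cyrillic letters but no
    Latin letter is dropped: an obfuscated Latin word mixes scripts, whereas
    plain Cyrillic text is ordinary prose in that language.
    """
    hits = []
    for m in LOOSE_XANAX.finditer(body):
        span = m.group().decode("utf-8", errors="replace")
        only_cyrillic = CYRILLIC.search(span) is not None and LATIN.search(span) is None
        if require_mixed_script and only_cyrillic:
            continue  # ordinary Cyrillic text: suppress the false positive
        hits.append(span)
    return hits


# Constructed messages; "х файлах" is the text the thread reports as the hit.
SAMPLES = {
    "plain": b"Buy xanax cheap today",
    "obfuscated": "Buy x\u0430n\u0430x cheap".encode("utf-8"),  # Latin x/n, Cyrillic a
    "russian": "\u0445 \u0444\u0430\u0439\u043b\u0430\u0445".encode("utf-8"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "loose:", fuzzy_hits(body, False), "with exclusion:", fuzzy_hits(body))
```

Run stand-alone, the loose pattern fires on all three samples, and the exclusion keeps only the plain and mixed-script hits.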


Re: TVD_PH_SEC score problem

2017-04-25 Thread Alex
Hi,

On Mon, Apr 24, 2017 at 11:43 PM, Bill Cole wrote:
> On 24 Apr 2017, at 21:35, Alex wrote:
>
>> Hi,
>>
>>>> Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
>>>> the phrase "your account security" does not seem reasonable.
>>>>
>>>> Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
>>>> ==> got hit: "your account security"
>>>
>>>
>>> What *else* hit? What was the final total score?
>>
>>
>> It also hit a secondary RBL for an IP that it shouldn't have, as well
>> as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
>> that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.
>
>
> Umm...
>
> # host 1.63.40.52.hostkarma.junkemailfilter.com
> 1.63.40.52.hostkarma.junkemailfilter.com has address 127.0.1.1
>
> # host mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com
> mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com has address
> 127.0.2.3
> mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com has address
> 127.0.1.1
>
> You probably should not be treating those "experimental" result codes as
> derogatory. 127.0.1.1 seems to be an assertion that the IP behaves in a
> formally correct manner and 127.0.2.3 seems to mean that it's been sending
> mail for over a week. These are both GOOD things.

Yes, I said it was for an IP that shouldn't have hit hostkarma_bl.
When this email was received on Apr 15th, it also hit hostkarma_bl.
It's apparently been corrected.

 *  1.0 RCVD_IN_HOSTKARMA_BL RBL: Sender listed in HOSTKARMA-BLACK
 *  [52.40.63.1 listed in hostkarma.junkemailfilter.com]


Re: TVD_PH_SEC score problem

2017-04-25 Thread Alex
Hi,

>> It also hit a secondary RBL for an IP that it shouldn't have, as well
>> as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
>> that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.
>>
>> I would have included that initially, but I figured any one phrase
>> shouldn't be enough to add more than 50% of the points with one
>> rule...
>
> 50% of 5 points (the default "spam" score) is 2.5 points. This rule meets
> your expectation.

Yeah, at the time I wrote that I was thinking it scored 2.8 points,
not 1.8, oops.

>> Apr 24 20:40:33.583 [7613] dbg: rules: ran body rule LOW_PRICE ==>
>> got hit: "Lowest Price"
>> This added 1.5 points to an email discussing reservation pricing,
>> making it spam.
>
> That along with everything else made it spam.
>
> I'm not trying to be difficult, but: what score *should* phishy/spammy
> phrases be limited to?

No, I'm sorry, these were all from separate emails. Sorry I wasn't
more clear with all of this; it was the end of a long day.

I don't think phishy/spammy phrases that are also extremely generic,
common phrases found in everyday language should alone have a very
high score at all.

Even 2.8 points for merely the word "xanax" alone, without any other
basis for consideration, sounds too high.


Re: TVD_PH_SEC score problem

2017-04-24 Thread nobs
It happened again. This is a kind of a recursion bomb ;-)

On 25.04.2017 at 03:35, Alex wrote:
> Pkte Regelname      Beschreibung
> ---- -------------- ------------------------------------------------------
>  0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was blocked.
>                     See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
>                     for more information.
>                     [URIs: msyscloud.com]
>  1.8 TVD_PH_SEC     BODY: Message includes a phrase commonly used in phishing mails
>  1.5 LOW_PRICE      BODY: Niedrigste Preise
>  0.0 FREEMAIL_FROM  Sender email is commonly abused enduser mail provider
>                     (mysqlstudent[at]gmail.com)
>  2.8 FUZZY_XPILL    BODY: Attempt to obfuscate words in spam
> -1.9 BAYES_00       BODY: Spamwahrscheinlichkeit nach Bayes-Test: 0-1%
>                     [score: 0.]
>  1.5 DRUGS_ANXIETY  Erwähnt Medikament gegen Angstneurosen
>  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
>



Re: TVD_PH_SEC score problem

2017-04-24 Thread Bill Cole

On 24 Apr 2017, at 21:35, Alex wrote:

> Hi,
>
>>> Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
>>> the phrase "your account security" does not seem reasonable.
>>>
>>> Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
>>> ==> got hit: "your account security"
>>
>> What *else* hit? What was the final total score?
>
> It also hit a secondary RBL for an IP that it shouldn't have, as well
> as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
> that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.

Umm...

# host 1.63.40.52.hostkarma.junkemailfilter.com
1.63.40.52.hostkarma.junkemailfilter.com has address 127.0.1.1

# host mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com
mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com has address 127.0.2.3
mta1b3.c1-t.msyscloud.com.hostkarma.junkemailfilter.com has address 127.0.1.1

You probably should not be treating those "experimental" result codes as
derogatory. 127.0.1.1 seems to be an assertion that the IP behaves in a
formally correct manner and 127.0.2.3 seems to mean that it's been
sending mail for over a week. These are both GOOD things.




Re: TVD_PH_SEC score problem

2017-04-24 Thread John Hardin

On Mon, 24 Apr 2017, Alex wrote:

> Hi,
>
>>> Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
>>> the phrase "your account security" does not seem reasonable.
>>>
>>> Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
>>> ==> got hit: "your account security"
>>
>> What *else* hit? What was the final total score?
>
> It also hit a secondary RBL for an IP that it shouldn't have, as well
> as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
> that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.
>
> I would have included that initially, but I figured any one phrase
> shouldn't be enough to add more than 50% of the points with one
> rule...

50% of 5 points (the default "spam" score) is 2.5 points. This rule meets
your expectation.

> In the last hour while going through other quarantined emails, I've
> discovered a few others:
>
> *  1.5 SUBJ_ALL_CAPS Subject is all capitals
> This one was from an email with an account number in the subject.
>
> Apr 24 20:40:33.583 [7613] dbg: rules: ran body rule LOW_PRICE ==>
> got hit: "Lowest Price"
> This added 1.5 points to an email discussing reservation pricing,
> making it spam.

That along with everything else made it spam.

I'm not trying to be difficult, but: what score *should* phishy/spammy
phrases be limited to?

> Apr 24 21:06:31.842 [17649] dbg: rules: ran body rule FUZZY_XPILL
> ==> got hit: "х файлах"
> This added 2.8 points to a legitimate email in Russian. Apparently
> that resembles "xanax"

That probably justifies an exclusion in that rule.


--
 John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
 jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 An operating system design that requires a system reboot in order to
 install a document viewing utility does not earn my respect.
---
 25 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: TVD_PH_SEC score problem

2017-04-24 Thread Alex
Hi,

>> Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
>> the phrase "your account security" does not seem reasonable.
>>
>> Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
>> ==> got hit: "your account security"
>
> What *else* hit? What was the final total score?

It also hit a secondary RBL for an IP that it shouldn't have, as well
as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.

I would have included that initially, but I figured any one phrase
shouldn't be enough to add more than 50% of the points with one
rule...

In the last hour while going through other quarantined emails, I've
discovered a few others:

 *  1.5 SUBJ_ALL_CAPS Subject is all capitals
This one was from an email with an account number in the subject.

Apr 24 20:40:33.583 [7613] dbg: rules: ran body rule LOW_PRICE ==>
got hit: "Lowest Price"
This added 1.5 points to an email discussing reservation pricing,
making it spam.

Apr 24 21:06:31.842 [17649] dbg: rules: ran body rule FUZZY_XPILL
==> got hit: "х файлах"
This added 2.8 points to a legitimate email in Russian. Apparently
that resembles "xanax"


Re: TVD_PH_SEC score problem

2017-04-24 Thread John Hardin

On Mon, 24 Apr 2017, Alex wrote:

> Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
> the phrase "your account security" does not seem reasonable.
>
> Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
> ==> got hit: "your account security"

What *else* hit? What was the final total score?


--
 John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
 jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is criminal to teach a man not to defend himself when he is the
  constant victim of brutal attacks.  -- Malcolm X (1964)
---
 25 days since the first commercial re-flight of an orbital booster (SpaceX)


TVD_PH_SEC score problem

2017-04-24 Thread Alex
Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
the phrase "your account security" does not seem reasonable.

Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
==> got hit: "your account security"

Thanks,
Alex