URI_DOTDOT_LOW_CNTRST false positives?
I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.

For instance:
http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml

When the above was processed I noticed this in the log:

spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label

As far as I can tell, the email above contains no such uri.

I grep'ed a bit and found some more:

http://files.jessen.ch/more-dotdot.txt

I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?

--
Per Jessen, Zürich (6.3°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Re: URI_DOTDOT_LOW_CNTRST false positives?
On 03/16/2015 10:54 AM, Per Jessen wrote:
> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.
>
> For instance:
> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>
> When the above was processed I noticed this in the log:
>
> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
>
> As far as I can tell, the email above contains no such uri.
>
> I grep'ed a bit and found some more:
>
> http://files.jessen.ch/more-dotdot.txt
>
> I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?

Which .cf file is this in?
Can't find it in SA trunk's .cf files.
Re: URI_DOTDOT_LOW_CNTRST false positives?
On 03/16/2015 11:05 AM, Axb wrote:
> On 03/16/2015 10:54 AM, Per Jessen wrote:
>> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.
>>
>> For instance:
>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>
>> When the above was processed I noticed this in the log:
>>
>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
>>
>> As far as I can tell, the email above contains no such uri.
>>
>> I grep'ed a bit and found some more:
>>
>> http://files.jessen.ch/more-dotdot.txt
>>
>> I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?
>
> Which .cf file is this in?
> Can't find it in SA trunk's .cf files.

ok.. sorry - found it but atm it seems it isn't being autopromoted

have you run a recent sa-update ?

John Hardin, your sandbox limit score of 2.5 seems sorta high..
Re: URI_DOTDOT_LOW_CNTRST false positives?
Axb wrote:

> On 03/16/2015 11:05 AM, Axb wrote:
>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.
>>>
>>> For instance:
>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>
>>> When the above was processed I noticed this in the log:
>>>
>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
>>>
>>> As far as I can tell, the email above contains no such uri.
>>>
>>> I grep'ed a bit and found some more:
>>>
>>> http://files.jessen.ch/more-dotdot.txt
>>>
>>> I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?
>>
>> Which .cf file is this in?
>> Can't find it in SA trunk's .cf files.
>
> ok.. sorry - found it but atm it seems it isn't being autopromoted
>
> have you run a recent sa-update ?

I think the ruleset is from the tarball from the apache page. Hmm, it would appear to be quite old ??

http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz

Dated 20Feb2014.

Is there a recent tarball somewhere?

--
Per Jessen, Zürich (8.2°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Re: URI_DOTDOT_LOW_CNTRST false positives?
On 03/16/2015 11:28 AM, Per Jessen wrote:
> Axb wrote:
>
>> On 03/16/2015 11:05 AM, Axb wrote:
>>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>>> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.
>>>>
>>>> For instance:
>>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>>
>>>> When the above was processed I noticed this in the log:
>>>>
>>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
>>>>
>>>> As far as I can tell, the email above contains no such uri.
>>>>
>>>> I grep'ed a bit and found some more:
>>>>
>>>> http://files.jessen.ch/more-dotdot.txt
>>>>
>>>> I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?
>>>
>>> Which .cf file is this in?
>>> Can't find it in SA trunk's .cf files.
>>
>> ok.. sorry - found it but atm it seems it isn't being autopromoted
>>
>> have you run a recent sa-update ?
>
> I think the ruleset is from the tarball from the apache page. Hmm, it would appear to be quite old ??
>
> http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz
>
> Dated 20Feb2014.
>
> Is there a recent tarball somewhere?

iirc, that is the 3.4 release rules version

sa-update would provide the latest ruleset
Re: URI_DOTDOT_LOW_CNTRST false positives?
Axb wrote:

> On 03/16/2015 11:28 AM, Per Jessen wrote:
>> Axb wrote:
>>
>>> On 03/16/2015 11:05 AM, Axb wrote:
>>>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>>>> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.
>>>>>
>>>>> For instance:
>>>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>>>
>>>>> When the above was processed I noticed this in the log:
>>>>>
>>>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
>>>>>
>>>>> As far as I can tell, the email above contains no such uri.
>>>>>
>>>>> I grep'ed a bit and found some more:
>>>>>
>>>>> http://files.jessen.ch/more-dotdot.txt
>>>>>
>>>>> I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?
>>>>
>>>> Which .cf file is this in?
>>>> Can't find it in SA trunk's .cf files.
>>>
>>> ok.. sorry - found it but atm it seems it isn't being autopromoted
>>>
>>> have you run a recent sa-update ?
>>
>> I think the ruleset is from the tarball from the apache page. Hmm, it would appear to be quite old ??
>>
>> http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz
>>
>> Dated 20Feb2014.
>>
>> Is there a recent tarball somewhere?
>
> iirc, that is the 3.4 release rules version
>
> sa-update would provide the latest ruleset

Yup, got it. Might not be a bad idea if the apache downloads page had a link to the most recent rule-set too. (or even instead of the original).

Anyway, problem solved, thanks.

--
Per Jessen, Zürich (8.4°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
Re: URI_DOTDOT_LOW_CNTRST false positives?
On March 16, 2015 10:55:22 AM Per Jessen wrote:
> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label

uri with ..
Re: URI_DOTDOT_LOW_CNTRST false positives?
On 03/16/2015 10:54 AM, Per Jessen wrote:
> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.
>
> For instance:
> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>
> When the above was processed I noticed this in the log:
>
> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
>
> As far as I can tell, the email above contains no such uri.
>
> I grep'ed a bit and found some more:
>
> http://files.jessen.ch/more-dotdot.txt
>
> I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?

your more-dotdot.txt log shows what could be a bug somewhere.

Pls open a bug & attach that log and the distrelec news eml with all relevant detail

if you have more verified sample msgs which don't include a .. in the URL yet log .., pls attach a few for dev team to work with.

Thanks

Axb
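The request above is for "verified" samples: messages whose URLs do not actually contain `..` even though the log reports a null label. The script below is an added example for doing that verification offline; it is not part of SpamAssassin or of anything posted in this thread. It decodes every text part of an .eml (quoted-printable and base64 included), pulls out the http/https URIs, and lists any hostname with an empty label, which is what the resolver's "a domain name contains a null label" error refers to. Only the Python standard library is used and no DNS queries are made. The embedded message is constructed for the demonstration; apart from the hostname string taken from the log line in this thread, its addresses and domains are placeholders.

```python
"""List URIs in an .eml whose hostname contains an empty label ("..").

Added example for this mailing-list thread, not SpamAssassin code.
"""
import email
import re
import sys
from email import policy
from urllib.parse import urlsplit

# http/https URIs as they appear in decoded body text or in HTML attribute
# values; the class excludes whitespace, angle brackets, quotes and closers.
URI_RE = re.compile(r'https?://[^\s<>"\')\]]+', re.IGNORECASE)

# Constructed sample (placeholder addresses): one ordinary link and one
# tracking link whose host, taken from the log line in this thread, has an
# empty label. The HTML part is quoted-printable to show that decoding happens
# before URIs are extracted.
SAMPLE_EML = b"""\
From: newsletter@example.invalid
To: user@example.invalid
Subject: constructed sample, not a real message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Offer: http://www.example.invalid/offer?id=1
Tracking: http://chde..distrelec.com/t/1

--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><a href=3D"http://www.example.invalid/offer?id=3D1">Offer</a>
<img src=3D"http://chde..distrelec.com/t/1"></body></html>
--b1--
"""


def iter_text_parts(msg):
    """Yield the decoded text of every text/* part (plain and HTML)."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            yield part.get_content()
        except (LookupError, UnicodeDecodeError):
            # Unknown or mislabelled charset: fall back to a lossy decode
            # rather than skipping the part.
            raw = part.get_payload(decode=True) or b""
            yield raw.decode("latin-1", "replace")


def extract_uris(raw_message):
    """Return every http/https URI found in the message's text parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    uris = []
    for text in iter_text_parts(msg):
        uris.extend(URI_RE.findall(text))
    return uris


def has_null_label(uri):
    """True if the URI's hostname has an empty label, e.g. "a..b.example"."""
    host = (urlsplit(uri).hostname or "").rstrip(".")  # ignore a trailing dot
    return bool(host) and "" in host.split(".")


def find_null_label_hosts(uris):
    """Sorted, de-duplicated hostnames with an empty label."""
    return sorted({urlsplit(u).hostname for u in uris if has_null_label(u)})


def report(raw_message):
    uris = extract_uris(raw_message)
    return {"uri_count": len(uris), "null_label_hosts": find_null_label_hosts(uris)}


if __name__ == "__main__":
    # Usage: python check_dotdot.py message.eml   (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    result = report(data)
    print(f"{result['uri_count']} URIs found")
    for host in result["null_label_hosts"]:
        print("null label in host:", host)
    if not result["null_label_hosts"]:
        print("no URI with an empty hostname label in this message")
```

Run it over the .eml that produced the log line: an empty result means the message is a candidate "verified sample" for the bug report, while a listed host shows where the `..` came from (often a tracking link hidden in the HTML part that is not visible in the text part).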
Re: URI_DOTDOT_LOW_CNTRST false positives?
On 03/16/2015 11:43 AM, Per Jessen wrote:
> Axb wrote:
>
>> On 03/16/2015 11:28 AM, Per Jessen wrote:
>>> Axb wrote:
>>>
>>>> On 03/16/2015 11:05 AM, Axb wrote:
>>>>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>>>>> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from linkedin and distrelec.
>>>>>>
>>>>>> For instance:
>>>>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>>>>
>>>>>> When the above was processed I noticed this in the log:
>>>>>>
>>>>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
>>>>>>
>>>>>> As far as I can tell, the email above contains no such uri.
>>>>>>
>>>>>> I grep'ed a bit and found some more:
>>>>>>
>>>>>> http://files.jessen.ch/more-dotdot.txt
>>>>>>
>>>>>> I'm pretty certain 99% of those are false positives. Probably a hiccup on my installation, I was just wondering if anyone else is seeing this?
>>>>>
>>>>> Which .cf file is this in?
>>>>> Can't find it in SA trunk's .cf files.
>>>>
>>>> ok.. sorry - found it but atm it seems it isn't being autopromoted
>>>>
>>>> have you run a recent sa-update ?
>>>
>>> I think the ruleset is from the tarball from the apache page. Hmm, it would appear to be quite old ??
>>>
>>> http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz
>>>
>>> Dated 20Feb2014.
>>>
>>> Is there a recent tarball somewhere?
>>
>> iirc, that is the 3.4 release rules version
>>
>> sa-update would provide the latest ruleset
>
> Yup, got it. Might not be a bad idea if the apache downloads page had a link to the most recent rule-set too. (or even instead of the original).

for review before applying I often use

sa-update -D --updatedir /tmp/sa-work

This gets the latest tarball and unpacks the rules

Should be trivial to hack sa-update so it just gets the latest archive.

Putting on the downloads page means it has to be watched that all mirrors are in sync... the update mirrors are easier to control.

> Anyway, problem solved, thanks.

My pleasure...

Axb