Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, Sebastian Arcus wrote:



On 13/04/18 11:36, Giovanni Bechis wrote:

On 04/13/18 09:06, Sebastian Arcus wrote:
Hello all. I am getting some fp's with emails from QuickBooks / Intuit 
with the above rule:


Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "https://myturbotax.intuit.com";


On a slightly different note, and mainly for my curiosity to understand SA 
rules syntax, in 72_active.cf, the score seems to be commented out:


#score   URI_TRY_3LD   2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't customized 
the score anywhere else). Is this a special form of SA syntax?


the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with 
tflags publish.


Is that a location on the SA server - or am I supposed to have those dirs 
locally here? I can't seem to find them anywhere locally.


That's in SVN (the SA source code).


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Individual liberties are always "loopholes" to absolute authority.
---
 Today: Thomas Jefferson's 275th Birthday

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Sebastian Arcus


On 13/04/18 16:39, John Hardin wrote:

On Fri, 13 Apr 2018, John Hardin wrote:


On Fri, 13 Apr 2018, John Hardin wrote:


On Fri, 13 Apr 2018, Giovanni Bechis wrote:


On 04/13/18 09:06, Sebastian Arcus wrote:


But when it hits, it still adds 2.0 to the score (and I haven't 
customized the score anywhere else). Is this a special form of SA 
syntax?


The score in the current update is 0.001 across the board. Are you 
up-to-date and are you *sure* you don't have any overrides anywhere?


   72_scores.cf:score URI_TRY_3LD    0.001 0.001 0.001 0.001


OK - after more digging it surfaced that the original report with 2.0 
score is from a different server than the one I am testing on. That 
server has 2.0 scores in 4.00/updates_spamassassin_org/72_active.cf


When trying to run sa-update on that server, I am getting errors, so it 
must be that SA stopped updating a while ago there. I will dig in and 
find out why. Thank you for flagging the fact that the default score on 
the current configs is not supposed to be 2.0!
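
Added example, not part of any message in this thread: a shell helper for the override question discussed above. It lists every `score` line for a rule across the given SpamAssassin config directories, marks commented-out ones, and reports the last active value. The directory layout, the `local.cf` override and the function names are constructed for illustration, and "the last active line in scan order wins" is a simplifying assumption, so pass the directories in the order your installation reads them.

```shell
#!/bin/sh
# find_scores RULE DIR...
# One tab-separated line per match: <ACTIVE|COMMENTED> <first score> <file: line>.
# Directories are scanned in the order given, *.cf files in sorted order.
find_scores() {
    rule=$1; shift
    for dir in "$@"; do
        find "$dir" -type f -name '*.cf' | LC_ALL=C sort |
        while IFS= read -r file; do
            awk -v rule="$rule" -v file="$file" '{
                line = $0
                sub(/^[ \t]+/, "", line)          # ignore indentation
                state = "ACTIVE"
                if (line ~ /^#/) {                # commented-out directive
                    state = "COMMENTED"
                    sub(/^#[ \t]*/, "", line)
                }
                n = split(line, w, /[ \t]+/)
                if (n >= 3 && w[1] == "score" && w[2] == rule)
                    print state "\t" w[3] "\t" file ": " $0
            }' "$file"
        done
    done
}

# effective_score RULE DIR...
# Assumption: the last ACTIVE line in scan order is the one that applies.
effective_score() {
    find_scores "$@" |
        awk -F'\t' '$1 == "ACTIVE" { v = $2 } END { if (v != "") print v }'
}

# Constructed sample tree. The two "updates" lines are quoted in the thread;
# the site/local.cf override is invented to show what a stray override looks like.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/updates" "$root/site"
    printf '%s\n' '#score   URI_TRY_3LD   2.000   # limit' > "$root/updates/72_active.cf"
    printf '%s\n' 'score URI_TRY_3LD    0.001 0.001 0.001 0.001' > "$root/updates/72_scores.cf"
    printf '%s\n' 'score URI_TRY_3LD 2.0' > "$root/site/local.cf"
    echo "$root"
}

sample=$(make_sample)
find_scores URI_TRY_3LD "$sample/updates" "$sample/site"
echo "effective: $(effective_score URI_TRY_3LD "$sample/updates" "$sample/site")"
rm -rf "$sample"
```
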


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Sebastian Arcus


On 13/04/18 11:36, Giovanni Bechis wrote:

On 04/13/18 09:06, Sebastian Arcus wrote:

Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the 
above rule:

Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: 
"https://myturbotax.intuit.com";

On a slightly different note, and mainly for my curiosity to understand SA 
rules syntax, in 72_active.cf, the score seems to be commented out:

#score   URI_TRY_3LD   2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't customized the 
score anywhere else). Is this a special form of SA syntax?


the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags 
publish.


Is that a location on the SA server - or am I supposed to have those dirs 
locally here? I can't seem to find them anywhere locally.


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Bill Cole

On 13 Apr 2018, at 6:36 (-0400), Giovanni Bechis wrote:


On 04/13/18 09:06, Sebastian Arcus wrote:
Hello all. I am getting some fp's with emails from QuickBooks / 
Intuit with the above rule:


Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD 
==> got hit: "https://myturbotax.intuit.com";


On a slightly different note, and mainly for my curiosity to 
understand SA rules syntax, in 72_active.cf, the score seems to be 
commented out:


#score   URI_TRY_3LD   2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't 
customized the score anywhere else).


That's exceedingly unusual and difficult to explain...


Is this a special form of SA syntax?


No, it is an artifact of how sandbox rules are included in the published 
rules.


the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf 
with tflags publish.

 Giovanni


Yes, but it is published in 72_scores.cf with a trivial score:

score URI_TRY_3LD   0.001 0.001 0.001 0.001



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, John Hardin wrote:


On Fri, 13 Apr 2018, John Hardin wrote:


On Fri, 13 Apr 2018, Giovanni Bechis wrote:


On 04/13/18 09:06, Sebastian Arcus wrote:


But when it hits, it still adds 2.0 to the score (and I haven't 
customized the score anywhere else). Is this a special form of SA syntax?


The score in the current update is 0.001 across the board. Are you 
up-to-date and are you *sure* you don't have any overrides anywhere?


  72_scores.cf:score URI_TRY_3LD    0.001 0.001 0.001 0.001

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How do you argue with people to whom math is an opinion? -- Unknown
---
 Today: Thomas Jefferson's 275th Birthday


Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, John Hardin wrote:


On Fri, 13 Apr 2018, Giovanni Bechis wrote:


On 04/13/18 09:06, Sebastian Arcus wrote:
Hello all. I am getting some fp's with emails from QuickBooks / Intuit 
with the above rule:


Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "https://myturbotax.intuit.com";


On a slightly different note, and mainly for my curiosity to understand SA 
rules syntax, in 72_active.cf, the score seems to be commented out:


#score   URI_TRY_3LD   2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't customized 
the score anywhere else). Is this a special form of SA syntax?


the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with 
tflags publish.

Giovanni


When a "score" line is present in a sandbox, that means the masscheck score 
assignment process will limit the score it calculates to that.


If it's commented out or not present, then the masscheck process can assign 
however high a score it likes based on the rule's performance against the 
masscheck corpora.


I'll take a look at that rule, I don't remember offhand what I intended it 
for.


It's fairly broad, intended to hit things like "tryviagra.mumble.com". 
It's hitting on the "my" prefix on the hostname. I'll add an exclusion.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How do you argue with people to whom math is an opinion? -- Unknown
---
 Today: Thomas Jefferson's 275th Birthday

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread John Hardin

On Fri, 13 Apr 2018, Giovanni Bechis wrote:


On 04/13/18 09:06, Sebastian Arcus wrote:

Hello all. I am getting some fp's with emails from QuickBooks / Intuit with the 
above rule:

Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got hit: 
"https://myturbotax.intuit.com";

On a slightly different note, and mainly for my curiosity to understand SA 
rules syntax, in 72_active.cf, the score seems to be commented out:

#score   URI_TRY_3LD   2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't customized the 
score anywhere else). Is this a special form of SA syntax?


the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags 
publish.
Giovanni


When a "score" line is present in a sandbox, that means the masscheck 
score assignment process will limit the score it calculates to that.


If it's commented out or not present, then the masscheck process can 
assign however high a score it likes based on the rule's performance 
against the masscheck corpora.


I'll take a look at that rule, I don't remember offhand what I intended it 
for.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  How do you argue with people to whom math is an opinion? -- Unknown
---
 Today: Thomas Jefferson's 275th Birthday

Re: URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Giovanni Bechis
On 04/13/18 09:06, Sebastian Arcus wrote:
> Hello all. I am getting some fp's with emails from QuickBooks / Intuit with 
> the above rule:
> 
> Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> got 
> hit: "https://myturbotax.intuit.com";
> 
> On a slightly different note, and mainly for my curiosity to understand SA 
> rules syntax, in 72_active.cf, the score seems to be commented out:
> 
> #score   URI_TRY_3LD   2.000   # limit
> 
> But when it hits, it still adds 2.0 to the score (and I haven't customized 
> the score anywhere else). Is this a special form of SA syntax?
> 
the score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags 
publish.
 Giovanni



URI_TRY_3LD fp's with QuickBooks Intuit emails

2018-04-13 Thread Sebastian Arcus
Hello all. I am getting some fp's with emails from QuickBooks / Intuit 
with the above rule:


Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ==> 
got hit: "https://myturbotax.intuit.com";


On a slightly different note, and mainly for my curiosity to understand 
SA rules syntax, in 72_active.cf, the score seems to be commented out:


#score   URI_TRY_3LD   2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't 
customized the score anywhere else). Is this a special form of SA syntax?


Thank you for any answers