Re: new rule for kam :)

2023-08-24 Thread John Hardin

On Thu, 24 Aug 2023, Matus UHLAR - fantomas wrote:

> On 23.08.23 15:24, Benny Pedersen wrote:
> > # test for empty src="" or empty href=""
> > rawbody __HREF_EMPTY /href=\"\"/
> > rawbody __SRC_EMPTY /src=\"\"/
> >
> > meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
> > describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
> > score LOCAL_BADLY_HTML 3 3 3 3
> >
> > too much spam in hotmail
>
> not so good numbers here. Only spam that wasn't rejected here:
>
> % grep -c '^From ' spam
> 9332
> % grep -Fc 'src=""'  spam
> 3
> % grep -Fc 'href=""' spam
> 18


Not so great in masschecks, either:

 SPAM%    HAM%     S/O    RANK  SCORE  NAME
0.1225  0.2296   0.348    0.42  (n/a)  __SRC_EMPTY
0.5682  1.8685   0.233    0.41  (n/a)  __HREF_EMPTY

https://ruleqa.spamassassin.org/20230824-r1911889-n/__SRC_EMPTY/detail

https://ruleqa.spamassassin.org/20230824-r1911889-n/__HREF_EMPTY/detail

They might be useful in metas with other conditions, but not in isolation.


overlap spam:  81% of __HREF_EMPTY hits also hit T_FSL_RCVD_TR_1; 1% of 
T_FSL_RCVD_TR_1 hits also hit __HREF_EMPTY (ham 1%)


overlap spam:  42% of __HREF_EMPTY hits also hit __HAS_X_AUTHED_SENDER; 
19% of __HAS_X_AUTHED_SENDER hits also hit __HREF_EMPTY (ham 1%)


I'll add a few of those to see how they do.


F'ing legit emailers that generate crap HTML {fume}



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Once more, please; I missed it the last time: what's the difference
  between "Quantitative Easing" and "Counterfeiting"?
---
 4 days until Exercise Your Rights day
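
An added example, not part of the thread or of SpamAssassin's own tooling: the two subrules applied per message to transfer-decoded bodies, which is the view a rawbody rule gets, next to what a fixed-string grep over the raw messages sees, with S/O computed as SPAM% / (SPAM% + HAM%), which reproduces the S/O values in the masscheck table above. The sample messages, addresses and helper names (rawbody, hit_rate, s_o, raw_count, mk) are constructed for illustration.

```python
import re
from email import message_from_string, policy

# The two subrules from the thread, as Python regexes.
RULES = {"__HREF_EMPTY": re.compile(r'href=""'),
         "__SRC_EMPTY": re.compile(r'src=""')}

def rawbody(raw):
    """Approximate SpamAssassin's rawbody view: text parts with the
    transfer encoding (base64 / quoted-printable) decoded, HTML tags kept."""
    msg = message_from_string(raw, policy=policy.default)
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")

def hit_rate(name, corpus):
    """Percentage of messages (not lines) in corpus that the rule hits."""
    n = sum(bool(RULES[name].search(rawbody(m))) for m in corpus)
    return 100.0 * n / len(corpus)

def s_o(spam_pct, ham_pct):
    """S/O as in the masscheck table: SPAM% / (SPAM% + HAM%)."""
    total = spam_pct + ham_pct
    return round(spam_pct / total, 3) if total else None

def raw_count(needle, corpus):
    """What a fixed-string grep over the undecoded messages would see."""
    return sum(needle in m for m in corpus)

def mk(html, cte="7bit"):
    """Build a constructed single-part HTML message."""
    return ("From: sender@example.com\nSubject: test\nMIME-Version: 1.0\n"
            "Content-Type: text/html; charset=utf-8\n"
            f"Content-Transfer-Encoding: {cte}\n\n{html}\n")

# Constructed sample corpora, not real mail.
SPAM = [mk('<a href=3D"">click</a>', "quoted-printable"),
        mk('<a href="">win</a><img src="">'),
        mk("<p>plain pitch</p>"),
        mk('<a href="http://shop.example/">buy</a>')]
HAM = [mk('<img src=3D"">How did we do?', "quoted-printable"),
       mk("<p>meeting at 10</p>")]

if __name__ == "__main__":
    for name in RULES:
        s, h = hit_rate(name, SPAM), hit_rate(name, HAM)
        print(f"{s:8.4f} {h:8.4f} {s_o(s, h)}  {name}")
    print("raw grep href:", raw_count('href=""', SPAM), "of", len(SPAM))
```

In the constructed corpus the quoted-printable message carries `href=3D""` on the wire, so the raw count is lower than the decoded per-message hit count.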


Re: new rule for kam :)

2023-08-24 Thread Andy Smith
Hi,

On Wed, Aug 23, 2023 at 06:14:45PM -0700, John Hardin wrote:
> On Wed, 23 Aug 2023, Andy Smith wrote:
> > On Wed, Aug 23, 2023 at 03:24:22PM +0200, Benny Pedersen wrote:
> > > # test for empty src="" or empty href=""
> > > rawbody __HREF_EMPTY /href=\"\"/
> > > rawbody __SRC_EMPTY /src=\"\"/
> > 
> > I checked this against about 80k of my recent personal emails and it
> > matched quite a lot of previously not found spam, but did also match
> > on every auto response from one of my suppliers. It seems after
> > every customer service interaction they send a "how did we do? fill
> > in this survey" email from qualtrics.com which contains:
> > 
> >
> > 
> > It wouldn't be much of a loss, but it's not spam either.
> 
> How did they perform individually?

The only non-spam that matched for me was the above, with src="".
Everything with href="" was spam.

There was some overlap — some spam had both — but some spam had only
href="" and some spam had only src="".

I'm sure KAM has a much bigger corpus to do automated tests on…

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: new rule for kam :)

2023-08-24 Thread Matus UHLAR - fantomas

On 23.08.23 15:24, Benny Pedersen wrote:
> # test for empty src="" or empty href=""
> rawbody __HREF_EMPTY /href=\"\"/
> rawbody __SRC_EMPTY /src=\"\"/
>
> meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
> describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
> score LOCAL_BADLY_HTML 3 3 3 3
>
> too much spam in hotmail


not so good numbers here. Only spam that wasn't rejected here:

% grep -c '^From ' spam
9332
% grep -Fc 'src=""'  spam
3
% grep -Fc 'href=""' spam
18


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: new rule for kam :)

2023-08-23 Thread John Hardin

On Wed, 23 Aug 2023, Benny Pedersen wrote:

> # test for empty src="" or empty href=""
> rawbody __HREF_EMPTY /href=\"\"/
> rawbody __SRC_EMPTY /src=\"\"/
>
> meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
> describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
> score LOCAL_BADLY_HTML 3 3 3 3
>
> too much spam in hotmail


I'll put the subrules in my sandbox so they can be evaluated by masscheck.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Maxim XI: Everything is air-droppable at least once.
---
 5 days until Exercise Your Rights day


Re: new rule for kam :)

2023-08-23 Thread John Hardin

On Wed, 23 Aug 2023, Andy Smith wrote:

> Hello,
>
> On Wed, Aug 23, 2023 at 03:24:22PM +0200, Benny Pedersen wrote:
> > # test for empty src="" or empty href=""
> > rawbody __HREF_EMPTY /href=\"\"/
> > rawbody __SRC_EMPTY /src=\"\"/
>
> I checked this against about 80k of my recent personal emails and it
> matched quite a lot of previously not found spam, but did also match
> on every auto response from one of my suppliers. It seems after
> every customer service interaction they send a "how did we do? fill
> in this survey" email from qualtrics.com which contains:
>
>
>
> It wouldn't be much of a loss, but it's not spam either.

How did they perform individually?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #4: If your shooting stance is good,
  you're probably not moving fast enough nor using cover correctly.
---
 5 days until Exercise Your Rights day


Re: new rule for kam :)

2023-08-23 Thread Andy Smith
Hello,

On Wed, Aug 23, 2023 at 03:24:22PM +0200, Benny Pedersen wrote:
> # test for empty src="" or empty href=""
> rawbody __HREF_EMPTY /href=\"\"/
> rawbody __SRC_EMPTY /src=\"\"/

I checked this against about 80k of my recent personal emails and it
matched quite a lot of previously not found spam, but did also match
on every auto response from one of my suppliers. It seems after
every customer service interaction they send a "how did we do? fill
in this survey" email from qualtrics.com which contains:



It wouldn't be much of a loss, but it's not spam either.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: new rule for kam :)

2023-08-23 Thread Benny Pedersen

Denny Jones via users wrote on 2023-08-23 19:41:

> Just a question about the scoring...

+1

> What does the 4 "3's" mean at the end of the score?

if just one score is given, it defaults to all score sets, but if 4 3
is defined, it's basically the same on all score sets :)

i just lost what the score sets are

> I would have written it like this:
> score LOCAL_BADLY_HTML 3.0

spamassassin is open source, so perfectly no problem

all those that read help me improve it, i am unsure if i should anchor
it or not




Re: new rule for kam :)

2023-08-23 Thread Denny Jones via users
Just a question about the scoring...
What does the 4 "3's" mean at the end of the score?
I would have written it like this:
score LOCAL_BADLY_HTML 3.0


On Wednesday, August 23, 2023 at 08:24:39 AM CDT, Benny Pedersen wrote:

> # test for empty src="" or empty href=""
> rawbody __HREF_EMPTY /href=\"\"/
> rawbody __SRC_EMPTY /src=\"\"/
>
> meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
> describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
> score LOCAL_BADLY_HTML 3 3 3 3
>
> too much spam in hotmail

  

new rule for kam :)

2023-08-23 Thread Benny Pedersen



# test for empty src="" or empty href=""
rawbody __HREF_EMPTY /href=\"\"/
rawbody __SRC_EMPTY /src=\"\"/

meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
score LOCAL_BADLY_HTML 3 3 3 3

too much spam in hotmail