On Tue, 28 Nov 2017, RW wrote:

> On Mon, 27 Nov 2017 17:37:35 -0800 (PST)
> John Hardin wrote:
>
>> The ".date" TLD just started bombarding my inbox...
>>
>> score FROM_RARE_TLD 3.000
>> score REPTO_RARE_TLD 3.000
>> score URI_RARE_TLD 3.000
>
> It's pretty common for the author domain to be in the body of an
> email and/or a reply-to header. With "parse_dkim_uris 1", URI_RARE_TLD
> can also come from an author DKIM signature.
>
> I don't think it's sensible to score them this way; it's a lottery
> between conservative and full poison pill.

True, the scoring should be site-specific. Poison pill works *for me*,
because my volume is low and I quarantine everything SA rejects for review
(and inclusion in my masscheck corpora).

In the future I'll omit the score lines when I post updated REs.

Everybody: take the scores for these rules (same as the scores for *any*
rules posted to the list) with a grain of salt.

> I haven't looked into this in
> detail, but I'd probably go for something like:
>
> meta ADDR_RARE_TLD __REPTO_RARE_TLD || __FROM_RARE_TLD
> meta URI_RARE_TLD __URI_RARE_TLD && !ADDR_RARE_TLD
>
> A single meta rule might do, but people seem to be less conservative
> about using new TLDs on websites, and there's an additional risk of URI
> FPs from typos.

Those are certainly possibilities.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
243 days since the first commercial re-flight of an orbital booster (SpaceX)
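
Added example, not part of the original message and not SpamAssassin code: a small Python model of the scoring "lottery" discussed above, comparing the three independently scored rules with the ADDR_RARE_TLD / URI_RARE_TLD metas. The regexes, the 3.0 score on each meta, the one-entry TLD list and the example.date sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: ".date" is the only TLD named in the thread; the posted REs are not shown.
RARE_TLDS = ("date",)
_TLD = "(?:" + "|".join(RARE_TLDS) + ")"
ADDR_RE = re.compile(r"\." + _TLD + r"$", re.I)
URI_RE = re.compile(r"https?://[^/\s:?#]+\." + _TLD + r"(?=[/:?#\s]|$)", re.I)

# Constructed sample messages (not real mail).
MSG_FROM_ONLY = "From: Promo <news@example.date>\nSubject: hi\n\nNo links here.\n"
MSG_ALL_THREE = ("From: Promo <news@example.date>\nReply-To: sales@example.date\n"
                 "Subject: hi\n\nVisit http://example.date/deal today.\n")
MSG_URI_ONLY = "From: a@example.com\nSubject: hi\n\nSee http://example.date/ now.\n"

def subrules(raw):
    """Simplified stand-ins for the three sub-rules, run on one raw message."""
    msg = message_from_string(raw)

    def addr(header):
        return parseaddr(msg.get(header, ""))[1]

    return {
        "__FROM_RARE_TLD": bool(ADDR_RE.search(addr("From"))),
        "__REPTO_RARE_TLD": bool(ADDR_RE.search(addr("Reply-To"))),
        "__URI_RARE_TLD": bool(URI_RE.search(msg.get_payload())),
    }

def score_independent(hits, points=3.0):
    """Each rule scored on its own, as in the posted score lines."""
    return points * sum(hits.values())

def score_meta(hits, points=3.0):
    """The two metas from the thread; URI only counts when no address rule hit."""
    addr_rare = hits["__REPTO_RARE_TLD"] or hits["__FROM_RARE_TLD"]
    uri_rare = hits["__URI_RARE_TLD"] and not addr_rare
    return points * (addr_rare + uri_rare)

if __name__ == "__main__":
    for name, raw in [("from only", MSG_FROM_ONLY), ("all three", MSG_ALL_THREE),
                      ("uri only", MSG_URI_ONLY)]:
        hits = subrules(raw)
        print(name, score_independent(hits), score_meta(hits))
```

With independent scoring the same sender domain contributes anywhere from 3 to 9 points depending on where it happens to appear; with the metas the contribution stays at 3.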