On Sun, 29 Apr 2018, Sebastian Arcus wrote:


On 27/04/18 16:22, John Hardin wrote:
On Fri, 27 Apr 2018, Sebastian Arcus wrote:


On 27/04/18 10:49, Sebastian Arcus wrote:
I am getting some FPs with URI_TRY_3LD hitting the URL get.adobe.com in the body of emails:

Apr 27 10:45:39.330 [32173] dbg: rules: ran uri rule URI_TRY_3LD ======> got hit: "http://get.adobe.com";

Would it be possible to add some exception to this rule - as many legitimate emails containing invoice attachments in PDF include the above URL in the body.

It also appears to not like some DHL URLs for some reason:

Apr 27 11:02:05.148 [32339] dbg: rules: ran uri rule URI_TRY_3LD ======> got hit: "https://mybill.dhl.com";

my{mumble}.mumble.com is targeted. I'll think about that one; the rule isn't scored highly and I could see that helping out to detect DHL phishing.

If it is detecting DHL phishing, that is good - but if it is triggering on both legitimate DHL emails and phishing emails, I'm not sure it is that useful?

It is if it's enough in concert with other rule hits to push the phish over the limit while not doing so with legitimate DHL mails.

It's unrealistic to expect every spam rule to have a S/O of 1.000 (i.e. *not hit* on any ham at all). SA has bunches of rules because it's the *combination* of signs that are used to make the final decision.

And with this I'm not going to worry too much about it:

  score URI_TRY_3LD            0.001 0.001 0.001 0.001

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  North Korea: the only country in the world where people would risk
  execution to flee to communist China.                  -- Ride Fast
-----------------------------------------------------------------------
 2 days until May Day - Remember 110 million people murdered by Communism
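As an added example (not part of this thread or of the SpamAssassin rule set), here is a local.cf fragment a site admin could use to cancel URI_TRY_3LD only for the get.adobe.com URL reported above, leaving the shipped rule untouched; the rule names __URI_GET_ADOBE and URI_TRY_3LD_EXC_ADOBE are assumed.

```conf
# Added example for local.cf; rule names below are assumptions, not shipped rules.

# Sub-rule (leading "__" means it carries no score of its own) matching the
# legitimate URL reported as a false positive in the thread.
uri      __URI_GET_ADOBE   /^https?:\/\/get\.adobe\.com(?:\/|$)/i

# Meta rule that fires only when URI_TRY_3LD hit AND a get.adobe.com URI
# was present in the same message.
meta     URI_TRY_3LD_EXC_ADOBE   (URI_TRY_3LD && __URI_GET_ADOBE)
describe URI_TRY_3LD_EXC_ADOBE   URI_TRY_3LD hit on known-good get.adobe.com URL

# Negative score equal to URI_TRY_3LD's current score (0.001) nets it to zero
# for these messages; keep it in step if the shipped score changes.
score    URI_TRY_3LD_EXC_ADOBE   -0.001
```

Note that the meta rule fires on any message containing get.adobe.com, so a message that also carries a genuinely suspicious my*.something.com URI would have its URI_TRY_3LD contribution cancelled too; with the rule scored at 0.001 that is negligible, which is the point John makes above.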