On 2024-12-14 at 15:20:41 UTC-0500 (Sat, 14 Dec 2024 12:20:41 -0800 (PST))
John Hardin <[email protected]>
is rumored to have said:

On Sat, 14 Dec 2024, Bill Cole wrote:

On 2024-12-13 at 06:53:59 UTC-0500 (Fri, 13 Dec 2024 12:53:59 +0100)
Kirill A. Korinsky <[email protected]>
is rumored to have said:

 Dear SA users,

I'd like to share with you a patch which allows me to catch an offering SEO spam which I've encountered in my INBOX quite a few missed for last weeks.

 Changes:
1. adds .xyz as suspicious zone because namecheap sells this domain for ~€1;

That's not (in itself) enough for us to include it in that list.

See https://ruleqa.spamassassin.org/20241207-r1922358-n/%2FTLD_XYZ

That shows the performance of a rule that has been in testing for some time which matches any *.xyz address in the From header. It routinely scores in the 0.7-0.8 range on the "S/O" ratio, indicating that roughly 1 in every 4 messages that it matches is NOT spam. That is too high for inclusion in the default "suspicious TLD" list.

What level would you consider acceptable?

I think this is just on the edge. If the test rule had ever been deemed "good enough" by the RuleQA promotion algorithm I would have no qualms about returning .xyz to the suspicious TLD lists.

I'm fine with it going either way, as the RuleQA results indicate that there is very little relevant mail of any sort, ham or spam, so the potential harm is trivial. I removed it ~18 months ago (https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8075#c6) based on the S/O of the test rule at the time, which was somewhat lower than it has been in recent weeks.

Obviously, any SA deployment can add enlist* directives to add .xyz to one or both lists.

 2. extends PDS_SEO2 regex to catch that spam.

Because that's a "sandbox" rule in the sandbox of Paul Stead, it is prudent and courteous to get his input on this. I hope he is still reading this list.

I checked quickly before proceeding with this. He hasn't committed anything to his sandbox in four years, including bugfixes, so I assumed he wasn't still actively maintaining his sandbox.

Seems reasonable. I had not noticed how long it had been.

I'll be happy to back out those changes if consensus is they aren't reasonable.

I expect there's likely more of a consensus around keeping them.


--
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
