Hi,

On Fri, Feb 24, 2017 at 1:24 PM, Dianne Skoll <d...@roaringpenguin.com> wrote:
> On Fri, 24 Feb 2017 18:07:50 +0000
> RW <rwmailli...@googlemail.com> wrote:
>
>> > OK. Any FPs, though? That's the other half of the test.
>
>> No, but it's pretty unlikely there would be.
>
> Actually, it's very likely there will be a lot of FPs, but it's also
> very likely that any given user of the list won't see them. That's
> because when someone's email address gets compromised and then the
> system administrator clears it up, the only recipients to suffer
> false-positives are those with whom the sender would normally
> correspond.
>
> We have seen a few of these cases happen.
We've actually had false-positives due to how the list is built into
rules. In other words, "i...@ca.com" is still on the list from 2011.
They're also not bounded by default, so noi...@ca.com and
morei...@ca.com would also be caught, for example.

>> It seems like a lot of hassle for little benefit.
>
> The APER doesn't catch all that much, nor do the known-phishing URLs catch
> much, but every little bit helps.

How do you build the phishing URLs list into rules similar to how the
addresses2spamassassin.pl does for the phishing emails?

> As a data point, one of our installations scanned 4 million messages
> yesterday. Of those, only 262 hit our known-phishing URL list (which
> uses APER and additional sources) and 155 hit APER's known-phishing
> email address list.
>
> But maybe those few hundred were really worth stopping because they
> prevented phishing attacks. Who knows?

The phishing_emails file builds almost 1100 meta rules. Is there a point
where it's too many and affects processing? I mean, of course there's a
point, but does 1100 plus all others approach that on any reasonable
system?
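As an added illustration of the bounding problem raised in this thread (this is not the poster's script and not addresses2spamassassin.pl; the addresses are constructed samples), here is a small Python generator that emits anchored SpamAssassin header rules for a sender-address list and shows why an unanchored pattern also fires on a longer local part. It assumes SpamAssassin's `From:addr` header form and the rule names `APER_FROM_*`, which are chosen here for the example.

```python
import re

# Constructed sample list of cleaned-up phishing sender addresses; the real APER data is not reproduced.
PHISH_ADDRESSES = [
    "compromised.user@example.edu",
    "helpdesk.reset@example.org",
]

def sa_escape(addr):
    """Escape an address for a SpamAssassin /.../ regex: re.escape handles
    the dots, and '@' is backslashed (once) because Perl would otherwise
    read it as an array interpolation."""
    return re.sub(r"(?<!\\)@", r"\\@", re.escape(addr))

def unbounded_pattern(addr):
    """Loose form: escaped but not anchored, so a longer local part that
    ends in the listed string matches too (the false-positive case)."""
    return re.compile(re.escape(addr), re.I)

def bounded_pattern(addr):
    """Anchored form for the From:addr value: the exact address only."""
    return re.compile("^" + re.escape(addr) + "$", re.I)

def hits(pattern_fn, addresses, from_addr):
    """Listed addresses whose pattern fires on the given From address."""
    return [a for a in addresses if pattern_fn(a).search(from_addr)]

def sa_rules(addresses, prefix="APER_FROM", score=1.0):
    """One anchored header rule per listed address, in .cf syntax."""
    out = []
    for i, addr in enumerate(addresses, 1):
        name = f"{prefix}_{i}"
        out.append(f"header   {name}  From:addr =~ /^{sa_escape(addr)}$/i")
        out.append(f"describe {name}  From address is on the phishing-address list")
        out.append(f"score    {name}  {score}")
    return "\n".join(out)

def sa_combined_rule(addresses, name="APER_FROM_ANY", score=1.0):
    """Same list as a single header rule whose regex alternates over all
    entries, instead of one rule (or meta rule) per entry."""
    alt = "|".join(sa_escape(a) for a in addresses)
    return "\n".join([
        f"header   {name}  From:addr =~ /^(?:{alt})$/i",
        f"describe {name}  From address is on the phishing-address list",
        f"score    {name}  {score}",
    ])

if __name__ == "__main__":
    print(sa_rules(PHISH_ADDRESSES) + "\n" + sa_combined_rule(PHISH_ADDRESSES))
```

Running it prints the per-address rules followed by the single alternation rule; `hits(unbounded_pattern, ...)` versus `hits(bounded_pattern, ...)` on a longer local part shows the false positive the anchoring removes.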