On Mon, 24 Apr 2017, Alex wrote:
> Hi,
>
>>> Hi, this rule hit a citibank.com email. Adding 1.8 points simply for
>>> the phrase "your account security" does not seem reasonable.
>>>
>>> Apr 24 20:13:18.660 [28524] dbg: rules: ran body rule TVD_PH_SEC
>>> ======> got hit: "your account security"
>>
>> What *else* hit? What was the final total score?
>
> It also hit a secondary RBL for an IP that it shouldn't have, as well
> as bayes00 and hostkarma_bl, totaling 5.044, making it spam. The IP
> that was hit was 52.40.63.1, mta1b3.c1-t.msyscloud.com.
>
> I would have included that initially, but I figured any one phrase
> shouldn't be enough to add more than 50% of the points with one
> rule...

50% of 5 points (the default "spam" score) is 2.5 points. This rule meets
your expectation.

> In the last hour while going through other quarantined emails, I've
> discovered a few others:
>
> * 1.5 SUBJ_ALL_CAPS Subject is all capitals
>
> This one was from an email with an account number in the subject.
>
> Apr 24 20:40:33.583 [7613] dbg: rules: ran body rule LOW_PRICE ======>
> got hit: "Lowest Price"
>
> This added 1.5 points to an email discussing reservation pricing,
> making it spam.

That along with everything else made it spam.

I'm not trying to be difficult, but: what score *should* phishy/spammy
phrases be limited to?

> Apr 24 21:06:31.842 [17649] dbg: rules: ran body rule FUZZY_XPILL
> ======> got hit: "х файлах"
>
> This added 2.8 points to a legitimate email in Russian. Apparently
> that resembles "xanax"

That probably justifies an exclusion in that rule.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79