Re: Returned mail: see the transcript [FAILED(1)]

["Kevin A. McGrail" <KM...@PCCC.com>]

Brett,

Bringing this to the dev list for SA as well.  My reaction is that I 
checked and those two tab rules haven't hit on my servers in over 60 
days so it doesn't warrant much of a score.

I recommend you consider locally scoring these two rules lower such as 
0.5 in the meantime.

Henrik, I'm adding a score 0.5 to your TAB_IN_FROM rule. I believe that 
will limit it to that score as the highest possibility during mass checks.

Karsten, same thing for your KB_DATE_CONTAINS_TAB.

However, perhaps we want to add another meta such as the mailing list 
portion of the existing rules?

Regards,
KAM

NOTE: Sample removed in case of privacy concerns.

On 12/9/2012 7:37 PM, Brett Porter wrote:
> A further reply from the author, and a small number of other posts in our mail-archives, seems to indicate that the MTA being used (zmailer) was responsible for putting the tabs in those two fields.
>
> - Brett
>
> On 08/12/2012, at 8:00 AM, Kevin A. McGrail <KM...@PCCC.com> wrote:
>
>> I had to look up the rule TAB_IN_FROM because I've never seen it.  This is very odd with these Tabs in the headers for From and Date apparently.  Checking logs and I have no hits on this rule.
>>
>> The User-Agent is a bit confusing. Is this some sort of web-based mail client form or something the person is using to try and subscribe?
>>
>> Regards,
>> KAM
>>
>> On 12/6/2012 10:17 PM, Brett Porter wrote:
>>> It seems this user's client triggered a spam score due to tabs:
>>>
>>> Date:	Fri, 07 Dec 2012 01:11:33 +0000
>>> From:	Darryl Miles <da...@netbauds.net>
>>> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121016 Firefox/16.0 SeaMonkey/2.13.1
>>> MIME-Version: 1.0
>>>
>>> I wasn't sure what to suggest other than using a different client. Any other suggestions, or is this something we should adjust?
>>>
>>> Thanks,
>>> Brett
>>>
>>

Re: Returned mail: see the transcript [FAILED(1)]

[Karsten Bräckelmann <gu...@rudersport.de>]

On Mon, 2012-12-10 at 09:37 -0500, Kevin A. McGrail wrote:
> I recommend you consider locally scoring these two rules lower such as 
> 0.5 in the meantime.
> 
> Henrik, I'm adding a score 0.5 to your TAB_IN_FROM rule. I believe that 
> will limit it to that score as the highest possibility during mass checks.
> 
> Karsten, same thing for your KB_DATE_CONTAINS_TAB.

Sure, please go ahead.

> However, perhaps we want to add another meta such as the mailing list 
> portion of the existing rules?

Unless these are really worthwhile rules in mass-check, I'd be fine with
dropping them altogether. The Date header one was/is hitting a pretty
distinctive sub-set of spam for me, though it isn't essential for
classification.

On the down-side, these "additional tab in headers" style rules have
been reported to FP on mail passing (read: being rewritten by) certain
ISPs and mailing-list infrastructure.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}