You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/11/21 00:46:21 UTC
.info TLD gives 2.1?
Hi,
Am I reading this rule wrong, or does the presence of a .info domain
enough to warrant a 2.8 score?
* 2.1 URI_NO_WWW_INFO_CGI URI: CGI in .info TLD other than third-level "www"
<https://clientservices.ogletreedeakins.info/rs/vm.ashx?ct=3D24F76A1AD5E20A=
EDC1D180ACD125901ADFBE7BB3D38714D4CF371647BF8D90DDD78032>*
uri URI_NO_WWW_INFO_CGI
/^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i
This particular email was scored at 5.30, and wouldn't have hit if it
didn't also hit SORBS, but such a score seemed quite high for just the
presence of a type of TLD.
Re: .info TLD gives 2.1?
Posted by Kevin Golding <kp...@caomhin.org>.
On Mon, 21 Nov 2016 19:00:59 -0000, Alex <my...@gmail.com> wrote:
> The part I was unsure of was if those 2.1 points were warranted
> because I've only ever seen it in ham. Now I understand that it is.
http://ruleqa.spamassassin.org/ is a very good source for understanding
how rules get the scores they do.
It can also be a good source for deciding if you need to make local
adjustments that better suit your mailflow.
Re: .info TLD gives 2.1?
Posted by Alex <my...@gmail.com>.
Hi,
On Mon, Nov 21, 2016 at 1:07 PM, Bill Cole
<sa...@billmail.scconsult.com> wrote:
> On 21 Nov 2016, at 3:18, Matus UHLAR - fantomas wrote:
>
>> On 20.11.16 19:46, Alex wrote:
>>>
>>> Am I reading this rule wrong, or does the presence of a .info domain
>>> enough to warrant a 2.8 score?
>>>
>>> * 2.1 URI_NO_WWW_INFO_CGI URI: CGI in .info TLD other than third-level
>>> "www"
>>>
>>>
>>> <https://clientservices.ogletreedeakins.info/rs/vm.ashx?ct=3D24F76A1AD5E20A=
>>> EDC1D180ACD125901ADFBE7BB3D38714D4CF371647BF8D90DDD78032>*
>>>
>>> uri URI_NO_WWW_INFO_CGI
>>> /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i
>>>
>>> This particular email was scored at 5.30, and wouldn't have hit if it
>>> didn't also hit SORBS, but such a score seemed quite high for just the
>>> presence of a type of TLD.
>>
>>
>> it's not based only on .info tld:
>>
>> 1. TLD .info
>> 2. no 'www'
>> 3. third level domain
>> 4. at least 6 characters 2nd-level domain
>
>
> That's a 7 not a 6 :)
>
> The RE says a bit more, and is maybe clearer using words:
>
> http[s]://<hostname: not 'www'>.<domainname: 7 or more non-dots>.info/<15 or
> more non-whitespace characters including a literal ?>
>
> Note that the trailing '\?' in the RE means a literal '?' indicating that
> the URI has a CGI-style query string. That makes this a very specific URI
> pattern. There's nothing "wrong" with such a URI except for the fact that
> objectively the frequency of that uncommon pattern is much higher in spam
> than non-spam.
>
> I *suspect* that the pattern could be tightened a bit to reduce false
> positives without missing the spam that hits this rule, but I don't have any
> data to support that.
Thank you all for your explanations. I understood that it also
involved a CGI-style query string, but just didn't mention it.
If it would help, I have a handful of other non-spam URIs that hit
this rule, if it would help tighten it up a bit.
The part I was unsure of was if those 2.1 points were warranted
because I've only ever seen it in ham. Now I understand that it is.
Re: .info TLD gives 2.1?
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 21 Nov 2016, at 3:18, Matus UHLAR - fantomas wrote:
> On 20.11.16 19:46, Alex wrote:
>> Am I reading this rule wrong, or does the presence of a .info domain
>> enough to warrant a 2.8 score?
>>
>> * 2.1 URI_NO_WWW_INFO_CGI URI: CGI in .info TLD other than
>> third-level "www"
>>
>> <https://clientservices.ogletreedeakins.info/rs/vm.ashx?ct=3D24F76A1AD5E20A=
>> EDC1D180ACD125901ADFBE7BB3D38714D4CF371647BF8D90DDD78032>*
>>
>> uri URI_NO_WWW_INFO_CGI
>> /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i
>>
>> This particular email was scored at 5.30, and wouldn't have hit if it
>> didn't also hit SORBS, but such a score seemed quite high for just
>> the
>> presence of a type of TLD.
>
> it's not based only on .info tld:
>
> 1. TLD .info
> 2. no 'www'
> 3. third level domain
> 4. at least 6 characters 2nd-level domain
That's a 7 not a 6 :)
The RE says a bit more, and is maybe clearer using words:
http[s]://<hostname: not 'www'>.<domainname: 7 or more
non-dots>.info/<15 or more non-whitespace characters including a literal
?>
Note that the trailing '\?' in the RE means a literal '?' indicating
that the URI has a CGI-style query string. That makes this a very
specific URI pattern. There's nothing "wrong" with such a URI except for
the fact that objectively the frequency of that uncommon pattern is much
higher in spam than non-spam.
I *suspect* that the pattern could be tightened a bit to reduce false
positives without missing the spam that hits this rule, but I don't have
any data to support that.
Re: .info TLD gives 2.1?
Posted by John Hardin <jh...@impsec.org>.
On Mon, 21 Nov 2016, Matus UHLAR - fantomas wrote:
> On 20.11.16 19:46, Alex wrote:
>> Am I reading this rule wrong, or does the presence of a .info domain
>> enough to warrant a 2.8 score?
>>
>> * 2.1 URI_NO_WWW_INFO_CGI URI: CGI in .info TLD other than third-level
>> "www"
>>
>> <https://clientservices.ogletreedeakins.info/rs/vm.ashx?ct=3D24F76A1AD5E20A=
>> EDC1D180ACD125901ADFBE7BB3D38714D4CF371647BF8D90DDD78032>*
>>
>> uri URI_NO_WWW_INFO_CGI
>> /^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i
>>
>> This particular email was scored at 5.30, and wouldn't have hit if it
>> didn't also hit SORBS, but such a score seemed quite high for just the
>> presence of a type of TLD.
>
> it's not based only on .info tld:
>
> 1. TLD .info
> 2. no 'www'
> 3. third level domain
> 4. at least 6 characters 2nd-level domain
5. CGI script parameters.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Re: .info TLD gives 2.1?
Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 20.11.16 19:46, Alex wrote:
>Am I reading this rule wrong, or does the presence of a .info domain
>enough to warrant a 2.8 score?
>
> * 2.1 URI_NO_WWW_INFO_CGI URI: CGI in .info TLD other than third-level "www"
>
><https://clientservices.ogletreedeakins.info/rs/vm.ashx?ct=3D24F76A1AD5E20A=
>EDC1D180ACD125901ADFBE7BB3D38714D4CF371647BF8D90DDD78032>*
>
>uri URI_NO_WWW_INFO_CGI
>/^(?:https?:\/\/)?[^\/]+(?<!\/www)\.[^.]{7,}\.info\/(?=\S{15,})\S*\?/i
>
>This particular email was scored at 5.30, and wouldn't have hit if it
>didn't also hit SORBS, but such a score seemed quite high for just the
>presence of a type of TLD.
it's not based only on .info tld:
1. TLD .info
2. no 'www'
3. third level domain
4. at least 6 characters 2nd-level domain
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.