Posted to users@spamassassin.apache.org by Jo Rhett <jr...@netconsonance.com> on 2006/10/16 22:10:42 UTC

false positive on citibank e-mail

Included below is a legitimate e-mail on a legitimate payment that I did 
make.

I've looked at the rule, and I can't figure out why it failed.

-------- Original Message --------
Return-Path: 	<ci...@cardsemail.citibank.com>
Received: 	from triceratops.lizardarts.com ([unix socket]) by
triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA; Mon, 16 Oct 2006
12:28:46 -0700
X-Sieve: 	CMU Sieve 2.3
X-Virus-Scanned: 	amavisd-new at netconsonance.com
X-Spam-Flag: 	YES
X-Spam-Score: 	4.012
X-Spam-Level: 	****
X-Spam-Status: 	Yes, score=4.012 tagged_above=-999 required=4
tests=[AWL=-4.520, DNS_FROM_RFC_ABUSE=0.479, FROM_EXCESS_BASE64=1.052,
HTML_MESSAGE=0.001, NO_RECEIVED=2, NO_RELAYS=1, SARE_FORGED_CITI=4,
SUBJECT_EXCESS_BASE64=0]
Received: 	from bigfootinteractive.com (arm184.bigfootinteractive.com
[206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8) with SMTP
id k9GJSgjH051843 for <jr...@lizardarts.com>; Mon, 16 Oct 2006 12:28:43
-0700 (PDT) (envelope-from citicards@cardsemail.citibank.com)
Reply-To: 	citicards.T9TH054F119A6D9697126D82D3CB60@info.citibank.com
Bounces_to: 	citicards@cardsemail.citibank.com
Message-ID:
<T9...@info.citibank.com>
X-BFI: 	T9TH054F119A6D9697126D82D3CB60
Date: 	Mon, 16 Oct 2006 15:26:53 EDT
From: 	Citi Cards <ci...@info.citibank.com>
Subject: 	Your online activity confirmation
To: 	jrhett@lizardarts.com
MIME-Version: 	1.0
Content-Type: 	multipart/alternative;
boundary="ABCD-T9TH054F119A6D9697126D82D3CB60-EFGH"



	<http://info.citibank.com/> 	
*Email Security Zone
<http://info.citibank.com/>: JO RHETT*
For your account ending in *SNIP*

Add citicards@info.citibank.com to your address book to ensure delivery.


Dear JO RHETT,

This email confirms the following action(s) completed at Account Online 
for your Citi Cards account ending in *SNIP*.
See detail(s) below:

# *Click-to-Pay Payment Confirmation:*
An online payment in the amount of $1,487.11 is scheduled to post
to your Citi card account on October 13, 2006. The payment will be made
by electronic transfer from your designated bank account. Please
keep the following confirmation number for your records: 122144156497088.

/Note: If you performed multiple activities at Account Online within
the past 48 hours you may receive confirmations separately./

We appreciate the opportunity to serve you. Quality service and your
security is top of mind at Citi. If any of the above information is
inaccurate, please contact us immediately at 800-347-4934.

Visit us anytime at www.citicards.com
<http://info.citibank.com/> to review
your recent account activity or update your account information.

------------------------------------------------------------------------
Privacy <http://info.citibank.com/> |
Security <http://info.citibank.com/>
_Email Preferences_
Your Citi Cards is issued by Citibank (South Dakota), N.A.. If you'd
like to refine the types of email messages you receive, or if you'd
prefer to stop receiving email from us, please go to:
http://www.email.citicards.com
<http://info.citibank.com/>

_Help / Contact Us_
If you have questions about your account, please use our secure message
center by signing on at www.citicards.com
<http://info.citibank.com/> and choosing
"Contact Us" from the "Help / Contact Us" menu. You can also call the
customer service phone number on the back of your card.

© 2006 Citibank (South Dakota), N.A.
All rights reserved.
Citi, Citibank, Citi with Arc Design, and Live richly are registered
service marks of Citigroup Inc.

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

-- 
Jo Rhett
Network/Software Engineer
Net Consonance

Re: false positive on citibank e-mail

Posted by Jo Rhett <jr...@netconsonance.com>.
Nice insult.  Can we stick to fixing real problems, please?

jdow wrote:
> You're the twit who reduced the required score. Fix it.
> {^_^}
> ----- Original Message ----- From: "Jo Rhett" <jr...@netconsonance.com>
> 
> 
>> Included below is a legitimate e-mail on a legitimate payment that I 
>> did make.
>>
>> I've looked at the rule, and I can't figure out why it failed.
>>
>> -------- Original Message --------
>> Return-Path: <ci...@cardsemail.citibank.com>
>> Received: from triceratops.lizardarts.com ([unix socket]) by
>> triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA; Mon, 16 Oct 2006
>> 12:28:46 -0700
>> X-Sieve: CMU Sieve 2.3
>> X-Virus-Scanned: amavisd-new at netconsonance.com
>> X-Spam-Flag: YES
>> X-Spam-Score: 4.012
>> X-Spam-Level: ****
>> X-Spam-Status: Yes, score=4.012 tagged_above=-999 required=4
>> tests=[AWL=-4.520, DNS_FROM_RFC_ABUSE=0.479, FROM_EXCESS_BASE64=1.052,
>> HTML_MESSAGE=0.001, NO_RECEIVED=2, NO_RELAYS=1, SARE_FORGED_CITI=4,
>> SUBJECT_EXCESS_BASE64=0]
>> Received: from bigfootinteractive.com (arm184.bigfootinteractive.com
>> [206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8) with SMTP
>> id k9GJSgjH051843 for <jr...@lizardarts.com>; Mon, 16 Oct 2006 12:28:43
>> -0700 (PDT) (envelope-from citicards@cardsemail.citibank.com)
>> Reply-To: citicards.T9TH054F119A6D9697126D82D3CB60@info.citibank.com
>> Bounces_to: citicards@cardsemail.citibank.com
>> Message-ID:
>> <T9...@info.citibank.com> 
>>
>> X-BFI: T9TH054F119A6D9697126D82D3CB60
>> Date: Mon, 16 Oct 2006 15:26:53 EDT
>> From: Citi Cards <ci...@info.citibank.com>
>> Subject: Your online activity confirmation
>> To: jrhett@lizardarts.com
>> MIME-Version: 1.0
>> Content-Type: multipart/alternative;
>> boundary="ABCD-T9TH054F119A6D9697126D82D3CB60-EFGH"
>>
>>
>>
>> <http://info.citibank.com/> *Email Security Zone
>> <http://info.citibank.com/>: JO RHETT*
>> For your account ending in *SNIP*
>>
>> Add citicards@info.citibank.com to your address book to ensure delivery.
>>
>>
>> Dear JO RHETT,
>>
>> This email confirms the following action(s) completed at Account 
>> Online for your Citi Cards account ending in *SNIP*.
>> See detail(s) below:
>>
>> # *Click-to-Pay Payment Confirmation:*
>> An online payment in the amount of $1,487.11 is scheduled to post
>> to your Citi card account on October 13, 2006. The payment will be made
>> by electronic transfer from your designated bank account. Please
>> keep the following confirmation number for your records: 122144156497088.
>>
>> /Note: If you performed multiple activities at Account Online within
>> the past 48 hours you may receive confirmations separately./
>>
>> We appreciate the opportunity to serve you. Quality service and your
>> security is top of mind at Citi. If any of the above information is
>> inaccurate, please contact us immediately at 800-347-4934.
>>
>> Visit us anytime at www.citicards.com
>> <http://info.citibank.com/> to review
>> your recent account activity or update your account information.
>>
>> ------------------------------------------------------------------------
>> Privacy <http://info.citibank.com/> |
>> Security <http://info.citibank.com/>
>> _Email Preferences_
>> Your Citi Cards is issued by Citibank (South Dakota), N.A.. If you'd
>> like to refine the types of email messages you receive, or if you'd
>> prefer to stop receiving email from us, please go to:
>> http://www.email.citicards.com
>> <http://info.citibank.com/>
>>
>> _Help / Contact Us_
>> If you have questions about your account, please use our secure message
>> center by signing on at www.citicards.com
>> <http://info.citibank.com/> and choosing
>> "Contact Us" from the "Help / Contact Us" menu. You can also call the
>> customer service phone number on the back of your card.
>>
>> © 2006 Citibank (South Dakota), N.A.
>> All rights reserved.
>> Citi, Citibank, Citi with Arc Design, and Live richly are registered
>> service marks of Citigroup Inc.
>>
>> Citibank Customer Service
>> P. O. Box 6500
>> Sioux Falls, SD 57117
>>
>> -- 
>> Jo Rhett
>> Network/Software Engineer
>> Net Consonance 
> 


-- 
Jo Rhett
Network/Software Engineer
Net Consonance

RE: Bayes doesn't seem to be running

Posted by Gary V <mr...@hotmail.com>.
>I have SA configured to run via amavis-new
>
>Regular rbl and other checks do work
>
>But bayes doesn't seem to be running.
>
>I am not even sure where to go look to find information about what checks
>are being run to try and track down the problem
>
>Any hints?
>
>
>Thomas Lindell
>System Admin
>Airbornedatalink.com
>

If you recently installed it, Bayes must learn at least 200 ham and 200 spam 
before Bayes is used. You can stop amavisd and run it in debug-sa mode to 
see some spamassassin debugging. After you stop debug mode, you will need to 
start amavisd again. If you have amavisd-new specific questions, they should 
be directed to the amavis users mailing list.

Example of a recent install:

[3324] dbg: bayes: found bayes db version 3
[3324] dbg: bayes: Using userid: 2
[3324] dbg: bayes: not available for scanning, only 1 spam(s) in bayes DB < 
200

Gary V


Bayes doesn't seem to be running

Posted by Thomas Lindell <tl...@adlmail.com>.
I have SA configured to run via amavis-new

Regular rbl and other checks do work

But bayes doesn't seem to be running.

I am not even sure where to go look to find information about what checks
are being run to try and track down the problem

Any hints?


Thomas Lindell
System Admin
Airbornedatalink.com


Re: false positive on citibank e-mail

Posted by jdow <jd...@earthlink.net>.
You're the twit who reduced the required score. Fix it.
{^_^}
----- Original Message ----- 
From: "Jo Rhett" <jr...@netconsonance.com>


> Included below is a legitimate e-mail on a legitimate payment that I did make.
>
> I've looked at the rule, and I can't figure out why it failed.
>
> -------- Original Message --------
> Return-Path: <ci...@cardsemail.citibank.com>
> Received: from triceratops.lizardarts.com ([unix socket]) by
> triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA; Mon, 16 Oct 2006
> 12:28:46 -0700
> X-Sieve: CMU Sieve 2.3
> X-Virus-Scanned: amavisd-new at netconsonance.com
> X-Spam-Flag: YES
> X-Spam-Score: 4.012
> X-Spam-Level: ****
> X-Spam-Status: Yes, score=4.012 tagged_above=-999 required=4
> tests=[AWL=-4.520, DNS_FROM_RFC_ABUSE=0.479, FROM_EXCESS_BASE64=1.052,
> HTML_MESSAGE=0.001, NO_RECEIVED=2, NO_RELAYS=1, SARE_FORGED_CITI=4,
> SUBJECT_EXCESS_BASE64=0]
> Received: from bigfootinteractive.com (arm184.bigfootinteractive.com
> [206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8) with SMTP
> id k9GJSgjH051843 for <jr...@lizardarts.com>; Mon, 16 Oct 2006 12:28:43
> -0700 (PDT) (envelope-from citicards@cardsemail.citibank.com)
> Reply-To: citicards.T9TH054F119A6D9697126D82D3CB60@info.citibank.com
> Bounces_to: citicards@cardsemail.citibank.com
> Message-ID:
> <T9...@info.citibank.com>
> X-BFI: T9TH054F119A6D9697126D82D3CB60
> Date: Mon, 16 Oct 2006 15:26:53 EDT
> From: Citi Cards <ci...@info.citibank.com>
> Subject: Your online activity confirmation
> To: jrhett@lizardarts.com
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="ABCD-T9TH054F119A6D9697126D82D3CB60-EFGH"
>
>
>
> <http://info.citibank.com/> *Email Security Zone
> <http://info.citibank.com/>: JO RHETT*
> For your account ending in *SNIP*
>
> Add citicards@info.citibank.com to your address book to ensure delivery.
>
>
> Dear JO RHETT,
>
> This email confirms the following action(s) completed at Account Online for your Citi 
> Cards account ending in *SNIP*.
> See detail(s) below:
>
> # *Click-to-Pay Payment Confirmation:*
> An online payment in the amount of $1,487.11 is scheduled to post
> to your Citi card account on October 13, 2006. The payment will be made
> by electronic transfer from your designated bank account. Please
> keep the following confirmation number for your records: 122144156497088.
>
> /Note: If you performed multiple activities at Account Online within
> the past 48 hours you may receive confirmations separately./
>
> We appreciate the opportunity to serve you. Quality service and your
> security is top of mind at Citi. If any of the above information is
> inaccurate, please contact us immediately at 800-347-4934.
>
> Visit us anytime at www.citicards.com
> <http://info.citibank.com/> to review
> your recent account activity or update your account information.
>
> ------------------------------------------------------------------------
> Privacy <http://info.citibank.com/> |
> Security <http://info.citibank.com/>
> _Email Preferences_
> Your Citi Cards is issued by Citibank (South Dakota), N.A.. If you'd
> like to refine the types of email messages you receive, or if you'd
> prefer to stop receiving email from us, please go to:
> http://www.email.citicards.com
> <http://info.citibank.com/>
>
> _Help / Contact Us_
> If you have questions about your account, please use our secure message
> center by signing on at www.citicards.com
> <http://info.citibank.com/> and choosing
> "Contact Us" from the "Help / Contact Us" menu. You can also call the
> customer service phone number on the back of your card.
>
> © 2006 Citibank (South Dakota), N.A.
> All rights reserved.
> Citi, Citibank, Citi with Arc Design, and Live richly are registered
> service marks of Citigroup Inc.
>
> Citibank Customer Service
> P. O. Box 6500
> Sioux Falls, SD 57117
>
> -- 
> Jo Rhett
> Network/Software Engineer
> Net Consonance 


Re: false positive on citibank e-mail

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jo Rhett wrote:
> Daryl C. W. O'Shea wrote:

>>> Is there any part of this rule that might be affected by using 
>>> Amavisd or testing via Milter?  (I do both)
>>
>> If whatever handled the message for scanning didn't fudge the 
>> "Received:     from bigfootinteractive.com" header like it should be 
>> then this would happen.
> 
> Hm.  Okay, the NO_RECEIVED and NO_RELAYS rules fired on this as well. 
> Theory: perhaps Milter hands the message to Amavisd prior to adding the 
> local Received line? That it only adds that header once Milter agrees?

Sendmail milters won't see the received header added by that relay (I 
don't know about other MTA milter-like interfaces but I suspect that 
they're the same).  Amavisd should be fudging a header for you.  The 
NO_RECEIVED and NO_RELAYS hits confirm that it is not.


> I assume that we can check the current remote address in some form, yes? 
>  If I can figure this out, I'll provide an updated rule.  If you know 
> how to do this, clue me in.

Assuming you mean remote address of the machine sending the message, 
sure if it's in the received header that *must* be provided to SA by 
whatever passes it the message to scan.

The X-Spam-Relays-Untrusted pseudo header has all the info you need.


>> I just provide the SARE rules as found on the SARE website (checked 
>> every few minutes) via sa-update channels.  Beyond that, I have 
>> nothing to do with them.
> 
> Whoops.  Sorry, I confused you and Ted because you responded. Apparently 
> these are Ted's rules...

Yeah, I was just concerned with confirming that this is in fact not an 
issue with SpamAssassin since it was suggested that SA was at fault.  In 
this case, it's just a coincidence that I happen to provide the SARE 
sa-update channel infrastructure too.


Daryl

Re: false positive on citibank e-mail

Posted by Jo Rhett <jr...@netconsonance.com>.
Daryl C. W. O'Shea wrote:
> Even after doing my best to fix the body wrap mangling of your sample, I 
> can't get it to FP.  It IS working as it should (ie. not hitting on the 
> sample).  That's why I asked for a copy sent as an attachment.

Oops, I overlooked that.  You should have it by now.  identifying info 
wasn't removed this time, so play nice :-)

>> Is there any part of this rule that might be affected by using Amavisd 
>> or testing via Milter?  (I do both)
> 
> If whatever handled the message for scanning didn't fudge the "Received: 
>     from bigfootinteractive.com" header like it should be then this 
> would happen.

Hm.  Okay, the NO_RECEIVED and NO_RELAYS rules fired on this as well. 
Theory: perhaps Milter hands the message to Amavisd prior to adding the 
local Received line? That it only adds that header once Milter agrees?

I assume that we can check the current remote address in some form, yes? 
If I can figure this out, I'll provide an updated rule.  If you know 
how to do this, clue me in.

> I just provide the SARE rules as found on the SARE website (checked 
> every few minutes) via sa-update channels.  Beyond that, I have nothing 
> to do with them.

Whoops.  Sorry, I confused you and Ted because you responded. 
Apparently these are Ted's rules...

-- 
Jo Rhett
Network/Software Engineer
Net Consonance

Re: false positive on citibank e-mail

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jo Rhett wrote:
> Daryl C. W. O'Shea wrote:
>> Jo Rhett wrote:
>>> Included below is a legitimate e-mail on a legitimate payment that I 
>>> did make.
>>>
>>> I've looked at the rule, and I can't figure out why it failed.
>>
>> After unwrapping the mail included in your message body, I can't 
>> reproduce this under SA 3.1.8-r454679 using the ruleset 
>> 70_sare_spoof_cf_sare_sa-update_dostech_net/200607251600.cf.
>>
>> If you can provide a copy that triggers this in an attachment I'll 
>> take another look.
> 
> Yeah, I was eyeballing it but couldn't figure it out either.  Very odd.

Even after doing my best to fix the body wrap mangling of your sample, I 
can't get it to FP.  It IS working as it should (ie. not hitting on the 
sample).  That's why I asked for a copy sent as an attachment.

Can you not reproduce it, using just 'spamassassin', either?


> Is there any part of this rule that might be affected by using Amavisd 
> or testing via Milter?  (I do both)

If whatever handled the message for scanning didn't fudge the "Received: 
     from bigfootinteractive.com" header like it should be then this 
would happen.


> Unrelated, but might I suggest for readability that next time you do an 
> update, change CHASE_B to BIGFOOT or something?

Of course you can.  Although, since I didn't write the rules, or even 
know who did, you'll have to track them down to make that suggestion. :)

I just provide the SARE rules as found on the SARE website (checked 
every few minutes) via sa-update channels.  Beyond that, I have nothing 
to do with them.


Daryl

Re: false positive on citibank e-mail

Posted by Jo Rhett <jr...@netconsonance.com>.
Daryl C. W. O'Shea wrote:
> Jo Rhett wrote:
>> Included below is a legitimate e-mail on a legitimate payment that I 
>> did make.
>>
>> I've looked at the rule, and I can't figure out why it failed.
> 
> After unwrapping the mail included in your message body, I can't 
> reproduce this under SA 3.1.8-r454679 using the ruleset 
> 70_sare_spoof_cf_sare_sa-update_dostech_net/200607251600.cf.
> 
> If you can provide a copy that triggers this in an attachment I'll take 
> another look.

Yeah, I was eyeballing it but couldn't figure it out either.  Very odd.

Is there any part of this rule that might be affected by using Amavisd 
or testing via Milter?  (I do both)

Unrelated, but might I suggest for readability that next time you do an 
update, change CHASE_B to BIGFOOT or something?

-- 
Jo Rhett
Network/Software Engineer
Net Consonance

Re: false positive on citibank e-mail

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
Jo Rhett wrote:
> Included below is a legitimate e-mail on a legitimate payment that I did 
> make.
> 
> I've looked at the rule, and I can't figure out why it failed.

After unwrapping the mail included in your message body, I can't 
reproduce this under SA 3.1.8-r454679 using the ruleset 
70_sare_spoof_cf_sare_sa-update_dostech_net/200607251600.cf.

If you can provide a copy that triggers this in an attachment I'll take 
another look.


Daryl

Re: false positive on citibank e-mail

Posted by Jo Rhett <jr...@netconsonance.com>.
Ramprasad wrote:
> That's the bane of antispam. If there were no FP's spammers would lose
> their jobs. ( So will we techies managing antispam :-) )

I've heard that nonsense (losing jobs to problems disappearing) so many 
times over the years, and it has *never* happened.   There's always more 
technical things to do.

Just think how much progress in software development would occur if none 
of us had to work on anti-spam solutions?  I mean seriously, spam is 20% 
of my job on a Good Day.

> Whitelisting citibank is just too dangerous; anyone can forge
> use 
> def_whitelist_from_spf *@*.citibank.com

What?  Who is talking about whitelist?

-- 
Jo Rhett
Network/Software Engineer
Net Consonance

Re: false positive on citibank e-mail

Posted by Ramprasad <ra...@netcore.co.in>.
That's the bane of antispam. If there were no FP's spammers would lose
their jobs. ( So will we techies managing antispam :-) )

Whitelisting citibank is just too dangerous; anyone can forge

use 
def_whitelist_from_spf *@*.citibank.com


Thanks
Ram



RE: false positive on citibank e-mail

Posted by "Coffey, Neal" <nc...@langeveld.com>.
Jo Rhett wrote:
> I'm sorry, apparently I wasn't technical enough.  Yes, I can read. 
> And 
> I already opened up and looked at the rule, and I can't figure out why
> it failed.  Please skip the duh answers.

There's enough people on here that need that level of answer, you can't
really blame me for starting there.  Rule #1 of troubleshooting -- start
with the simplest explanation, and work your way up.

> And god no, I never use 5 as the tag level.  Hell, I run 2.9 on a
> number of my accounts...  Don't try to make something that is an
> adjustable user policy into a Don't Change This.

I wasn't.  I run 3.5 myself.  Just pointing out that the rules are
optimized for 5, and your "false positive" scored 4-ish.

> That's not the RCVD_CITIBNK rule I'm using.

Apologies.  I should have made sure I was looking at the most updated
version.

Re: false positive on citibank e-mail

Posted by Jo Rhett <jr...@netconsonance.com>.
Coffey, Neal wrote:
> Well, partly it failed because you set your limit to 4 instead of 5.
> You take a risk of false positives by doing that, since the rulesets are
> optimised with a score of 5 in mind.
> However, the "real" culprit seems to be SARE_FORGED_CITI, which is
> defined thusly:

I'm sorry, apparently I wasn't technical enough.  Yes, I can read.  And 
I already opened up and looked at the rule, and I can't figure out why 
it failed.  Please skip the duh answers.

And god no, I never use 5 as the tag level.  Hell, I run 2.9 on a number 
of my accounts...  Don't try to make something that is an adjustable 
user policy into a Don't Change This.

> -----------------------
> header   __RCVD_CITIBNK         Received =~
> /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
> header   __FROM_CITIBNK         From =~ /citi(?:bank)?\.com/i
> uri      __URI_CITIBNK          /citi(?:bank)?\.com/i
> meta     SARE_FORGED_CITI       (__FROM_CITIBNK && __URI_CITIBNK &&
> !__RCVD_CITIBNK)
> -----------------------
> 
> We see this in your headers from that email...
> 
>> Received: 	from bigfootinteractive.com (arm184.bigfootinteractive.com
>> [206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8)
> 
> ...and come to the conclusion that this email does, in fact, have forged
> Citibank headers.  In this case, it's a legitimate email, but it's still
> forged. Shame on Citibank.

That's not the RCVD_CITIBNK rule I'm using.  I have the latest, which is 
200607251600.cf.  The latest rule is

   meta     __RCVD_CITIBNK     (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || __RCVD_CHASE_B)

RCVD_CHASE_B (which should probably be renamed RCVD_BIGFOOT) is

   header   __RCVD_CHASE_B     Received =~ /\bbigfootinteractive\.com/i

And thus, the rule should not match.  Which is why this confused me.

> My suggestion for working around this?  Create a meta rule that negates
> SARE_FORGED_CITI.

No, the real fix is for the rule to work.  Don't add breakage to breakage.

-- 
Jo Rhett
Network/Software Engineer
Net Consonance

RE: false positive on citibank e-mail

Posted by "Coffey, Neal" <nc...@langeveld.com>.
Jo Rhett wrote:
> Included below is a legitimate e-mail on a legitimate payment that I
> did make.
> 
> I've looked at the rule, and I can't figure out why it failed.
> 

Well, partly it failed because you set your limit to 4 instead of 5.
You take a risk of false positives by doing that, since the rulesets are
optimised with a score of 5 in mind.

However, the "real" culprit seems to be SARE_FORGED_CITI, which is
defined thusly:

-----------------------
header   __RCVD_CITIBNK         Received =~ /(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com/i
header   __FROM_CITIBNK         From =~ /citi(?:bank)?\.com/i
uri      __URI_CITIBNK          /citi(?:bank)?\.com/i
meta     SARE_FORGED_CITI       (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
-----------------------

We see this in your headers from that email...

> Received: 	from bigfootinteractive.com (arm184.bigfootinteractive.com
> [206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8)

...and come to the conclusion that this email does, in fact, have forged
Citibank headers.  In this case, it's a legitimate email, but it's still
forged. Shame on Citibank.

My suggestion for working around this?  Create a meta rule that negates
SARE_FORGED_CITI.

header   __FROM_CITI_BFI      Received =~ /bigfootinteractive\.com/i
meta     CITI_FROM_BFI        (SARE_FORGED_CITI && __FROM_CITI_BFI)
score    CITI_FROM_BFI        -4.0
describe CITI_FROM_BFI        CitiBank tells BFI to forge their headers

(Side note: Times I mistyped "BFI" as "BIF" -- about 10)

You could probably also rewrite SARE_FORGED_CITI, but that might break
if the author of the SARE ruleset changes it behind the scenes in a
later release.
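As an added illustration (not code from this thread or from SpamAssassin), the Python stand-in below evaluates the sub-rules quoted in this thread over a constructed copy of the reported headers, once with the bigfootinteractive.com Received header present (what plain 'spamassassin' sees) and once without it (the case Daryl describes, where amavisd or a milter hands over the message without fudging that header). It assumes the older __RCVD_CITIBNK regex stands in for the unquoted __RCVD_CITIBNK_A/_B sub-rules, and includes the CITI_FROM_BFI workaround above with its regex flag corrected to /i.

```python
import re

# Constructed sample, reduced from the message quoted in this thread: the
# bigfootinteractive.com relay header is the one that amavisd/milter setups
# may fail to pass (or "fudge") to SpamAssassin.
RECEIVED_BFI = ("Received: from bigfootinteractive.com (arm184.bigfootinteractive.com"
                " [206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8) with SMTP")
RECEIVED_LOCAL = ("Received: from triceratops.lizardarts.com ([unix socket]) by"
                  " triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA")
FROM_HDR = "From: Citi Cards <citicards@info.citibank.com>"
BODY_URIS = ["http://info.citibank.com/", "http://www.email.citicards.com"]

# Sub-rules as quoted in the thread. __RCVD_CITIBNK_A/_B from the 200607251600
# ruleset are not quoted, so (assumption) the older __RCVD_CITIBNK regex stands
# in for both of them here; __RCVD_CHASE_B is the one Jo quotes.
RCVD_CITI_AB = re.compile(r"(?:citi(?:bank|cards|corp|bankcards)|acxiom|c2it)\.com", re.I)
RCVD_CHASE_B = re.compile(r"\bbigfootinteractive\.com", re.I)
FROM_CITI = re.compile(r"citi(?:bank)?\.com", re.I)
URI_CITI = re.compile(r"citi(?:bank)?\.com", re.I)
# Neal's proposed workaround sub-rule (regex flag corrected to /i).
FROM_CITI_BFI = re.compile(r"bigfootinteractive\.com", re.I)


def evaluate(received_headers, from_header, uris):
    """Evaluate the quoted sub-rules and metas the way SpamAssassin would.

    A 'header ... Received =~' rule hits if any Received header matches, so
    all of them are joined before searching."""
    rcvd_text = "\n".join(received_headers)
    hits = {
        "__RCVD_CITIBNK_AB": bool(RCVD_CITI_AB.search(rcvd_text)),
        "__RCVD_CHASE_B": bool(RCVD_CHASE_B.search(rcvd_text)),
        "__FROM_CITIBNK": bool(FROM_CITI.search(from_header)),
        "__URI_CITIBNK": any(URI_CITI.search(u) for u in uris),
        "__FROM_CITI_BFI": bool(FROM_CITI_BFI.search(rcvd_text)),
        # Stand-in for the NO_RECEIVED hit shown in the original report.
        "NO_RECEIVED": not received_headers,
    }
    # meta __RCVD_CITIBNK (__RCVD_CITIBNK_A || __RCVD_CITIBNK_B || __RCVD_CHASE_B)
    hits["__RCVD_CITIBNK"] = hits["__RCVD_CITIBNK_AB"] or hits["__RCVD_CHASE_B"]
    # meta SARE_FORGED_CITI (__FROM_CITIBNK && __URI_CITIBNK && !__RCVD_CITIBNK)
    hits["SARE_FORGED_CITI"] = (hits["__FROM_CITIBNK"] and hits["__URI_CITIBNK"]
                                and not hits["__RCVD_CITIBNK"])
    # meta CITI_FROM_BFI (SARE_FORGED_CITI && __FROM_CITI_BFI), Neal's negation.
    hits["CITI_FROM_BFI"] = hits["SARE_FORGED_CITI"] and hits["__FROM_CITI_BFI"]
    return hits


def score(hits):
    """Net contribution of the two scored rules (SARE_FORGED_CITI=4, CITI_FROM_BFI=-4)."""
    return 4.0 * hits["SARE_FORGED_CITI"] - 4.0 * hits["CITI_FROM_BFI"]


def scan_stored_message():
    """What plain 'spamassassin' sees: every Received header is present."""
    return evaluate([RECEIVED_LOCAL, RECEIVED_BFI], FROM_HDR, BODY_URIS)


def scan_via_milter_without_fudged_header():
    """What SA sees when the milter/amavisd path hands the message over before
    the MTA writes its Received line and adds no replacement: no relays at all."""
    return evaluate([], FROM_HDR, BODY_URIS)


if __name__ == "__main__":
    for name, fn in (("stored", scan_stored_message),
                     ("milter", scan_via_milter_without_fudged_header)):
        h = fn()
        print(name, {k: v for k, v in h.items() if not k.startswith("__")}, score(h))
```

Because __FROM_CITI_BFI matches the same Received header, the workaround cannot cancel the hit in exactly the case where that header never reaches SA; getting the relay header in front of SA is what actually clears the rule.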