Posted to users@spamassassin.apache.org by Jared Hall <ja...@jaredsec.com> on 2021/09/23 20:24:38 UTC

FSL_BULK_SIG in 72_active.cf

Got a remote sender sending some pictures of property damage to be 
fixed.  It's all images.  The only text is:
Sent from Yahoo Mail for iPhone <https://overview.mail.yahoo.com/?.src=iOS>

It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked 
the wrong checksum, chief!

However, his messages also hit: FSL_BULK_SIG=2.623.  That's a meta in 
72_active.cf that looks like this:

meta     FSL_BULK_SIG          (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY

DCC_CHECK = 0
RAZOR2_CHECK = 0
PYZOR_CHECK = 1

__FSL_HAS_LIST_UNSUB = 0
__UNSUB_LINK = 0
__RCVD_IN_DNSWL = 0
__JM_REACTOR_DATE = 0
__RCD_RDNS_SMTP_MESSY = 0

It does not appear that the actual rule matches the spirit of the rule.

Thoughts?

-- Jared Hall
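
The meta quoted in the message above, evaluated against the reported subrule hits, as an added example that is not part of the original post or of SpamAssassin. The evaluator handles only the boolean operators this rule uses; eval_meta and total are the example's own names.

```python
import re

# Rule text and scores as quoted in the message above.
FSL_BULK_SIG = ("(DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB"
                " && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE"
                " && !__RCD_RDNS_SMTP_MESSY")
SCORES = {"PYZOR_CHECK": 1.985, "FSL_BULK_SIG": 2.623}
REPORTED = {"PYZOR_CHECK": 1}  # every other subrule was 0 in the report
TOKEN = re.compile(r"&&|\|\||[!()]|\w+")

def eval_meta(expr, hits):
    """Evaluate a boolean meta (&&, ||, !, parentheses); unknown rules count as 0."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError("unsupported syntax in meta expression")
    toks.append("")  # end marker
    def atom():
        tok = toks.pop(0)
        if tok == "!":
            return not atom()
        if tok == "(":
            value = either()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        if not tok or tok in ("&&", "||", ")"):
            raise ValueError("expected a rule name")
        return bool(hits.get(tok, 0))
    def both():  # '&&' binds tighter than '||'
        value = atom()
        while toks[0] == "&&":
            toks.pop(0)
            value = atom() and value
        return value
    def either():
        value = both()
        while toks[0] == "||":
            toks.pop(0)
            value = both() or value
        return value
    result = either()
    if toks != [""]:
        raise ValueError("trailing tokens")
    return result

def total(expr, hits):
    """Score of PYZOR_CHECK plus FSL_BULK_SIG (when the meta fires) for one message."""
    fired = dict(hits, FSL_BULK_SIG=eval_meta(expr, hits))
    return round(sum(s for rule, s in SCORES.items() if fired.get(rule)), 3)
```

total(FSL_BULK_SIG, REPORTED) gives 4.608 from the single Pyzor hit. Appending a hypothetical `&& !__LOCAL_SHORT_BODY` term (a made-up subrule name) and marking it as hit leaves only the 1.985 from PYZOR_CHECK.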


Re: FSL_BULK_SIG in 72_active.cf

Posted by "Kevin A. McGrail" <km...@apache.org>.
I don't think it's reasonable but an FP in Pyzor is leading to other 
rule hits.

Was the overall email marked as spam?

On 9/24/2021 12:21 AM, Jared Hall wrote:
> On 9/23/2021 10:07 PM, Kevin A. McGrail wrote:
>> Jared, looks to me like an FP in Pyzor.
>>
> No doubt.  The 4.608 points for a single aberration seems reasonable.
>
> -- Jared Hall
>
-- 
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: FSL_BULK_SIG in 72_active.cf

Posted by Jared Hall <ja...@jaredsec.com>.
On 9/23/2021 10:07 PM, Kevin A. McGrail wrote:
> Jared, looks to me like an FP in Pyzor.
>
No doubt.  The 4.608 points for a single aberration seems reasonable.

-- Jared Hall


Re: FSL_BULK_SIG in 72_active.cf

Posted by John Hardin <jh...@impsec.org>.
On Tue, 5 Oct 2021, Matus UHLAR - fantomas wrote:

>>>>>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've 
>>>>>>> picked the wrong checksum, chief!
>>>>>>> 
>>>>>>> It does not appear that the actual rule matches the spirit of the 
>>>>>>> rule.
>
>>>>> On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>>>> Jared, looks to me like an FP in Pyzor.
>
>>>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>>>> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>>>> attachments. (Haven't done stats tho, I can look during workweek.)
>>>>> 
>>>>> Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>>>> unsubscribe header.
>
>>> On 25.09.21 13:19, John Hardin wrote:
>>>> Perhaps it needs a short-message exclusion?
>
>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>> short messages with attachments. if you have an idea how, I'll be glad to 
>>> try.
>
> On 25.09.21 15:04, John Hardin wrote:
>> I've done some masscheck review and tuning of it, added avoidance of hits 
>> on very short messages.
>
> I'm afraid it did not help.
> It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
> FSL_BULK_SIG pushes such mail easily over default spam score.
>
> I just analyze a few samples, a few also hit GMD_PDF_EMPTY_BODY with sa -D, 
> many of them hit __HTML_LENGTH_1024_1536
> (damn microsoft! 1k of "empty" message).
>
> OK, I will work around locally.

I noticed the PDF attachment hit in masschecks, but presumed (since the 
attachments were images) that it wasn't germane to the OP's problem. I 
should have added an exclusion for that as well. I will later today, 
work is booting up... :)

I'd be interested in the rule hits if you're willing to share.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Are you a mildly tech-literate politico horrified by the level of
   ignorance demonstrated by lawmakers gearing up to regulate online
   technology they don't even begin to grasp? Cool. Now you have a
   tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
-----------------------------------------------------------------------
  493 days since the first private commercial manned orbital mission (SpaceX)

Re: FSL_BULK_SIG in 72_active.cf

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>>>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  
>>>>>>Must've picked the wrong checksum, chief!
>>>>>>
>>>>>>It does not appear that the actual rule matches the spirit of the rule.

>>>>On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>>>Jared, looks to me like an FP in Pyzor.

>>>On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>>>RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>>>attachments. (Haven't done stats tho, I can look during workweek.)
>>>>
>>>>Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>>>unsubscribe header.

>>On 25.09.21 13:19, John Hardin wrote:
>>>Perhaps it needs a short-message exclusion?

>On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>short messages with attachments. if you have an idea how, I'll be 
>>glad to try.

On 25.09.21 15:04, John Hardin wrote:
>I've done some masscheck review and tuning of it, added avoidance of 
>hits on very short messages.

I'm afraid it did not help.
It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
FSL_BULK_SIG pushes such mail easily over default spam score.

I just analyze a few samples, a few also hit GMD_PDF_EMPTY_BODY 
with sa -D, many of them hit __HTML_LENGTH_1024_1536
(damn microsoft! 1k of "empty" message).

OK, I will work around locally.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)

Re: FSL_BULK_SIG in 72_active.cf

Posted by John Hardin <jh...@impsec.org>.
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

>>>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked 
>>>>> the wrong checksum, chief!
>>>>> 
>>>>> It does not appear that the actual rule matches the spirit of the rule.
>
>>> On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>> Jared, looks to me like an FP in Pyzor.
>
>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>> attachments. (Haven't done stats tho, I can look during workweek.)
>>> 
>>> Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>> unsubscribe header.
>
> On 25.09.21 13:19, John Hardin wrote:
>> Perhaps it needs a short-message exclusion?
>
> short messages with attachments. if you have an idea how, I'll be glad to 
> try.

I've done some masscheck review and tuning of it, added avoidance of hits 
on very short messages.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   But if there is no such inalienable right [to self defense], the
   entire nature of the social contract is changed. Each man’s worth
   is measured solely by his utility to the state, and as such the
   value of his life rides a roller coaster not unlike the stock
   market: dependent not only upon the preferences of the party in
   power but upon the whims of its political leaders and the
   permanent bureaucratic class.                      -- Mike McDaniel
-----------------------------------------------------------------------
  4 days until the 80th anniversary of the massacre at Babi Yar
  Disarmament enables genocide - Registration enables disarmament

Re: FSL_BULK_SIG in 72_active.cf

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  
>>>>Must've picked the wrong checksum, chief!
>>>>
>>>>It does not appear that the actual rule matches the spirit of the rule.

>>On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>Jared, looks to me like an FP in Pyzor.

>On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>attachments. (Haven't done stats tho, I can look during workweek.)
>>
>>Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>unsubscribe header.

On 25.09.21 13:19, John Hardin wrote:
>Perhaps it needs a short-message exclusion?

short messages with attachments. 
if you have an idea how, I'll be glad to try.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

Re: FSL_BULK_SIG in 72_active.cf

Posted by John Hardin <jh...@impsec.org>.
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked 
>>> the wrong checksum, chief!
>>> 
>>> It does not appear that the actual rule matches the spirit of the rule.
>
> On 23.09.21 22:07, Kevin A. McGrail wrote:
>> Jared, looks to me like an FP in Pyzor.
>
> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
> attachments. (Haven't done stats tho, I can look during workweek.)
>
> Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
> unsubscribe header.

Perhaps it needs a short-message exclusion?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org                         pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Gun Control laws aren't enacted to control guns, they are enacted
   to control people: catholics (1500s), japanese peasants (1600s),
   blacks (1860s), italian immigrants (1911), armenians (1911),
   the irish (1920s), jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
  4 days until the 80th anniversary of the massacre at Babi Yar
  Disarmament enables genocide - Registration enables disarmament

Re: FSL_BULK_SIG in 72_active.cf

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've 
>>picked the wrong checksum, chief!
>>
>>It does not appear that the actual rule matches the spirit of the rule.

On 23.09.21 22:07, Kevin A. McGrail wrote:
>Jared, looks to me like an FP in Pyzor.

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
unsubscribe header.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)

Re: FSL_BULK_SIG in 72_active.cf

Posted by "Kevin A. McGrail" <km...@apache.org>.
> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've 
> picked the wrong checksum, chief!
>
> It does not appear that the actual rule matches the spirit of the rule.
>
Jared, looks to me like an FP in Pyzor.

-- 
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


Re: FSL_BULK_SIG in 72_active.cf

Posted by Henrik K <he...@hege.li>.
On Thu, Sep 23, 2021 at 04:24:38PM -0400, Jared Hall wrote:
> Got a remote sender sending some pictures of property damage to be fixed.  It's
> all images.  The only text is:
> Sent from Yahoo Mail for iPhone
> 
> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked the
> wrong checksum, chief!

It only cares about the body, and that body has probably been reported
a million times.

pyzor local_whitelist < message

pyzor digest < message
https://app.pyzor.org/whitelist/
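
A simplified model of the point above, added here as an illustration and not taken from Pyzor or from this thread: a checksum computed over the body text alone is identical for unrelated messages that share a boilerplate footer, and a local whitelist entry for that digest suppresses the hit. The SHA-1-over-text digest, the function names and the sample messages are assumptions of the example; Pyzor's real digest algorithm differs.

```python
import hashlib
from email.message import EmailMessage

FOOTER = "Sent from Yahoo Mail for iPhone"  # the only text in the reported message

def build(sender, subject, text, image):
    """Constructed sample: one text part plus one image attachment."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(text)
    msg.add_attachment(image, maintype="image", subtype="jpeg", filename="damage.jpg")
    return msg

def body_digest(msg):
    """Toy checksum: SHA-1 of the whitespace-normalised text parts only.
    Ignoring headers and attachments is this model's assumption."""
    texts = [" ".join(part.get_content().split())
             for part in msg.walk() if part.get_content_maintype() == "text"]
    return hashlib.sha1("\n".join(texts).encode("utf-8")).hexdigest()

def flagged(msg, reported, local_whitelist=frozenset()):
    """True when the digest is in the shared 'reported' set and not whitelisted locally."""
    digest = body_digest(msg)
    return digest in reported and digest not in local_whitelist

# Constructed messages: different senders, subjects and pictures, same footer.
SPAM = build("bulk@example.net", "Offer", FOOTER, b"\xff\xd8 constructed image A")
PHOTOS = build("tenant@example.org", "Roof damage", FOOTER, b"\xff\xd8 constructed image B")
WORDY = build("tenant@example.org", "Roof damage",
              "The roof leaks over the kitchen.", b"\xff\xd8 constructed image B")
REPORTED = {body_digest(SPAM)}  # stands in for the shared checksum database
```

flagged(PHOTOS, REPORTED) is True even though the sender, subject and attachment differ from the reported message, while WORDY, which carries its own text, is not flagged.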