Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2005/07/14 14:52:55 UTC

Re[2]: Rule Advice

Hello dennis,

Thursday, July 14, 2005, 2:34:42 AM, you wrote:

dsc> Been using SA for quite a while and agree it's working great.

dsc> Is FROM_STARTS_WITH_NUMS appropriately spammy if it's a legal way to
dsc> name a domain?

Yes.
> header FROM_STARTS_WITH_NUMS     From:addr =~ /^\d{6,}\S+\@/i
The email address used in the From header begins with 6 (or more)
digits. It's not hitting on 360SkinCare.com, but on the user part of
the email address (doesn't even look at the domain name).
rules/STATISTICS.* shows that this rule hits spam with an S/O ratio of
0.792 to 0.900 when last measured.

dsc> Is this related to the "suspicious hostname" flags? Or is that  
dsc> related to the use of webmail?

Neither: related to the use of a dynamic/dial-up connection for
sending the email, and the webmail system relaying that connection
information in a Received header.

dsc> If the former, then they're getting
dsc> dinged at least four times for the same issue. If the latter, can I
dsc> improve something with the webmail configuration to avoid this since
dsc> webmail is a very common tool?

You can place the original/dial-up IP address only into the
X-Originating-Ip that you are already using, and not a Received
header. The first Received header should then show the email coming
from your (not dynamic) webmail server instead.

dsc> Anything else causing this email to appear particular spammy when it
dsc> is a pretty generic and legitimate email?

That should be it.

Bob Menschel




Re[2]: Rule Advice

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello dennis,

Friday, July 15, 2005, 10:08:56 PM, you wrote:

dsc> On Jul 15, 2005, at 3:19 PM, Loren Wilton wrote:
dsc> If that username starts with six digits, it hits that rule, as shown
dsc> in Loren's example.

dsc> Ah, here is the From header:
dsc> From: 360° Skin Care <XX...@360SkinCare.com>
dsc> Not 6 digits, but maybe the degree symbol is contributing. I'll advise not
dsc> to start the username with 360°.

dsc> No, you misunderstood again.  The part the rule is hitting on is the "XXXX"
dsc> in the above example line.  Since the rule hit, I'm assuming this wasn't
dsc> really "XXXX" in the original mail, but more like "100000001monkeys" or the
dsc> like.

dsc> Nope. It's a four letter name, like FRED. It didn't seem to
dsc> be relevant to include the real full email address. Please let me
dsc> know if you need it.

dsc> This is also why I asked if you were referring to the
dsc> Message-Id header since that is the only address that starts with
dsc> six digits.

dsc> I'm not sure what I keep misunderstanding. Can you elaborate?

Nope.  From these discussions, your email is hitting a rule that
supposedly it should not hit. The code for the rule is very clear
about what and where it should be hitting, and you claim it isn't
there.

The only way we can resolve this is if you send a full, untarnished,
complete and unedited, email which demonstrates this problem, with all
headers, as an attachment, to someone who can do the full diagnostics
on it to figure out what's happening.

I'm willing to be that someone if you want.

Bob Menschel




Re[2]: Rule Advice

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello dennis,

Friday, July 15, 2005, 10:08:56 PM, you wrote:

dsc> Ah, here is the From header:
dsc> From: 360° Skin Care <XX...@360SkinCare.com>
dsc> Not 6 digits, but maybe the degree symbol is contributing. I'll advise not
dsc> to start the username with 360°.

Actually, that header is
> From: =?iso-8859-1?b?MzYwsA==?= Skin Care <XX...@360SkinCare.com>
(where I replace the same username "info" with "xxxx" as you did).

When I run the email you sent me offlist against SA 3.1.0, I get
> X-Spam-Status: No, score=-1.2 required=5.0
> tests=ALL_TRUSTED,RCVD_IN_NJABL_DUL autolearn=ham
> version=3.1.0-pre4-r208823
There's no sign of your FROM_STARTS_WITH_NUMS match there.
The debug clearly shows
> [31168] dbg: eval: all '*From' addrs: XXXX@360SkinCare.com
which is what we expect. No leading digits in the username there.

When I run the same test, the same email, against SA 3.0.3 here, I get
> X-Spam-Status: No, score=3.2 required=5.0
> tests=AWL,FROM_STARTS_WITH_NUMS,HELO_DYNAMIC_DHCP,HELO_DYNAMIC_HCC,
> HELO_DYNAMIC_IPADDR,RCVD_IN_NJABL_DUL autolearn=no version=3.0.3
Your FROM_STARTS_WITH_NUMS is present.
The debug shows the same
> debug: all '*From' addrs: XXXX@360SkinCare.com

So, yes, your problem is reproducible in version 3.0.3, and it also
appears to be fixed (or at least it goes away) in version 3.1.0.

I'm guessing that something about that iso-8859-1 encoding of the
display name is causing the FROM_STARTS_WITH_NUMS subroutine to get
confused about where/what the username is in 3.0.3. Since it's fixed
in 3.1.0, I choose not to dig any further than this.

What you might want to suggest to your user is, for a while, to switch
their From to something like
> From: "360* Skin Care" <XX...@360SkinCare.com>
so there's no need for any encoding.

In a month or so when SA 3.1.0 has been published and installed in the
majority of SA sites, then they can go back to the encoding and the
nice little degree sign, since the problem will have been fixed.

Bob Menschel
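
An added example, not part of the original thread and not SpamAssassin's own code: a Python sketch of what the quoted rule is meant to test, namely the bare address taken from the From header, with the RFC 2047 display name decoded separately. It uses Python's standard email parser as a stand-in for SpamAssassin's address extraction, shows the expected (3.1.0) result rather than reproducing the 3.0.3 behaviour, and the sample headers are constructed, with XXXX standing in for the redacted username.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Python rendering of the rule body quoted in the thread: /^\d{6,}\S+\@/i
FROM_STARTS_WITH_NUMS = re.compile(r"^\d{6,}\S+@", re.IGNORECASE)


def from_addr(header_value):
    """Split a From header value into (decoded display name, bare address)."""
    name, addr = parseaddr(header_value)
    # RFC 2047 encoded-words appear only in the display name; decode for display.
    return str(make_header(decode_header(name))), addr


def rule_hits(header_value):
    """Test only the address, which is what the :addr qualifier selects."""
    return bool(FROM_STARTS_WITH_NUMS.search(from_addr(header_value)[1]))


# Constructed samples. The first two are the header forms quoted in the thread,
# with XXXX standing in for the redacted username; the rest are made up.
SAMPLES = [
    "=?iso-8859-1?b?MzYwsA==?= Skin Care <XXXX@360SkinCare.com>",
    '"360* Skin Care" <XXXX@360SkinCare.com>',
    '"Example Sender" <1234567abuser@somehost.example>',
    '"Example Sender" <12345abuser@somehost.example>',  # only five digits
]

if __name__ == "__main__":
    for value in SAMPLES:
        display, addr = from_addr(value)
        print(f"{rule_hits(value)!s:5}  addr={addr}  display={display!r}")
```

Only the third sample should hit; a hit on either of the first two means the pattern was applied to something other than the extracted address.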




Re: Rule Advice

Posted by de...@sirmacintosh.com.
On Jul 15, 2005, at 3:19 PM, Loren Wilton wrote:

>> If that username starts with six digits, it hits that rule, as shown
>> in Loren's example.
>>
>> Ah, here is the From header:
>>
>> From: 360° Skin Care <XX...@360SkinCare.com>
>>
>> Not 6 digits, but maybe the degree symbol is contributing. I'll advise not
>> to start the username with 360°.
>
> No, you misunderstood again.  The part the rule is hitting on is the "XXXX"
> in the above example line.  Since the rule hit, I'm assuming this wasn't
> really "XXXX" in the original mail, but more like "100000001monkeys" or the
> like.

Nope. It's a four letter name, like FRED. It didn't seem to be  
relevant to include the real full email address. Please let me know  
if you need it.

This is also why I asked if you were referring to the Message-Id  
header since that is the only address that starts with six digits.

I'm not sure what I keep misunderstanding. Can you elaborate?

Re: Rule Advice

Posted by Loren Wilton <lw...@earthlink.net>.
> If that username starts with six digits, it hits that rule, as shown
> in Loren's example.
>
> Ah, here is the From header:
>
> From: 360° Skin Care <XX...@360SkinCare.com>
>
> Not 6 digits, but maybe the degree symbol is contributing. I'll advise not
> to start the username with 360°.

No, you misunderstood again.  The part the rule is hitting on is the "XXXX"
in the above example line.  Since the rule hit, I'm assuming this wasn't
really "XXXX" in the original mail, but more like "100000001monkeys" or the
like.

        Loren


Re: Rule Advice

Posted by Kai Schaetzl <ma...@conactive.com>.
 wrote on Fri, 15 Jul 2005 09:52:26 -0700:

> Not 6 digits, but maybe the degree symbol is contributing. I'll   
> advise not to start the username with 360°.

That degree sign isn't allowed unescaped in there anyway.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org




Re: Rule Advice

Posted by de...@sirmacintosh.com.
On Jul 14, 2005, at 6:05 PM, Robert Menschel wrote:

>>> header FROM_STARTS_WITH_NUMS     From:addr =~ /^\d{6,}\S+\@/i
>>> The email address used in the From header begins with 6 (or more)
>>> digits. It's not hitting on 360SkinCare.com, but on the user part of
>>> the email address (doesn't even look at the domain name).
>
> dsc> The From line didn't start with numbers (unless I'm missing
> dsc> your point). It was the username.
>
> Exactly -- the user part of the email address,
> "Firstname Lastname" <us...@domain.tld>
>                       ^^^^^^^^
> If that username starts with six digits, it hits that rule, as shown
> in Loren's example.

Ah, here is the From header:

> From: 360° Skin Care <XX...@360SkinCare.com>

Not 6 digits, but maybe the degree symbol is contributing. I'll  
advise not to start the username with 360°.

Re[4]: Rule Advice

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello dennis,

Thursday, July 14, 2005, 9:03:46 AM, you wrote:

dsc> On Jul 14, 2005, at 5:52 AM, Robert Menschel wrote:
>> header FROM_STARTS_WITH_NUMS     From:addr =~ /^\d{6,}\S+\@/i
>> The email address used in the From header begins with 6 (or more)
>> digits. It's not hitting on 360SkinCare.com, but on the user part of
>> the email address (doesn't even look at the domain name).

dsc> The From line didn't start with numbers (unless I'm missing
dsc> your point). It was the username.

Exactly -- the user part of the email address,
"Firstname Lastname" <us...@domain.tld>
                      ^^^^^^^^
If that username starts with six digits, it hits that rule, as shown
in Loren's example.

dsc>> dinged at least four times for the same issue. If the latter, can I
dsc>> improve something with the webmail configuration to avoid this since
dsc>> webmail is a very common tool?

>> You can place the original/dial-up IP address only into the
>> X-Originating-Ip that you are already using, and not a Received
>> header. The first Received header should then show the email coming
>> from your (not dynamic) webmail server instead.

dsc> Good suggestion. Which rule will no longer get triggered by this change?
The dynamic IP / dial-up rules will then be avoided.

Bob Menschel




Re: Re[2]: Rule Advice

Posted by Loren Wilton <lw...@earthlink.net>.
> header FROM_STARTS_WITH_NUMS     From:addr =~ /^\d{6,}\S+\@/i

> The email address used in the From header begins with 6 (or more)
> digits. It's not hitting on 360SkinCare.com, but on the user part of
> the email address (doesn't even look at the domain name).

> The From line didn't start with numbers (unless I'm missing your point). It
> was the username. Are you referring to the Message-Id? It's the only line
> that seems to appear that way.

You may be missing the point.  The "addr" qualifier says to look at the
address part of, in this case, the From line.  So the From line probably had
something along the general lines of

    From: "Anonomous P. Person" 1234567abuser@somehost.com

        Loren


Re: Re[2]: Rule Advice

Posted by de...@sirmacintosh.com.
On Jul 14, 2005, at 5:52 AM, Robert Menschel wrote:

>> header FROM_STARTS_WITH_NUMS     From:addr =~ /^\d{6,}\S+\@/i
>
> The email address used in the From header begins with 6 (or more)
> digits. It's not hitting on 360SkinCare.com, but on the user part of
> the email address (doesn't even look at the domain name).

The From line didn't start with numbers (unless I'm missing your  
point). It was the username. Are you referring to the Message-Id?  
It's the only line that seems to appear that way.

> dsc> dinged at least four times for the same issue. If the latter, can I
> dsc> improve something with the webmail configuration to avoid this since
> dsc> webmail is a very common tool?
>
> You can place the original/dial-up IP address only into the
> X-Originating-Ip that you are already using, and not a Received
> header. The first Received header should then show the email coming
> from your (not dynamic) webmail server instead.

Good suggestion. Which rule will no longer get triggered by this change?

Thank you for your excellent response.