Posted to users@spamassassin.apache.org by Michael Scheidell <mi...@secnap.com> on 2011/07/21 21:41:34 UTC

if you don't watch it, legit mail can be blocked

yes, I hate those silly knock off spams.

but, this rule seems to be way too aggressive.

50_scores.cf:score FS_REPLICA 1.630 3.599 2.028 3.599 # n=2
50_scores.cf:score FS_REPLICAWATCH 3.237 1.715 1.733 3.015 # n=2
72_active.cf:##{ FS_REPLICA
72_active.cf:header   FS_REPLICA             Subject =~ /replica/i
72_active.cf:describe FS_REPLICA             Subject says "replica"
72_active.cf:##} FS_REPLICA
72_active.cf:##{ FS_REPLICAWATCH
72_active.cf:header   FS_REPLICAWATCH        Subject =~ /replica watch/i
72_active.cf:describe FS_REPLICAWATCH        Subject says Replica watch
72_active.cf:##} FS_REPLICAWATCH

you need ONE or the other, maybe; if a subject line says 'replica 
watch', both rules hit, and you have a 6.6 point score.
if one hits (replication, as in database replication, disaster recovery 
replication, civil war replica, ANYTHING), you have a 3.6 point score.

anyone else think that ANY rule that scores above a 3 is asking for trouble?



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator


Re: if you don't watch it, legit mail can be blocked

Posted by John Hardin <jh...@impsec.org>.
On Fri, 22 Jul 2011, darxus@chaosreigns.com wrote:

> I'm kind of disappointed that it looks like nobody with commit access 
> has stepped up to make this change.  Although it has only been a day. 
> But before we all forget about this....

Absent a formal bug report, I (and possibly others) are reluctant to go 
mucking about in others' sandboxes.

A bug was filed, and I checked in some changes that should address the 
problem. It'll probably be a couple of days before it goes out in an 
update.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
    "A well educated Electorate, being necessary to the liberty of a
     free State, the Right of the People to Keep and Read Books,
     shall not be infringed."
   ...means only registered voters can read books, and only those books
   obtained with State permission from State-controlled bookstores?
-----------------------------------------------------------------------
  226 days since the first successful private orbital launch (SpaceX)

Re: if you don't watch it, legit mail can be blocked

Posted by da...@chaosreigns.com.
On 07/21, David F. Skoll wrote:
> On Thu, 21 Jul 2011 15:41:34 -0400
> Michael Scheidell <mi...@secnap.com> wrote:
> 
> > 72_active.cf:header   FS_REPLICA             Subject =~ /replica/i
> 
> > anyone else think that ANY rule that scores above a 3 is asking for
> > trouble?
> 
> Yikes!
> 
> I think any rule that looks like Subject =~ /string/i is asking for
> trouble.  At the very least, I would use Subject =~ /\bstring\b/i if
> the string is supposed to be a word.

I'm kind of disappointed that it looks like nobody with commit access has
stepped up to make this change.  Although it has only been a day.  But
before we all forget about this....

The users list was definitely the right place to first bring this up, but
now that there has been consensus that something should probably be
changed in spamassassin, the best way to increase the chances of that
happening are to open a bug against spamassassin.

On the main spamassassin page, there's a "Bugs" link.  Anybody can submit
it.  

-- 
"Let's just say that if complete and utter chaos was lightning, then
he'd be the sort to stand on a hilltop in a thunderstorm wearing wet
copper armour and shouting 'All gods are bastards'." - The Color of Magic
http://www.ChaosReigns.com

Re: if you don't watch it, legit mail can be blocked

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Thu, 2011-07-21 at 15:45 -0400, David F. Skoll wrote:
> On Thu, 21 Jul 2011 15:41:34 -0400 Michael Scheidell wrote:
> 
> > 72_active.cf:header   FS_REPLICA             Subject =~ /replica/i
> 
> > anyone else think that ANY rule that scores above a 3 is asking for
> > trouble?
> 
> Yikes!
> 
> I think any rule that looks like Subject =~ /string/i is asking for
> trouble.  At the very least, I would use Subject =~ /\bstring\b/i if
> the string is supposed to be a word.

My thought exactly reading the OP and its FP samples. The rules are
missing word boundaries.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: if you don't watch it, legit mail can be blocked

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On Thu, 21 Jul 2011 15:41:34 -0400
Michael Scheidell <mi...@secnap.com> wrote:

> 72_active.cf:header   FS_REPLICA             Subject =~ /replica/i

> anyone else think that ANY rule that scores above a 3 is asking for
> trouble?

Yikes!

I think any rule that looks like Subject =~ /string/i is asking for
trouble.  At the very least, I would use Subject =~ /\bstring\b/i if
the string is supposed to be a word.

Regards,

David.
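To make the two points in this thread concrete (substring rules firing on words like "replication", and nested rules stacking their scores), here is an added example, not code from the thread or from SpamAssassin itself. It evaluates the quoted FS_REPLICA / FS_REPLICAWATCH patterns and a word-boundary variant over constructed subject lines, using the scoreset-3 values from 50_scores.cf; the bounded FS_REPLICAWATCH keeps only the leading `\b` (my choice, so "watches" still matches).

```python
import re

# Scoreset 3 (net + bayes) values quoted from 50_scores.cf in the thread.
SCORES = {"FS_REPLICA": 3.599, "FS_REPLICAWATCH": 3.015}

# The rules as shipped in 72_active.cf: plain case-insensitive substrings.
RULES_ORIGINAL = {
    "FS_REPLICA": re.compile(r"replica", re.I),
    "FS_REPLICAWATCH": re.compile(r"replica watch", re.I),
}

# Word-boundary variant along the lines suggested in the thread.
# Trailing \b is deliberately omitted on the second rule so that
# "replica watches" still hits (assumption, not a shipped rule).
RULES_BOUNDED = {
    "FS_REPLICA": re.compile(r"\breplica\b", re.I),
    "FS_REPLICAWATCH": re.compile(r"\breplica watch", re.I),
}

def score_subject(subject, rules):
    """Return (list of rule names that hit, summed score).

    Note that FS_REPLICAWATCH can only hit when FS_REPLICA also hits,
    so a "replica watch" subject always pays both scores: the overlap
    problem the thread calls "1+1!=2".
    """
    hits = [name for name, rx in rules.items() if rx.search(subject)]
    return hits, round(sum(SCORES[n] for n in hits), 3)

# Constructed sample subjects (not real mail).
SPAM_SUBJECT = "Cheap Replica Watches - 80% off"
HAM_REPLICATION = "Database replication job failed overnight"
HAM_WHOLE_WORD = "Civil War replica sword for the museum"

if __name__ == "__main__":
    for subject in (SPAM_SUBJECT, HAM_REPLICATION, HAM_WHOLE_WORD):
        print(subject)
        print("  original:", score_subject(subject, RULES_ORIGINAL))
        print("  bounded: ", score_subject(subject, RULES_BOUNDED))
```

The boundary fix removes the "replication" false positive but, as the original poster notes, a subject that really contains the word "replica" still scores 3.6 on its own.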

Re: if you don't watch it, legit mail can be blocked

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>On 07/21, Michael Scheidell wrote:
>> but, this rule seems to be way too aggressive.
>>
>> 50_scores.cf:score FS_REPLICA 1.630 3.599 2.028 3.599 # n=2
>> 50_scores.cf:score FS_REPLICAWATCH 3.237 1.715 1.733 3.015 # n=2
>
>> 72_active.cf:header   FS_REPLICA             Subject =~ /replica/i
>
>> 72_active.cf:describe FS_REPLICAWATCH        Subject says Replica watch

On 21.07.11 16:07, darxus@chaosreigns.com wrote:
>   SPAM%     HAM%     S/O    RANK   SCORE  NAME
>  7.5986        0   1.000    0.92    3.24  FS_REPLICAWATCH
>  9.8513   0.0143   0.999    0.92    1.63  FS_REPLICA
[...]
>But yes, it does look like this pair of rules could be improved.  It is an
>unfortunate problem that score generation doesn't have a good way of
>accounting for heavy overlap.

That's why we need 1+1!=2 checking.
This is not the first time some rules overlap.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.

Re: if you don't watch it, legit mail can be blocked

Posted by da...@chaosreigns.com.
On 07/21, Michael Scheidell wrote:
> but, this rule seems to be way too aggressive.
> 
> 50_scores.cf:score FS_REPLICA 1.630 3.599 2.028 3.599 # n=2
> 50_scores.cf:score FS_REPLICAWATCH 3.237 1.715 1.733 3.015 # n=2

> 72_active.cf:header   FS_REPLICA             Subject =~ /replica/i

> 72_active.cf:describe FS_REPLICAWATCH        Subject says Replica watch

Scores are automatically generated based on optimal performance based on
actual emails:  http://wiki.apache.org/spamassassin/NightlyMassCheck

Statistics of the results are regularly generated:
http://ruleqa.spamassassin.org/?daterev=20110716&rule=%2FFS_REPLICA

   SPAM%     HAM%     S/O    RANK   SCORE  NAME  
  7.5986        0   1.000    0.92    3.24  FS_REPLICAWATCH  
  9.8513   0.0143   0.999    0.92    1.63  FS_REPLICA  

So FS_REPLICA hits 9.8513% of spam while hitting 0.0143% of ham.  That's
less than 1 in 2500 hams (0.04%), which is the overall false positive rate
SpamAssassin aims for.


But yes, it does look like this pair of rules could be improved.  It is an
unfortunate problem that score generation doesn't have a good way of
accounting for heavy overlap.  

> anyone else think that ANY rule that scores above a 3 is asking for trouble?

There has been talk of limiting that kind of thing.

-- 
"Where are you going and what do you wish?"
- The Old Moon, to Winkin' Blinkin' and Nod
http://www.ChaosReigns.com