You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Ned Slider <ne...@unixmail.co.uk> on 2008/10/01 00:14:26 UTC

False Positive on SUBJECT_FUZZY_TION rule

Hi List,

I'm getting some FP hits against the SUBJECT_FUZZY_TION rule in 
25_replace.cf (SA 3.2.5, latest update):


header SUBJECT_FUZZY_TION       Subject =~ /<post P3>(?!tion)<T><I><O><N>/i
describe SUBJECT_FUZZY_TION     Attempt to obfuscate words in Subject:
replace_rules SUBJECT_FUZZY_TION


is hitting on ham from a mailing list with the following subject line:

Subject: Re: [CentOS] mount UFS partition on CentOS 5.

My regex isn't good enough to understand exactly what this rule is 
trying to achieve, but it looks to me like some kind of obfuscation of 
"tion" within a word, but it appears to be hitting on "partition" in 
this case to my untrained eye. A test email containing just the text 
"partition" in the subject line also hits this rule so would appear to 
confirm my assumptions.

Could anyone help me understand what this rule is designed to hit, and 
why it's hitting in this case?

Thanks.

Re: False Positive on SUBJECT_FUZZY_TION rule

Posted by Joseph Brennan <br...@columbia.edu>.

John Hardin <jh...@impsec.org> wrote:

>> header SUBJECT_FUZZY_TION       Subject =~ /<post 
P3>(?!tion)<T><I><O><N>/i
>>
>> is hitting on ham from a mailing list with the following subject line:
>>
>> Subject: Re: [CentOS] mount UFS partition on CentOS 5.
>>
>> A test email containing just the text "partition" in the subject line
>> also hits this rule so would appear to confirm my assumptions.
>
> I suggest you open a bug for this. It certainly should not hit, as the
> (?!tion) should keep it from matching an unobfuscated word...
>
> Does it hit unobfuscated "partitions"? How about "portion"?
>
> Perhaps it should be /<post P3>(?!tion)<T><I><O><N><S>?\b/i



Here, it matched three spam run subjects yesterday.  They were all
spam but only one was obfuscated.  Subjects were:


Listings for specialties such as:  general practitioners

No competition here, we're best on market.

The se_x!_est te.mp.ting te\e'n gI_rLs In sweet ha.rd,cO.re act!on.



Joseph Brennan
Columbia University Information Technology

Re: False Positive on SUBJECT_FUZZY_TION rule

Posted by Ned Slider <ne...@unixmail.co.uk>.

John Hardin wrote:
> On Tue, 30 Sep 2008, Ned Slider wrote:
> 
>> header SUBJECT_FUZZY_TION       Subject =~ /<post 
>> P3>(?!tion)<T><I><O><N>/i
>>
>> is hitting on ham from a mailing list with the following subject line:
>>
>> Subject: Re: [CentOS] mount UFS partition on CentOS 5.
>>
>> A test email containing just the text "partition" in the subject line 
>> also hits this rule so would appear to confirm my assumptions.
> 
> I suggest you open a bug for this. It certainly should not hit, as the 
> (?!tion) should keep it from matching an unobfuscated word...
> 

But I think it's treating the middle "ti" in "tition" as an obfuscation 
of "tion" hence the match in this case.

> Does it hit unobfuscated "partitions"? How about "portion"?
> 
> Perhaps it should be /<post P3>(?!tion)<T><I><O><N><S>?\b/i
> 

It hits partition, partitions, petition, repetition etc (basically any 
word ending "tition(s)"), but does not hit portion, potion, nation, 
notion or reputation, for example.

I'm happy to open a bug for this if that's appropriate, but the rule 
does appear to be doing what it's designed to do albeit with some false 
positives.

Re: False Positive on SUBJECT_FUZZY_TION rule

Posted by John Hardin <jh...@impsec.org>.

On Tue, 30 Sep 2008, Ned Slider wrote:

> header SUBJECT_FUZZY_TION       Subject =~ /<post P3>(?!tion)<T><I><O><N>/i
>
> is hitting on ham from a mailing list with the following subject line:
>
> Subject: Re: [CentOS] mount UFS partition on CentOS 5.
>
> A test email containing just the text "partition" in the subject line 
> also hits this rule so would appear to confirm my assumptions.

I suggest you open a bug for this. It certainly should not hit, as the 
(?!tion) should keep it from matching an unobfuscated word...

Does it hit unobfuscated "partitions"? How about "portion"?

Perhaps it should be /<post P3>(?!tion)<T><I><O><N><S>?\b/i

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Government cannot grant rights. Government can only limit, infringe
   or suppress rights.
-----------------------------------------------------------------------
  35 days until the Presidential Election

RE: False Positive on SUBJECT_FUZZY_TION rule

Posted by Michael Hutchinson <mh...@manux.co.nz>.

> -----Original Message-----
> From: Ned Slider [mailto:ned@unixmail.co.uk]
> Sent: 1 October 2008 12:15 p.m.
> To: users@spamassassin.apache.org
> Subject: Re: False Positive on SUBJECT_FUZZY_TION rule
> 
> Ned Slider wrote:
> > Hi List,
> >
> > I'm getting some FP hits against the SUBJECT_FUZZY_TION rule in
> > 25_replace.cf (SA 3.2.5, latest update):
> >
> >
> > header SUBJECT_FUZZY_TION       Subject =~ /<post
> P3>(?!tion)<T><I><O><N>/i
> > describe SUBJECT_FUZZY_TION     Attempt to obfuscate words in
Subject:
> > replace_rules SUBJECT_FUZZY_TION
> >
> >
> > is hitting on ham from a mailing list with the following subject
line:
> >
> > Subject: Re: [CentOS] mount UFS partition on CentOS 5.
> >
> > My regex isn't good enough to understand exactly what this rule is
> > trying to achieve, but it looks to me like some kind of obfuscation
of
> > "tion" within a word, but it appears to be hitting on "partition" in
> > this case to my untrained eye. A test email containing just the text
> > "partition" in the subject line also hits this rule so would appear
to
> > confirm my assumptions.
> >
> > Could anyone help me understand what this rule is designed to hit,
and
> > why it's hitting in this case?
> >
> > Thanks.
> >
> 
> 
> Replying to my own thread...
> 
> I'm assuming this rule is interpreting "tition" as an obfuscation of
> "tion" hence why it hits against "partition" as if it were an
> obfuscation of "partion".
> 
> Looking at some very crude stats for this rule against a recent corpus
> of ~1700 ham and ~1800 spam on my server, I see 13 FP hits against ham
> and only 1 hit against spam (an obfuscation of erection). Admittedly
my
> ham corpus was a technical mailing list likely to contain the term
> "partition" given it's common usage within IT and triggering of the
rule
> in no way got close to tagging any ham as spam.
> 
> Anyway, to me this rule doesn't appear to represent good value so I'll
> probably just adjust the score to 0.001 and monitor it unless someone
> can suggest a method to prevent it hitting against legitimate words
such
> as partition.

Hello Ned.

Lowering the score to something that will not be relevant at total score
time is a good idea for testing any rules. As you've done a corpus test,
and proven that it hits more Ham than Spam (by a significant figure)
this proves the rule doesn't really work for your site. If it were my
site, I'd disable the rule based on the corpus test. 

Cheers,
Mike

Re: False Positive on SUBJECT_FUZZY_TION rule

Posted by Ned Slider <ne...@unixmail.co.uk>.

Ned Slider wrote:
> Hi List,
> 
> I'm getting some FP hits against the SUBJECT_FUZZY_TION rule in 
> 25_replace.cf (SA 3.2.5, latest update):
> 
> 
> header SUBJECT_FUZZY_TION       Subject =~ /<post P3>(?!tion)<T><I><O><N>/i
> describe SUBJECT_FUZZY_TION     Attempt to obfuscate words in Subject:
> replace_rules SUBJECT_FUZZY_TION
> 
> 
> is hitting on ham from a mailing list with the following subject line:
> 
> Subject: Re: [CentOS] mount UFS partition on CentOS 5.
> 
> My regex isn't good enough to understand exactly what this rule is 
> trying to achieve, but it looks to me like some kind of obfuscation of 
> "tion" within a word, but it appears to be hitting on "partition" in 
> this case to my untrained eye. A test email containing just the text 
> "partition" in the subject line also hits this rule so would appear to 
> confirm my assumptions.
> 
> Could anyone help me understand what this rule is designed to hit, and 
> why it's hitting in this case?
> 
> Thanks.
> 

Replying to my own thread...

I'm assuming this rule is interpreting "tition" as an obfuscation of 
"tion" hence why it hits against "partition" as if it were an 
obfuscation of "partion".

Looking at some very crude stats for this rule against a recent corpus 
of ~1700 ham and ~1800 spam on my server, I see 13 FP hits against ham 
and only 1 hit against spam (an obfuscation of erection). Admittedly my 
ham corpus was a technical mailing list likely to contain the term 
"partition" given it's common usage within IT and triggering of the rule 
in no way got close to tagging any ham as spam.

Anyway, to me this rule doesn't appear to represent good value so I'll 
probably just adjust the score to 0.001 and monitor it unless someone 
can suggest a method to prevent it hitting against legitimate words such 
as partition.