Posted to commits@spamassassin.apache.org by jh...@apache.org on 2011/02/21 18:19:54 UTC
svn commit: r1073076 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
Author: jhardin
Date: Mon Feb 21 17:19:54 2011
New Revision: 1073076
URL: http://svn.apache.org/viewvc?rev=1073076&view=rev
Log:
Allow obfu rule to be published
Modified:
spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf?rev=1073076&r1=1073075&r2=1073076&view=diff
==============================================================================
--- spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf (original)
+++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf Mon Feb 21 17:19:54 2011
@@ -25,5 +25,5 @@ describe URI_OBFU_TLD URI top-
body URI_DEOBFU_INSTR /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i
describe URI_DEOBFU_INSTR How to deobfuscate this URI
-tflags URI_DEOBFU_INSTR nopublish
+#tflags URI_DEOBFU_INSTR nopublish
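Review bot: the last line of the hunk disables `tflags URI_DEOBFU_INSTR nopublish` by commenting it out instead of deleting it, and nothing in the hunk or the log message ("Allow obfu rule to be published") says why the flag was set or what changed; delete the line, or keep it with a one-line comment giving the reason. Publishing also exposes the body pattern two lines up as written: it has no \b on either side, so it matches inside longer words (for example "remove the spacesuit"), and it fires on the bare phrase with no tie to a URI. No score line for the rule is visible in this hunk, so consider tightening the pattern or adding an explicit low score in the same change.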
Re: svn commit: r1073076 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
Posted by John Hardin <jh...@impsec.org>.
On Mon, 21 Feb 2011, Warren Togami Jr. wrote:
> On 02/21/2011 10:06 PM, Warren Togami Jr. wrote:
>> I agree it would be wise to allow this to auto-promote, but given the
>> small size of our ham corpus and the fact that this pattern could rarely
>> but legitimately appear in non-spam, perhaps we should manually cap its
>> score to be on the safe side.
>>
>> To throw out an arbitrary number I'd suggest 0.9 points?
>>
>> Warren
>
> http://ruleqa.spamassassin.org/20110221-r1072884-n/T_URI_DEOBFU_INSTR/detail
> http://ruleqa.spamassassin.org/20110221-r1072884-n/URI_OBFU_TLD/detail
>
> On second thought, examine the overlap of these rules. Nearly all such cases
> are already caught by high scoring rules like PYZOR_CHECK or SOUGHT. Given
> that both rules cannot be 100% correct and the fact that they are numerically
> redundant, I advise caution in allowing these to be auto-promoted and
> especially auto-scored.
>
> Perhaps we are better off leaving easy to catch temporary campaign patterns
> like these to tools better equipped to handle them like SOUGHT or PYZOR.
This I disagree with. How do you know the obfuscations these rules test
for are only temporary? Obfuscating URLs with spaces has a _long_ history.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Health Care _is_ a right - the government has no business keeping
you from getting it. But forcing somebody else to pay for your
health care at gunpoint (i.e. through taxation) is _not_ a right.
-----------------------------------------------------------------------
Today: George Washington's 279th Birthday
Re: svn commit: r1073076 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
Posted by "Warren Togami Jr." <wt...@gmail.com>.
On 02/21/2011 10:06 PM, Warren Togami Jr. wrote:
> I agree it would be wise to allow this to auto-promote, but given the
> small size of our ham corpus and the fact that this pattern could rarely
> but legitimately appear in non-spam, perhaps we should manually cap its
> score to be on the safe side.
>
> To throw out an arbitrary number I'd suggest 0.9 points?
>
> Warren
http://ruleqa.spamassassin.org/20110221-r1072884-n/T_URI_DEOBFU_INSTR/detail
http://ruleqa.spamassassin.org/20110221-r1072884-n/URI_OBFU_TLD/detail
On second thought, examine the overlap of these rules. Nearly all such
cases are already caught by high scoring rules like PYZOR_CHECK or
SOUGHT. Given that both rules cannot be 100% correct and the fact that
they are numerically redundant, I advise caution in allowing these to be
auto-promoted and especially auto-scored.
Perhaps we are better off leaving easy to catch temporary campaign
patterns like these to tools better equipped to handle them like SOUGHT
or PYZOR.
Warren
Re: svn commit: r1073076 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
Posted by John Hardin <jh...@impsec.org>.
On Mon, 21 Feb 2011, Warren Togami Jr. wrote:
> I agree it would be wise to allow this to auto-promote, but given the small
> size of our ham corpus and the fact that this pattern could rarely but
> legitimately appear in non-spam, perhaps we should manually cap its score to
> be on the safe side.
How do you manually cap a score vs. manually setting a score to a specific
value? I'm not aware of such a capability, and would welcome it.
> To throw out an arbitrary number I'd suggest 0.9 points?
Sounds reasonable to me.
> Warren
>
> On 02/21/2011 07:19 AM, jhardin@apache.org wrote:
>> Author: jhardin
>> Date: Mon Feb 21 17:19:54 2011
>> New Revision: 1073076
>>
>> URL: http://svn.apache.org/viewvc?rev=1073076&view=rev
>> Log:
>> Allow obfu rule to be published
>>
>> Modified:
>> spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
>>
>> Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
>> URL:
>> http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf?rev=1073076&r1=1073075&r2=1073076&view=diff
>> ==============================================================================
>> --- spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
>> (original)
>> +++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf Mon Feb
>> 21 17:19:54 2011
>> @@ -25,5 +25,5 @@ describe URI_OBFU_TLD URI top-
>>
>> body URI_DEOBFU_INSTR
>> /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i
>> describe URI_DEOBFU_INSTR How to deobfuscate this URI
>> -tflags URI_DEOBFU_INSTR nopublish
>> +#tflags URI_DEOBFU_INSTR nopublish
Re: svn commit: r1073076 - /spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
Posted by "Warren Togami Jr." <wt...@gmail.com>.
I agree it would be wise to allow this to auto-promote, but given the
small size of our ham corpus and the fact that this pattern could rarely
but legitimately appear in non-spam, perhaps we should manually cap its
score to be on the safe side.
To throw out an arbitrary number I'd suggest 0.9 points?
Warren
On 02/21/2011 07:19 AM, jhardin@apache.org wrote:
> Author: jhardin
> Date: Mon Feb 21 17:19:54 2011
> New Revision: 1073076
>
> URL: http://svn.apache.org/viewvc?rev=1073076&view=rev
> Log:
> Allow obfu rule to be published
>
> Modified:
> spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
>
> Modified: spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf
> URL: http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf?rev=1073076&r1=1073075&r2=1073076&view=diff
> ==============================================================================
> --- spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf (original)
> +++ spamassassin/trunk/rulesrc/sandbox/jhardin/20_uri_obfu_ws.cf Mon Feb 21 17:19:54 2011
> @@ -25,5 +25,5 @@ describe URI_OBFU_TLD URI top-
>
> body URI_DEOBFU_INSTR /(?:delete|remove|take\sout)(?:\sthe)?\sspaces/i
> describe URI_DEOBFU_INSTR How to deobfuscate this URI
> -tflags URI_DEOBFU_INSTR nopublish
> +#tflags URI_DEOBFU_INSTR nopublish
>
>
>
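The false-positive concern raised in this thread (the pattern "could rarely but legitimately appear in non-spam"), as an added example that is not part of the original posts or of SpamAssassin itself: the committed URI_DEOBFU_INSTR pattern, which Python's re accepts unchanged, run over constructed paragraphs next to a hypothetical stricter variant. `STRICT_PHRASE`, `SPACED_HOST`, the whitespace normalization and all sample text are assumptions made for illustration.

```python
import re

# Pattern copied verbatim from the URI_DEOBFU_INSTR body rule in the commit.
RULE = re.compile(r"(?:delete|remove|take\sout)(?:\sthe)?\sspaces", re.I)

# Hypothetical tighter variant (not from the thread): word boundaries on the
# phrase, plus a host name broken by a space before the dot in the same text.
STRICT_PHRASE = re.compile(
    r"\b(?:delete|remove|take\sout)(?:\sthe)?\sspaces\b", re.I)
SPACED_HOST = re.compile(r"\b[a-z0-9-]+\s+\.\s*[a-z]{2,}\b", re.I)


def normalize(paragraph):
    """Collapse whitespace runs to one space (assumed approximation of the
    rendered text that body rules are matched against)."""
    return re.sub(r"\s+", " ", paragraph).strip()


def rule_hits(paragraph):
    return RULE.search(normalize(paragraph)) is not None


def strict_hits(paragraph):
    text = normalize(paragraph)
    return bool(STRICT_PHRASE.search(text) and SPACED_HOST.search(text))


# Constructed sample paragraphs: (label, text). None come from a real corpus.
SAMPLES = [
    ("spam", "Great deals at www . example . com (remove the spaces)"),
    ("spam", "Paste shop . example .net in your browser and take\n out   spaces"),
    ("ham", "Before importing, remove the spaces from the part numbers."),
    ("ham", "The crew had to remove the spacesuit before the briefing."),
]


def tally(matcher):
    """Return (spam hits, ham hits) for a matcher over SAMPLES."""
    spam = sum(1 for label, text in SAMPLES if label == "spam" and matcher(text))
    ham = sum(1 for label, text in SAMPLES if label == "ham" and matcher(text))
    return spam, ham


if __name__ == "__main__":
    print("URI_DEOBFU_INSTR as committed:", tally(rule_hits))
    print("hypothetical strict variant: ", tally(strict_hits))
```

On these constructed samples the committed pattern fires on both ham paragraphs, one of them only because "spaces" is a prefix of "spacesuit"; the stricter variant keeps both spam hits and drops the ham ones.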