Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2016/07/10 15:36:33 UTC

[Bug 7336] New: LOTTO_AGENT needs to be modified.

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

            Bug ID: 7336
           Summary: LOTTO_AGENT needs to be modified.
           Product: Spamassassin
           Version: unspecified
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Rules
          Assignee: dev@spamassassin.apache.org
          Reporter: mrl@psfc.mit.edu

I recently had resumes sent to my site that hit both LOTTO_AGENT and
ADVANCE_FEE_3_NEW_MONEY, causing false positives.  My log scan shows that
LOTTO_AGENT rarely hits spam.  Only 90 spam messages hit that rule, out of
90.000 received.  The spam scores were high enough to block those spam
messages, without the need for LOTTO_AGENT.

I did a Google search for the specific job description that hit LOTTO_AGENT,
which was "grants manager", and could not find a single piece of spam with that
job.  I suggest that either that score be lowered, the rule modified to
eliminate job descriptions that aren't found in spam messages, or the rule
totally eliminated.  Thanks very much.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

--- Comment #4 from Mark London <mr...@psfc.mit.edu> ---
Oops.  I didn't understand that the URL gets added to the bug entry itself, not
the comment.

http://spamassassin.1065346.n5.nabble.com/Claims-manager-LOTTO-AGENT-td102231.html

This person had a similar problem: LOTTO_AGENT got hit with an
ADVANCE_FEE_2_NEW_MONEY at the same time.  In my case, it was
ADVANCE_FEE_3_NEW_MONEY.  I searched my logs, and could only find a single case
of ADVANCE_FEE_3_NEW_MONEY hitting at the same time as ADVANCE_FEE_3_NEW_MONEY.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

--- Comment #5 from John Hardin <jh...@impsec.org> ---
(In reply to Mark London from comment #4)
> I searched my logs, and could only find a single
> case of ADVANCE_FEE_3_NEW_MONEY hitting at the same time as
> ADVANCE_FEE_3_NEW_MONEY.

I expect you meant AF2 and AF3 hitting at the same time. That overlap was fixed
a long time ago, you should not be seeing it at all. How up-to-date are your
rules?

Again, are you willing to provide FP samples? Privately if they aren't suitable
for adding to the bugzilla.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

John Hardin <jh...@impsec.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jhardin@impsec.org

--- Comment #1 from John Hardin <jh...@impsec.org> ---
This sort of thing is generally better handled on the users mailing list.

Are you willing to provide some FP samples? If they are sensitive you can send
them directly to me rather than posting them publicly.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

Mark London <mr...@psfc.mit.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://spamassassin.1065346
                   |                            |.n5.nabble.com/Claims-manag
                   |                            |er-LOTTO-AGENT-td102231.htm
                   |                            |l
                 CC|                            |mrl@psfc.mit.edu

--- Comment #3 from Mark London <mr...@psfc.mit.edu> ---
The URL attached to this message shows that someone complained about the same
thing, back in 2012.  At that time, the score was reduced.  But for some
reason, it was raised again.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

--- Comment #2 from John Hardin <jh...@impsec.org> ---
Reduced the score limit a bit pending FP examples.

$ svn commit 
Sending        20_lotsa_money.cf
Transmitting file data .
Committed revision 1752103.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

Giovanni Bechis <gi...@paclan.it> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #9 from Giovanni Bechis <gi...@paclan.it> ---
Final fix committed in r1755382.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

--- Comment #7 from John Hardin <jh...@impsec.org> ---
Some more tuning.

$ svn commit
Sending        20_lotsa_money.cf
Transmitting file data .
Committed revision 1755382.

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

--- Comment #6 from Mark London <mr...@psfc.mit.edu> ---
(In reply to John Hardin from comment #5)
> (In reply to Mark London from comment #4)
> > I searched my logs, and could only find a single
> > case of ADVANCE_FEE_3_NEW_MONEY hitting at the same time as
> > ADVANCE_FEE_3_NEW_MONEY.
> 
> I expect you meant AF2 and AF3 hitting at the same time. That overlap was
> fixed a long time ago, you should not be seeing it at all. How up-to-date
> are your rules?
> 
> Again, are you willing to provide FP samples? Privately if they aren't
> suitable for adding to the bugzilla.

Sorry, I meant to say that I could find only one single case of
ADVANCE_FEE_3_NEW_MONEY hitting at the same time as LOTTO_AGENT.

ADVANCE_FEE_3_NEW_MONEY hit this message with a resume, because LOTS_OF_MONEY
was present.  Also, because __ADVANCE_FEE_3_NEW hit, because its score was >
2.   The 3 hits that caused __ADVANCE_FEE_3_NEW to occur, were LOTTO_AGENT,
__DEAL (financial transaction), and __FRAUD_IRT (Dear Sir). Those 3 made the
score > 2.

LOTTO_AGENT only hit 75 out of about 90000 spam messages in my log.

61 of those messages had FILL_THIS_FORM
55 of those messages had US_DOLLARS_3
43 of those messages had FROM_MISSP_REPLYTO
35 of those messages had YOU_WON
28 of those messages had FROM_MISSP_USER
26 of those messages had DEAR_BENEFICIARY
12 of those messages had FREEMAIL_FORGED_REPLYTO

If I filter out all of the LOTTO_AGENT spam messages that had either
US_DOLLARS_3 or FILL_THIS_FORM, I only get 4 spam messages.  So those 2
rules are knew for LOTTO_AGENT being likely to be a spam.  For the 4 that
didn't hit those 2 rules:

3 of those had FREEMAIL_FORGED_REPLYTO
The 4th had DEAR_BENEFICIARY and HK_RANDOM_FROM

It seems to me, given the low amounts of hits for LOTTO_AGENT, its score
should be dependent on other rules, such as FILL_THIS_FORM or US_DOLLARS_3.

Personally, I have a lot of rules dependent on the size of the message.  A
resume is a fairly large file, while spam like the ones that LOTTO_AGENT is
likely to hit, tend to be small.  IMHO.

FWIW, what is 73_sandbox_manual_scores.cf?  I see that ADVANCE_FEE_3_NEW_MONEY
has a lower score there, if I comment out a line.

-- 
You are receiving this mail because:
You are the assignee for the bug.
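
The co-occurrence count described in comment #6 can be reproduced with a short script over spamd logs. This is an added example, not part of the thread or of SpamAssassin; it assumes log lines in the spamd `result:` format, and the sample lines, the `report` function and its parameters are constructed for illustration.

```python
import re
from collections import Counter, namedtuple

# Constructed sample lines in the spamd "result:" log format (not from the bug report).
SAMPLE_LOG = """\
spamd: result: Y 14 - DEAR_BENEFICIARY,FILL_THIS_FORM,LOTTO_AGENT,US_DOLLARS_3 scantime=0.9,size=2104,user=a
spamd: result: Y 11 - FILL_THIS_FORM,LOTTO_AGENT,YOU_WON scantime=0.7,size=1830,user=a
spamd: result: Y 9 - FREEMAIL_FORGED_REPLYTO,LOTTO_AGENT scantime=0.8,size=1512,user=b
spamd: result: Y 8 - ADVANCE_FEE_3_NEW_MONEY,LOTS_OF_MONEY,LOTTO_AGENT scantime=2.1,size=48211,user=c
spamd: result: . 1 - HTML_MESSAGE scantime=0.4,size=3300,user=c
spamd: result: Y 21 - FILL_THIS_FORM,US_DOLLARS_3,YOU_WON scantime=0.6,size=1999,user=b
"""

Record = namedtuple("Record", "is_spam score rules size")
RESULT_RE = re.compile(
    r"result: (?P<verdict>[Y.]) +(?P<score>-?\d+) - (?P<rules>\S*) .*?size=(?P<size>\d+)")

def parse(log_text):
    """Yield one Record per spamd result line; other log lines are skipped."""
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            rules = frozenset(filter(None, m["rules"].split(",")))
            yield Record(m["verdict"] == "Y", int(m["score"]), rules, int(m["size"]))

def report(log_text, target="LOTTO_AGENT",
           companions=("FILL_THIS_FORM", "US_DOLLARS_3")):
    """Summarise how often `target` fires on spam and which rules fire with it."""
    records = list(parse(log_text))
    hits = [r for r in records if r.is_spam and target in r.rules]
    counts = Counter(rule for r in hits for rule in r.rules - {target})
    # Hits with none of the companions: the only messages where the target rule
    # could matter on its own, and where false positives would show up.
    residual = [r for r in hits if not r.rules & set(companions)]
    return {"spam_total": sum(r.is_spam for r in records),
            "target_hits": len(hits),
            "companions": counts,
            "residual": residual}

if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    print(f"{summary['target_hits']} of {summary['spam_total']} spam messages hit LOTTO_AGENT")
    for rule, n in summary["companions"].most_common():
        print(f"{n} of those messages had {rule}")
    for r in summary["residual"]:
        print(f"no companion rule: score={r.score} size={r.size} rules={sorted(r.rules)}")
```

The residual list also carries the message size, so a large message such as a resume stands out among the small ones.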

[Bug 7336] LOTTO_AGENT needs to be modified.

Posted by bu...@bugzilla.spamassassin.org.
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7336

Giovanni Bechis <gi...@paclan.it> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |giovanni@paclan.it

--- Comment #8 from Giovanni Bechis <gi...@paclan.it> ---
More tuning committed 1.5 years ago, time to close this bz?
