Posted to users@spamassassin.apache.org by Axb <ax...@gmail.com> on 2015/03/16 11:05:24 UTC

Re: URI_DOTDOT_LOW_CNTRST false positives?

On 03/16/2015 10:54 AM, Per Jessen wrote:
> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST
> scoring on many legitimate mails. E.g. from linkedin and distrelec.
>
> For instance:
> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>
> When the above was processed I noticed this in the log:
>
> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A
> class=IN) failed: a domain name contains a null label
>
> As far as I can tell, the email above contains no such uri.
>
> I grep'ed a bit and found some more:
>
> http://files.jessen.ch/more-dotdot.txt
>
> I'm pretty certain 99% of those are false positives.  Probably a hiccup
> on my installation, I was just wondering if anyone else is seeing this?

Which .cf file is this in?
Can't find it in SA trunk's .cf files.
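
The "null label" failure Per quotes can be pulled out of a spamd log in bulk to see which names are being rejected and how often. This is an added example, not part of the thread or of SpamAssassin; the sample log lines (timestamps, host `mx`, `www..example.net`, the "clean message" line) are constructed, modelled on the one message quoted above.

```shell
#!/bin/sh
# Constructed sample input: only the "null label" message text is taken
# from the thread; timestamps, host name and the second domain are made up.
sample_log() {
cat <<'EOF'
Mar 16 10:41:02 mx spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
Mar 16 10:41:02 mx spamd[865]: spamd: clean message (1.2/5.0) for per:1001 in 0.8 seconds, 20480 bytes.
Mar 16 10:43:17 mx spamd[871]: dns: new_dns_packet (domain=www..example.net. type=A class=IN) failed: a domain name contains a null label
Mar 16 10:44:50 mx spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A class=IN) failed: a domain name contains a null label
EOF
}

# Read a spamd log on stdin and print "count domain" for every name that
# was rejected because of a null label, most frequent first.
null_label_domains() {
    sed -n 's/.*new_dns_packet (domain=\([^ ]*\) type=[A-Z0-9]* class=[A-Z]*) failed: a domain name contains a null label.*/\1/p' |
        sed 's/\.$//' |               # drop the trailing root dot
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'        # normalise uniq's leading padding
}

# Succeed when a name has an empty label: a leading dot, two adjacent dots,
# or a dot left over after the single trailing root dot is removed.
has_null_label() {
    name=${1%.}
    case "$name" in
        .*|*..*|*.) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone run over the constructed sample.
sample_log | null_label_domains
```

On a real system, feed the actual spamd log to `null_label_domains` instead of `sample_log`; `has_null_label` can be used to check hostnames extracted from a message before concluding that the double dot came from the mail itself.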


Re: URI_DOTDOT_LOW_CNTRST false positives?

Posted by Axb <ax...@gmail.com>.
On 03/16/2015 11:43 AM, Per Jessen wrote:
> Axb wrote:
>
>> On 03/16/2015 11:28 AM, Per Jessen wrote:
>>> Axb wrote:
>>>
>>>> On 03/16/2015 11:05 AM, Axb wrote:
>>>>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>>>>> I've recently upgraded to SA 3.4.0 - I'm seeing
>>>>>> URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from
>>>>>> linkedin and distrelec.
>>>>>>
>>>>>> For instance:
>>>>>>
>>>>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>>>>
>>>>>>
>>>>>> When the above was processed I noticed this in the log:
>>>>>>
>>>>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com.
>>>>>> type=A class=IN) failed: a domain name contains a null label
>>>>>>
>>>>>> As far as I can tell, the email above contains no such uri.
>>>>>>
>>>>>> I grep'ed a bit and found some more:
>>>>>>
>>>>>> http://files.jessen.ch/more-dotdot.txt
>>>>>>
>>>>>> I'm pretty certain 99% of those are false positives.  Probably a
>>>>>> hiccup on my installation, I was just wondering if anyone else is
>>>>>> seeing this?
>>>>>
>>>>> Which .cf file is this in?
>>>>> Can't find it in SA trunk's .cf files.
>>>>>
>>>>
>>>> ok.. sorry  - found it but atm it seems it isn't being autopromoted
>>>>
>>>>
>>>> have you run a recent sa-update ?
>>>
>>> I think the ruleset is from the tarball from the apache page.  Hmm,
>>> it would appear to be quite old ??
>>>
>>> http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz
>>>
>>> Dated 20Feb2014.
>>>
>>> Is there a recent tarball somewhere?
>>
>> iirc, that is the 3.4 release rules version
>>
>> sa-update would provide the latest ruleset
>
> Yup, got it.  Might not be a bad idea if the apache downloads page had a
> link to the most recent rule-set too. (or even instead of the
> original).

for review before applying I often use

sa-update -D --updatedir /tmp/sa-work

This gets the latest tarball and unpacks the rules
Should be trivial to hack sa-update so it just gets the latest archive.

Putting on the downloads page means it has to be watched that all 
mirrors are in sync... the update mirrors are easier to control.

> Anyway, problem solved, thanks.
My pleasure...


Axb


Re: URI_DOTDOT_LOW_CNTRST false positives?

Posted by Per Jessen <pe...@computer.org>.
Axb wrote:

> On 03/16/2015 11:28 AM, Per Jessen wrote:
>> Axb wrote:
>>
>>> On 03/16/2015 11:05 AM, Axb wrote:
>>>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>>>> I've recently upgraded to SA 3.4.0 - I'm seeing
>>>>> URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from
>>>>> linkedin and distrelec.
>>>>>
>>>>> For instance:
>>>>>
>>>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>>>
>>>>>
>>>>> When the above was processed I noticed this in the log:
>>>>>
>>>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com.
>>>>> type=A class=IN) failed: a domain name contains a null label
>>>>>
>>>>> As far as I can tell, the email above contains no such uri.
>>>>>
>>>>> I grep'ed a bit and found some more:
>>>>>
>>>>> http://files.jessen.ch/more-dotdot.txt
>>>>>
>>>>> I'm pretty certain 99% of those are false positives.  Probably a
>>>>> hiccup on my installation, I was just wondering if anyone else is
>>>>> seeing this?
>>>>
>>>> Which .cf file is this in?
>>>> Can't find it in SA trunk's .cf files.
>>>>
>>>
>>> ok.. sorry  - found it but atm it seems it isn't being autopromoted
>>>
>>>
>>> have you run a recent sa-update ?
>>
>> I think the ruleset is from the tarball from the apache page.  Hmm,
>> it would appear to be quite old ??
>>
>> http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz
>>
>> Dated 20Feb2014.
>>
>> Is there a recent tarball somewhere?
> 
> iirc, that is the 3.4 release rules version
> 
> sa-update would provide the latest ruleset

Yup, got it.  Might not be a bad idea if the apache downloads page had a
link to the most recent rule-set too. (or even instead of the
original).

Anyway, problem solved, thanks.


-- 
Per Jessen, Zürich (8.4°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.


Re: URI_DOTDOT_LOW_CNTRST false positives?

Posted by Axb <ax...@gmail.com>.
On 03/16/2015 11:28 AM, Per Jessen wrote:
> Axb wrote:
>
>> On 03/16/2015 11:05 AM, Axb wrote:
>>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>>> I've recently upgraded to SA 3.4.0 - I'm seeing
>>>> URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from
>>>> linkedin and distrelec.
>>>>
>>>> For instance:
>>>>
>>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>>
>>>>
>>>> When the above was processed I noticed this in the log:
>>>>
>>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A
>>>> class=IN) failed: a domain name contains a null label
>>>>
>>>> As far as I can tell, the email above contains no such uri.
>>>>
>>>> I grep'ed a bit and found some more:
>>>>
>>>> http://files.jessen.ch/more-dotdot.txt
>>>>
>>>> I'm pretty certain 99% of those are false positives.  Probably a
>>>> hiccup on my installation, I was just wondering if anyone else is
>>>> seeing this?
>>>
>>> Which .cf file is this in?
>>> Can't find it in SA trunk's .cf files.
>>>
>>
>> ok.. sorry  - found it but atm it seems it isn't being autopromoted
>>
>>
>> have you run a recent sa-update ?
>
> I think the ruleset is from the tarball from the apache page.  Hmm, it
> would appear to be quite old ??
>
> http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz
>
> Dated 20Feb2014.
>
> Is there a recent tarball somewhere?

iirc, that is the 3.4 release rules version

sa-update would provide the latest ruleset






Re: URI_DOTDOT_LOW_CNTRST false positives?

Posted by Per Jessen <pe...@computer.org>.
Axb wrote:

> On 03/16/2015 11:05 AM, Axb wrote:
>> On 03/16/2015 10:54 AM, Per Jessen wrote:
>>> I've recently upgraded to SA 3.4.0 - I'm seeing
>>> URI_DOTDOT_LOW_CNTRST scoring on many legitimate mails. E.g. from
>>> linkedin and distrelec.
>>>
>>> For instance:
>>>
>>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>>
>>>
>>> When the above was processed I noticed this in the log:
>>>
>>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A
>>> class=IN) failed: a domain name contains a null label
>>>
>>> As far as I can tell, the email above contains no such uri.
>>>
>>> I grep'ed a bit and found some more:
>>>
>>> http://files.jessen.ch/more-dotdot.txt
>>>
>>> I'm pretty certain 99% of those are false positives.  Probably a
>>> hiccup on my installation, I was just wondering if anyone else is
>>> seeing this?
>>
>> Which .cf file is this in?
>> Can't find it in SA trunk's .cf files.
>>
> 
> ok.. sorry  - found it but atm it seems it isn't being autopromoted
> 
> 
> have you run a recent sa-update ?

I think the ruleset is from the tarball from the apache page.  Hmm, it
would appear to be quite old ?? 

http://mirror.reverse.net/pub/apache//spamassassin/source/Mail-SpamAssassin-rules-3.4.0.r1565117.tgz

Dated 20Feb2014. 

Is there a recent tarball somewhere?


-- 
Per Jessen, Zürich (8.2°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.


Re: URI_DOTDOT_LOW_CNTRST false positives?

Posted by Axb <ax...@gmail.com>.
On 03/16/2015 11:05 AM, Axb wrote:
> On 03/16/2015 10:54 AM, Per Jessen wrote:
>> I've recently upgraded to SA 3.4.0 - I'm seeing URI_DOTDOT_LOW_CNTRST
>> scoring on many legitimate mails. E.g. from linkedin and distrelec.
>>
>> For instance:
>> http://files.jessen.ch/Tektronix-4-Kanal-Oszilloskop-deutlich-reduziert-TDS-2024C.eml
>>
>>
>> When the above was processed I noticed this in the log:
>>
>> spamd[865]: dns: new_dns_packet (domain=chde..distrelec.com. type=A
>> class=IN) failed: a domain name contains a null label
>>
>> As far as I can tell, the email above contains no such uri.
>>
>> I grep'ed a bit and found some more:
>>
>> http://files.jessen.ch/more-dotdot.txt
>>
>> I'm pretty certain 99% of those are false positives.  Probably a hiccup
>> on my installation, I was just wondering if anyone else is seeing this?
>
> Which .cf file is this in?
> Can't find it in SA trunk's .cf files.
>

ok.. sorry  - found it but atm it seems it isn't being autopromoted


have you run a recent sa-update ?

John Hardin, your sandbox limit score of 2.5 seems sorta high..