Posted to dev@spamassassin.apache.org by Axb <ax...@gmail.com> on 2014/07/30 14:21:52 UTC

TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Received: from DUB004-OMC4S34.hotmail.com (dub004-omc4s34.hotmail.com 
[157.55.2.109])
X-Mailer: Microsoft Windows Live Mail 15.4.3555.308

This is what something like an "undisclosed recipients" looks like.

Imo, this rule scored with 3.5 should be purged. It's a waste of cycles

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/30/2014 10:03 AM, Axb wrote:
>> Well I show zero hits and so does your masscheck.  I'd like to get a
>> sample to work on a reverse check that identifies Good messages.
>
> even more patchwork?  I don't like overworked metas with tons of 
> cycle/memory chewing dependencies.
You already solved the issue for your system with the custom score. I 
was just trying to future proof for others who aren't as processor 
dependent, no worries.

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by Axb <ax...@gmail.com>.
On 07/30/2014 03:41 PM, Kevin A. McGrail wrote:
> On 7/30/2014 9:19 AM, Axb wrote:
>> On 07/30/2014 02:57 PM, Kevin A. McGrail wrote:
>>> Hmm,
>>>
>>> Spotchecking Ruleqa doesn't show this misfiring at all:
>>>
>>> http://ruleqa.spamassassin.org/20140729-r1614286-n/TO_NO_BRKTS_MSFT/detail
>>>
>>>
>>> I have also got zero hits in my ham corpora.
>>>
>>> Suggest adding hit to your ham corpora and we check on it tomorrow.
>>
>> I don't have the original mails.
>>
>> Obviously spam corpus have tons of it and ham corpus just doesn't
>> contain enough of this kind of mail.
>>
>> the score on that rule is "limited" to 3.5 which seems somewhat high
>> for a "limit"
>>
>> score      TO_NO_BRKTS_MSFT         3.50    # limit
>>
>> downscored to 0.5 on my setup... moving on.
>
> Well I show zero hits and so does your masscheck.  I'd like to get a
> sample to work on a reverse check that identifies Good messages.

even more patchwork?  I don't like overworked metas with tons of 
cycle/memory chewing dependencies.

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by Axb <ax...@gmail.com>.
On 07/30/2014 05:05 PM, Kevin A. McGrail wrote:
> On 7/30/2014 10:58 AM, Axb wrote:
>> On 07/30/2014 04:52 PM, Kevin A. McGrail wrote:
>>> On 7/30/2014 10:50 AM, Axb wrote:
>>>> The concept of this rule just tells me that it's wrong..
>>>>
>>>> meta       __TO_NO_BRKTS_MSFT       __TO_NO_ARROWS_R &&
>>>> !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
>>>>
>>>> welcome to 2014
>>>>
>>>> "X-Mailer: Microsoft Windows Live Mail"
>>>>
>>>> where is the exception for that? .-)
>>>>
>>>> and if you add it so what? even more bloat...
>>> But the real-world S/O shows it is a spammy indicator.  When we can, we
>>> need to pastebin a sample to discuss this effectively.
>>
>> with a LIMIT of 3.5 ????
>>
>>
>> header    RCVD_HOTMAIL    Received =~ /\.hotmail\.com/
>>
>> also a sign of spamminess in our corpus
>> may I submit and limit  3.5?
>> You'd nuke instantly and call me all sorta names...
>> scr :)
>
> Perhaps but my general rule is I look for a rule to have a hit of 1 to 1.5.
>
> A meta rule combines other rules and can therefore be combined to have a
> higher ceiling score.
>
> Additionally, I am not anti-poison pills because I don't block email
> using RBLs or Spam Scores so I have promoted some very high scoring
> rules.  KAM.cf is evidence of that.
>
> In the end, you are asking us to change the score of a rule without a
> spample and with no evidence in ruleqa that it's warranted.
>
> To synopsize: This appears to be an effective rule at blocking spam with
> at least one theoretical FP and tweaking it is my recommended course of
> action.

I love poison pill rules.. but this rule doesn't qualify. It's suicidal :)

Obviously our ham corpus is not good enough and I can hardly ask my 
client to supply 2 msgs which will make zero difference if the score is 
forced limit of 3.5


Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/30/2014 10:58 AM, Axb wrote:
> On 07/30/2014 04:52 PM, Kevin A. McGrail wrote:
>> On 7/30/2014 10:50 AM, Axb wrote:
>>> The concept of this rule just tells me that it's wrong..
>>>
>>> meta       __TO_NO_BRKTS_MSFT       __TO_NO_ARROWS_R &&
>>> !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
>>>
>>> welcome to 2014
>>>
>>> "X-Mailer: Microsoft Windows Live Mail"
>>>
>>> where is the exception for that? .-)
>>>
>>> and if you add it so what? even more bloat...
>> But the real-world S/O shows it is a spammy indicator.  When we can, we
>> need to pastebin a sample to discuss this effectively.
>
> with a LIMIT of 3.5 ????
>
>
> header    RCVD_HOTMAIL    Received =~ /\.hotmail\.com/
>
> also a sign of spamminess in our corpus
> may I submit and limit  3.5?
> You'd nuke instantly and call me all sorta names...
> scr :)

Perhaps but my general rule is I look for a rule to have a hit of 1 to 1.5.

A meta rule combines other rules and can therefore be combined to have a 
higher ceiling score.

Additionally, I am not anti-poison pills because I don't block email 
using RBLs or Spam Scores so I have promoted some very high scoring 
rules.  KAM.cf is evidence of that.

In the end, you are asking us to change the score of a rule without a 
spample and with no evidence in ruleqa that it's warranted.

To synopsize: This appears to be an effective rule at blocking spam with 
at least one theoretical FP and tweaking it is my recommended course of 
action.

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by Axb <ax...@gmail.com>.
On 07/30/2014 04:52 PM, Kevin A. McGrail wrote:
> On 7/30/2014 10:50 AM, Axb wrote:
>> The concept of this rule just tells me that it's wrong..
>>
>> meta       __TO_NO_BRKTS_MSFT       __TO_NO_ARROWS_R &&
>> !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
>>
>> welcome to 2014
>>
>> "X-Mailer: Microsoft Windows Live Mail"
>>
>> where is the exception for that? .-)
>>
>> and if you add it so what? even more bloat...
> But the real-world S/O shows it is a spammy indicator.  When we can, we
> need to pastebin a sample to discuss this effectively.

with a LIMIT of 3.5 ????


header	RCVD_HOTMAIL	Received =~ /\.hotmail\.com/

also a sign of spamminess in our corpus
may I submit and limit  3.5?
You'd nuke instantly and call me all sorta names...
scr :)

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/30/2014 10:50 AM, Axb wrote:
> The concept of this rule just tells me that it's wrong..
>
> meta       __TO_NO_BRKTS_MSFT       __TO_NO_ARROWS_R && 
> !__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)
>
> welcome to 2014
>
> "X-Mailer: Microsoft Windows Live Mail"
>
> where is the exception for that? .-)
>
> and if you add it so what? even more bloat...
But the real-world S/O shows it is a spammy indicator.  When we can, we 
need to pastebin a sample to discuss this effectively.

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Jul 2014, Axb wrote:

> The concept of this rule just tells me that it's wrong..
>
> meta       __TO_NO_BRKTS_MSFT       __TO_NO_ARROWS_R && !__TO_UNDISCLOSED && 
> (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)

As I said, it's based on the assumption that MSFT codes to standards, i.e. 
their tools *will* put a space between the name part and the address part, 
where spammers are sloppy.

If that assumption no longer holds true (or, no longer holds true in the 
majority of cases) then the rule should either have its limit reduced (as 
I've done) or is no longer useful. Masscheck results seem to indicate it 
*does* still have value.

> welcome to 2014
>
> "X-Mailer: Microsoft Windows Live Mail"
>
> where is the exception for that? .-)
>
> and if you add it so what? even more bloat...

I'm not too worried about adding metas, they are dirt cheap compared to 
regular expressions.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Look at the people at the top of both efforts. Linus Torvalds is a
   university graduate with a CS degree. Bill Gates is a university
   dropout who bragged about dumpster-diving and using other peoples'
   garbage code as the basis for his code. Maybe that has something to
   do with the difference in quality/security between Linux and
   Windows.                           -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
  6 days until the 279th anniversary of John Peter Zenger's acquittal
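To make the discussion above concrete, here is a small Python model of the meta rule quoted in the thread, run over constructed sample headers. This is an added example, not code from the thread or from SpamAssassin itself: the sub-rule regexes (__TO_NO_ARROWS_R, __TO_UNDISCLOSED, __ANY_OUTLOOK_MUA, __MIMEOLE_MS) are assumed approximations written for this example, __ANY_OUTLOOK_MUA is deliberately made to match Windows Live Mail so the sample reproduces the reported hit, the TO_NO_BRKTS_MSFT_NOT_HOTMAIL split is an assumed sandbox-style variant in the spirit of the wipe rule mentioned later in the thread, and the sample messages are made up apart from the Received: and X-Mailer: shapes quoted above.

```python
import re

# Constructed sample messages (not taken from the thread, except that the
# Received: and X-Mailer: shapes follow the ones quoted there). Each message is
# a dict of header name -> raw value.
HAM_LIVE_MAIL = {
    "Received": "from DUB004-OMC4S34.hotmail.com (dub004-omc4s34.hotmail.com [157.55.2.109])",
    "X-Mailer": "Microsoft Windows Live Mail 15.4.3555.308",
    "To": "alice@example.org",            # bare address: no "Name" <addr> brackets
}
HAM_UNDISCLOSED = dict(HAM_LIVE_MAIL, To="undisclosed recipients: ;")
HAM_OUTLOOK = {
    "Received": "from mail.example.com (mail.example.com [192.0.2.20])",
    "X-Mailer": "Microsoft Outlook 14.0",
    "To": '"Carol" <carol@example.org>',  # standards-style: name part, space, <addr>
}
SPAM_SLOPPY = {
    "Received": "from mail.example.net (mail.example.net [192.0.2.10])",
    "X-Mailer": "Microsoft Outlook Express 6.00.2900.5512",
    "To": "bob@example.org",
}

# Sub-rules as (header, regex). These are assumed approximations written for
# this example; SpamAssassin's real private rules live in its rules files and
# may differ. __ANY_OUTLOOK_MUA is deliberately made to match Windows Live
# Mail so the sample reproduces the hit reported in the thread.
SUBRULES = {
    "__TO_NO_ARROWS_R":  ("To", re.compile(r"^[^<>]*$")),
    "__TO_UNDISCLOSED":  ("To", re.compile(r"undisclosed[- ]recipients", re.I)),
    "__ANY_OUTLOOK_MUA": ("X-Mailer", re.compile(r"^Microsoft (?:(?:Office )?Outlook|Windows Live Mail)")),
    "__MIMEOLE_MS":      ("X-MimeOLE", re.compile(r"^Produced By Microsoft MimeOLE")),
    # Axb's RCVD_HOTMAIL header rule from the thread, used here as a private sub-rule.
    "__RCVD_HOTMAIL":    ("Received", re.compile(r"\.hotmail\.com")),
}


def subrule_hits(headers):
    """Evaluate every sub-rule against one message; a missing header never matches."""
    return {name: bool(rx.search(headers.get(hdr, "")))
            for name, (hdr, rx) in SUBRULES.items()}


def meta_hits(headers):
    """Evaluate the metas. TO_NO_BRKTS_MSFT is the expression quoted in the
    thread; the _NOT_HOTMAIL variant is an assumed sandbox-style split that
    keeps only hits not relayed through hotmail, the kind of breakdown a
    masscheck of a wipe rule would give."""
    h = subrule_hits(headers)
    brkts = (h["__TO_NO_ARROWS_R"] and not h["__TO_UNDISCLOSED"]
             and (h["__ANY_OUTLOOK_MUA"] or h["__MIMEOLE_MS"]))
    return {
        "TO_NO_BRKTS_MSFT": brkts,
        "TO_NO_BRKTS_MSFT_NOT_HOTMAIL": brkts and not h["__RCVD_HOTMAIL"],
    }


# Two score tables: the stock "limit" from the thread and Axb's local override.
SCORES_LIMIT = {"TO_NO_BRKTS_MSFT": 3.5}
SCORES_LOCAL = {"TO_NO_BRKTS_MSFT": 0.5}


def score(headers, scores):
    """Sum the scores of the metas that hit (names starting with __ never score)."""
    return sum(scores.get(name, 0.0) for name, hit in meta_hits(headers).items() if hit)


if __name__ == "__main__":
    for label, msg in [("ham/Live Mail", HAM_LIVE_MAIL), ("ham/undisclosed", HAM_UNDISCLOSED),
                       ("ham/Outlook", HAM_OUTLOOK), ("spam/sloppy", SPAM_SLOPPY)]:
        hits = [n for n, v in meta_hits(msg).items() if v]
        print(f"{label:16} hits={hits} limit={score(msg, SCORES_LIMIT)} local={score(msg, SCORES_LOCAL)}")
```

Running it shows the two sides of the thread side by side: the Windows Live Mail message with a bare To: address trips TO_NO_BRKTS_MSFT exactly like the sloppy spam sample does, and only the score table decides whether that costs 3.5 or 0.5 points. The undisclosed-recipients message is excluded by the !__TO_UNDISCLOSED term as John describes, and the standards-style Outlook message with "Name" <addr> never matches at all. The _NOT_HOTMAIL split is what a masscheck would need in order to tell how many of the rule's hits come from hotmail relays.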

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by Axb <ax...@gmail.com>.
The concept of this rule just tells me that it's wrong..

meta       __TO_NO_BRKTS_MSFT       __TO_NO_ARROWS_R && 
!__TO_UNDISCLOSED && (__ANY_OUTLOOK_MUA || __MIMEOLE_MS)

welcome to 2014

"X-Mailer: Microsoft Windows Live Mail"

where is the exception for that? .-)

and if you add it so what? even more bloat...

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 7/30/2014 9:19 AM, Axb wrote:
> On 07/30/2014 02:57 PM, Kevin A. McGrail wrote:
>> Hmm,
>>
>> Spotchecking Ruleqa doesn't show this misfiring at all:
>>
>> http://ruleqa.spamassassin.org/20140729-r1614286-n/TO_NO_BRKTS_MSFT/detail 
>>
>>
>> I have also got zero hits in my ham corpora.
>>
>> Suggest adding hit to your ham corpora and we check on it tomorrow.
>
> I don't have the original mails.
>
> Obviously spam corpus have tons of it and ham corpus just doesn't 
> contain enough of this kind of mail.
>
> the score on that rule is "limited" to 3.5 which seems somewhat high 
> for a "limit"
>
> score      TO_NO_BRKTS_MSFT         3.50    # limit
>
> downscored to 0.5 on my setup... moving on.

Well I show zero hits and so does your masscheck.  I'd like to get a 
sample to work on a reverse check that identifies Good messages.

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by Axb <ax...@gmail.com>.
On 07/30/2014 02:57 PM, Kevin A. McGrail wrote:
> Hmm,
>
> Spotchecking Ruleqa doesn't show this misfiring at all:
>
> http://ruleqa.spamassassin.org/20140729-r1614286-n/TO_NO_BRKTS_MSFT/detail
>
> I have also got zero hits in my ham corpora.
>
> Suggest adding hit to your ham corpora and we check on it tomorrow.

I don't have the original mails.

Obviously spam corpus have tons of it and ham corpus just doesn't 
contain enough of this kind of mail.

the score on that rule is "limited" to 3.5 which seems somewhat high for 
a "limit"

score      TO_NO_BRKTS_MSFT         3.50	# limit

downscored to 0.5 on my setup... moving on.

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
Hmm,

Spotchecking Ruleqa doesn't show this misfiring at all:

http://ruleqa.spamassassin.org/20140729-r1614286-n/TO_NO_BRKTS_MSFT/detail

I have also got zero hits in my ham corpora.

Suggest adding hit to your ham corpora and we check on it tomorrow.

Regards,
KAM

Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by Axb <ax...@gmail.com>.
On 07/30/2014 05:17 PM, John Hardin wrote:
> On Wed, 30 Jul 2014, Axb wrote:
>
>> Received: from DUB004-OMC4S34.hotmail.com (dub004-omc4s34.hotmail.com
>> [157.55.2.109])
>> X-Mailer: Microsoft Windows Live Mail 15.4.3555.308
>>
>> This is what something like an "undisclosed recipients" looks like.
>
> Do you have a sample of the headers, especially the To:? This rule is
> supposed to exclude "undisclosed recipients" messages.
>
>> Imo, this rule scored with 3.5 should be purged. It's a waste of cycles
>
> The rule is based on the assumption that MSFT can code to standards,
> which I will admit is a shaky basis for analysis.

shaky is putting it mildly...

> I will reduce the limit.


I've added wipe_tonobrktsmsft.cf to my sandbox to see how much of the 
hits are not hotmail


Re: TO_NO_BRKTS_MSFT hits on legit hotmail msgs

Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Jul 2014, Axb wrote:

> Received: from DUB004-OMC4S34.hotmail.com (dub004-omc4s34.hotmail.com 
> [157.55.2.109])
> X-Mailer: Microsoft Windows Live Mail 15.4.3555.308
>
> This is what something like an "undisclosed recipients" looks like.

Do you have a sample of the headers, especially the To:? This rule is 
supposed to exclude "undisclosed recipients" messages.

> Imo, this rule scored with 3.5 should be purged. It's a waste of cycles

The rule is based on the assumption that MSFT can code to standards, which 
I will admit is a shaky basis for analysis.

I will reduce the limit.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Look at the people at the top of both efforts. Linus Torvalds is a
   university graduate with a CS degree. Bill Gates is a university
   dropout who bragged about dumpster-diving and using other peoples'
   garbage code as the basis for his code. Maybe that has something to
   do with the difference in quality/security between Linux and
   Windows.                           -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
  6 days until the 279th anniversary of John Peter Zenger's acquittal