Posted to users@spamassassin.apache.org by John Rudd <jr...@ucsc.edu> on 2007/11/24 00:15:23 UTC
Bad rule description (for a rule with false positives)
Ever since upgrading in the last 2 months, I've been getting a lot more
false positive complaints, and one of the most frequent rules to show up
in my false positives is:
2.8 BASE64_LENGTH_79_INF BODY: BASE64_LENGTH_79_INF
That rule description is COMPLETELY useless.
So, here are my questions:
1) what is this rule actually doing?
2) anyone have an analysis that says that I'll suddenly be letting
through a ton of spam if I lower the score a lot? (I'm actually
thinking about setting it to 0, but I'd entertain something like .5)
Re: Bad rule description (for a rule with false positives)
Posted by John Rudd <jr...@ucsc.edu>.
Daryl C. W. O'Shea wrote:
> On 11/23/2007 6:15 PM, John Rudd wrote:
>>
>> Ever since upgrading in the last 2 months, I've been getting a lot
>> more false positive complaints, and one of the most frequent rules to
>> show up in my false positives is:
>>
>>
>> 2.8 BASE64_LENGTH_79_INF BODY: BASE64_LENGTH_79_INF
>>
>>
>> That rule description is COMPLETELY useless.
>
> I'd COMPLETELY disagree.
>
> Although to be pedantic, the rule doesn't have a description defined.
> It's simply just the rule type and name concatenated automatically in
> lieu of there being a description for it.
>
>> So, here are my questions:
>>
>> 1) what is this rule actually doing?
>
> I've never seen the rule before, but I'd be extremely surprised if it
> doesn't detect BASE64 lines longer than 78 characters (79 to infinity).
Seems like they ought to have put that in the desc:
Detect Base64 lines of 79 or more characters.
>
>> 2) anyone have an analysis that says that I'll suddenly be letting
>> through a ton of spam if I lower the score a lot? (I'm actually
>> thinking about setting it to 0, but I'd entertain something like .5)
>
> Drop it. At 0.0596% of 438k messages it doesn't even meet our
> promotion criteria anymore.
Thanks!
Re: Bad rule description (for a rule with false positives)
Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 11/23/2007 6:15 PM, John Rudd wrote:
>
> Ever since upgrading in the last 2 months, I've been getting a lot more
> false positive complaints, and one of the most frequent rules to show up
> in my false positives is:
>
>
> 2.8 BASE64_LENGTH_79_INF BODY: BASE64_LENGTH_79_INF
>
>
> That rule description is COMPLETELY useless.
I'd COMPLETELY disagree.
Although to be pedantic, the rule doesn't have a description defined.
It's simply just the rule type and name concatenated automatically in
lieu of there being a description for it.
> So, here are my questions:
>
> 1) what is this rule actually doing?
I've never seen the rule before, but I'd be extremely surprised if it
doesn't detect BASE64 lines longer than 78 characters (79 to infinity).
> 2) anyone have an analysis that says that I'll suddenly be letting
> through a ton of spam if I lower the score a lot? (I'm actually
> thinking about setting it to 0, but I'd entertain something like .5)
Drop it. At 0.0596% of 438k messages it doesn't even meet our
promotion criteria anymore.
Daryl
Re: Bad rule description (for a rule with false positives)
Posted by Loren Wilton <lw...@earthlink.net>.
> 2.8 BASE64_LENGTH_79_INF BODY: BASE64_LENGTH_79_INF
>
> That rule description is COMPLETELY useless.
Just from the name, I'd say it is checking for a base64 encoded line that is
longer than 78 characters. As a general rule only bad ratware tends to make
those in any quantity.
Loren
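
Added illustration, not part of any post in this thread and not SpamAssassin's own implementation: a Python check for what the replies infer from the rule name, base64-encoded body lines of 79 or more characters. The sample messages are constructed, and `build_sample`, `longest_base64_line` and `hits_rule` are hypothetical names.

```python
import base64
import email

THRESHOLD = 79  # taken from the rule name: 79 characters "to infinity"


def longest_base64_line(raw_message: bytes) -> int:
    """Longest raw (still encoded) line in any base64 MIME part, 0 if none."""
    msg = email.message_from_bytes(raw_message)
    longest = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue  # long lines in 7bit/8bit parts are not what is measured
        # get_payload() without decode=True returns the text as it was sent
        for line in part.get_payload().splitlines():
            longest = max(longest, len(line.rstrip()))
    return longest


def hits_rule(raw_message: bytes) -> bool:
    return longest_base64_line(raw_message) >= THRESHOLD


def build_sample(wrap: int) -> bytes:
    """Constructed test message; wrap=0 leaves the base64 body on one line."""
    data = base64.b64encode(b"constructed sample body " * 12).decode("ascii")
    lines = [data[i:i + wrap] for i in range(0, len(data), wrap)] if wrap else [data]
    headers = (
        "From: sender@example.com\r\n"
        "To: rcpt@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=us-ascii\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
    )
    return (headers + "\r\n".join(lines) + "\r\n").encode("ascii")


if __name__ == "__main__":
    # RFC 2045 caps encoded lines at 76 characters, so a conforming sender
    # never reaches the threshold; an unwrapped body does.
    for label, wrap in (("wrapped at 76", 76), ("unwrapped", 0)):
        sample = build_sample(wrap)
        print(label, longest_base64_line(sample), hits_rule(sample))
```

Run over a folder of reported false positives, a check like this shows which sending software produces the over-long lines before the score is changed.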