Posted to users@spamassassin.apache.org by Daniel McDonald <da...@austinenergy.com> on 2013/06/06 21:14:15 UTC
FP on SPOOF_COM2OTH (and potentially SPOOF_COM2COM)
I had a recent FP message that hit both the SPOOF_COM2OTH and SPOOF_COM2COM
rules. I don't think COM2OTH is appropriate:
Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2OTH ======> got hit: "http://www<DOT>MUNGED<DOT>com<DOT>temp.<DOT>livebooks."
Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2COM ======> got hit: "http://www<DOT>MUNGED<DOT>com<DOT>temp<DOT>livebooks<DOT>com"
A scan of the message shows that these two rules are hitting the same line.
A quick check of my logs shows 100% overlap in one direction:
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -vc SPOOF_COM2COM
0
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -c SPOOF_COM2COM
26
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2COM /var/log/mail/info.log | grep -vc SPOOF_COM2OTH
13
I'll be disabling SPOOF_COM2OTH for now, but thought someone might want to
look into it. I also see a single exception of s3.amazonaws.com from the
rule. I might add livebooks to that list locally.
--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
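
The overlap check in the post above, redone as an added example that is not part of the original message: it matches exact rule names in the comma-separated hit list instead of grepping for substrings anywhere on the line. The spamd "result:" line layout, the sample log lines and the rule name T_SPOOF_COM2OTH_TEST are constructed assumptions; adjust the field split to your own log format.

```shell
#!/bin/sh
# Constructed sample lines, assuming the spamd "result:" layout:
#   ... spamd: result: <Y|.> <score> - RULE1,RULE2,... scantime=...,size=...
sample_log() {
cat <<'EOF'
Jun  6 13:55:49 sa spamd[26386]: spamd: result: . 2 - HTML_MESSAGE,SPOOF_COM2COM,SPOOF_COM2OTH scantime=1.2,size=4096
Jun  6 13:58:02 sa spamd[26386]: spamd: result: . 1 - SPOOF_COM2COM scantime=0.9,size=2048
Jun  6 14:01:10 sa spamd[26390]: spamd: result: Y 9 - BAYES_99,SPOOF_COM2COM,SPOOF_COM2OTH scantime=1.1,size=1024
Jun  6 14:03:37 sa spamd[26390]: spamd: result: . 0 - T_SPOOF_COM2OTH_TEST scantime=0.8,size=512
EOF
}

# rule_overlap A B
# Reads log lines on stdin and prints three counts on one line:
#   <messages hitting only A> <messages hitting only B> <messages hitting both>
rule_overlap() {
    awk -v a="$1" -v b="$2" '
    / result: / {
        i = index($0, " - ")            # separator before the rule list
        if (i == 0) next
        rules = substr($0, i + 3)
        sub(/ .*/, "", rules)           # drop scantime=... and what follows
        n = split(rules, r, ",")
        hit_a = 0; hit_b = 0
        for (k = 1; k <= n; k++) {      # exact name comparison, no substrings
            if (r[k] == a) hit_a = 1
            if (r[k] == b) hit_b = 1
        }
        if (hit_a && hit_b)  both++
        else if (hit_a)      only_a++
        else if (hit_b)      only_b++
    }
    END { printf "%d %d %d\n", only_a, only_b, both }'
}

# Run against the constructed sample.
sample_log | rule_overlap SPOOF_COM2OTH SPOOF_COM2COM
```

On the sample, a plain grep for SPOOF_COM2OTH also counts the line carrying the longer constructed rule name, while the exact-match count does not.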