Posted to users@spamassassin.apache.org by Daniel McDonald <da...@austinenergy.com> on 2013/06/06 21:14:15 UTC

FP on SPOOF_COM2OTH (and potentially SPOOF_COM2COM)

I had a recent FP message that hit both the SPOOF_COM2OTH and SPOOF_COM2COM
rules.  I don't think COM2OTH is appropriate:
Jun  6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2OTH ======> got hit: "http://www<DOT>MUNGED<DOT>com<DOT>temp.<DOT>livebooks."
Jun  6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2COM ======> got hit: "http://www<DOT>MUNGED<DOT>com<DOT>temp<DOT>livebooks<DOT>com"

A scan of the message shows that these two rules are hitting the same line.

A quick check of my logs shows 100% overlap in one direction:

[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -vc SPOOF_COM2COM
0
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -c SPOOF_COM2COM
26
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2COM /var/log/mail/info.log | grep -vc SPOOF_COM2OTH
13

I'll be disabling SPOOF_COM2OTH for now, but thought someone might want to
look into it.  I also see a single exception of s3.amazonaws.com from the
rule.  I might add livebooks to that list locally.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
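The overlap check in the post, as an added Python example that is not part of the post, of SpamAssassin, or of the poster's setup: it parses spamd "result:" log lines and, for any pair of rules, counts the messages hitting the first rule only, both, or the second only, which is what the three greps above compute for SPOOF_COM2OTH and SPOOF_COM2COM. The log lines embedded in the block are constructed for the demonstration, not real traffic, and the "result:" layout assumed in RESULT_RE is spamd's own; a site that logs through amavisd or a milter will carry the rule list in a different field and needs the regex adjusted. A rule whose every hit is accompanied by a hit of the other (a_only == 0, as in the post's first grep) adds no discrimination on that log, which is the case for disabling or re-scoring it.

```python
"""Measure how often two SpamAssassin rules fire on the same message.

Hypothetical helper written for this page; it is not SpamAssassin code.
It reads spamd 'result:' lines and reports, for rules A and B, how many
messages hit A only, both, or B only.
"""
import re
from typing import Iterable, Optional

# Constructed sample spamd log lines for demonstration; not real mail traffic.
SAMPLE_LOG = """\
Jun  6 13:55:49 sa spamd[26386]: spamd: connection from localhost [127.0.0.1]:51234 to port 783, fd 5
Jun  6 13:55:49 sa spamd[26386]: spamd: result: Y 7 - HTML_MESSAGE,SPOOF_COM2COM,SPOOF_COM2OTH,URIBL_BLACK scantime=1.2,size=4096,user=mail,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51234,mid=<m1@example.invalid>,autolearn=no
Jun  6 13:56:02 sa spamd[26386]: spamd: result: . 1 - HTML_MESSAGE,SPOOF_COM2COM scantime=0.9,size=2048,user=mail,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51235,mid=<m2@example.invalid>,autolearn=no
Jun  6 13:57:10 sa spamd[26387]: spamd: result: Y 9 - SPOOF_COM2COM,SPOOF_COM2OTH,URIBL_BLACK scantime=1.1,size=3000,user=mail,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51236,mid=<m3@example.invalid>,autolearn=no
Jun  6 13:58:33 sa spamd[26387]: spamd: result: . -1 - DKIM_VALID,HTML_MESSAGE scantime=0.7,size=1500,user=mail,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51237,mid=<m4@example.invalid>,autolearn=ham
Jun  6 13:59:05 sa spamd[26386]: spamd: result: . 2 - SPOOF_COM2COM scantime=0.8,size=1800,user=mail,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51238,mid=<m5@example.invalid>,autolearn=no
Jun  6 13:59:40 sa spamd[26386]: spamd: result: . 0 - none scantime=0.5,size=900,user=mail,uid=500,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=51239,mid=<m6@example.invalid>,autolearn=no
"""

# spamd result line: "result: <Y|.> <score> - <rule,rule,... or 'none'> scantime=..."
# The rule list is the whitespace-free token after the score; assumed layout.
RESULT_RE = re.compile(r"spamd: result: [Y.] -?\d+ - (?P<tests>\S+)")


def rules_hit(line: str) -> Optional[frozenset]:
    """Return the set of rule names a spamd result line reports.

    Returns None for lines that are not result lines (connection and
    processing noise is skipped), and an empty set when spamd logged 'none'.
    """
    m = RESULT_RE.search(line)
    if m is None:
        return None
    tests = m.group("tests")
    if tests == "none":
        return frozenset()
    return frozenset(tests.split(","))


def overlap(lines: Iterable[str], a: str, b: str) -> dict:
    """Count messages hitting rule a only, both a and b, or b only.

    Mirrors the three greps in the post: a_only is 'A but not B', both is
    'A and B', b_only is 'B but not A'.  a_subsumed_by_b is True when every
    message that hit a also hit b (and a fired at least once).
    """
    counts = {"a_only": 0, "both": 0, "b_only": 0, "messages": 0}
    for line in lines:
        hits = rules_hit(line)
        if hits is None:
            continue
        counts["messages"] += 1
        ha, hb = a in hits, b in hits
        if ha and hb:
            counts["both"] += 1
        elif ha:
            counts["a_only"] += 1
        elif hb:
            counts["b_only"] += 1
    counts["a_subsumed_by_b"] = counts["a_only"] == 0 and counts["both"] > 0
    return counts


if __name__ == "__main__":
    # Against a real log: overlap(open("/var/log/mail/info.log"), ...)
    print(overlap(SAMPLE_LOG.splitlines(), "SPOOF_COM2OTH", "SPOOF_COM2COM"))
```

Matching on the parsed rule list rather than grepping the whole line also avoids false matches from a rule name that happens to appear in a message-id or hostname elsewhere on the line.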