Mailing List Archive

No rule for fake payPal messages?
I just got this little wonder, and was surprised that it got thru as ham.

From: "PayPal Billing" <douglescostamicheael@gmail.com>

I've fixed that locally, but I'd think SA ought to have a rule for "PayPal"
that doesn't come from paypal.
Re: No rule for fake payPal messages?
On 19 Mar 2021, at 17:11, Loren Wilton <lwilton@earthlink.net> wrote:
> I just got this little wonder, and was surprised that it got thru as ham.
>
> From: "PayPal Billing" <douglescostamicheael@gmail.com>
>
> I've fixed that locally, but I'd think SA ought to have a rule for "PayPal" that doesn't come from paypal.

It does, but it looks at the from email address.


--
When this kiss is over it will start again But not be any different
could be exactly the same It's hard to imagine that nothing at
all Could be so exciting, could be this much fun
Re: No rule for fake payPal messages?
On 2021-03-20 11:19, @lbutlr wrote:
> On 19 Mar 2021, at 17:11, Loren Wilton <lwilton@earthlink.net> wrote:
>> I just got this little wonder, and was surprised that it got thru as
>> ham.
>>
>> From: "PayPal Billing" <douglescostamicheael@gmail.com>
>>
>> I've fixed that locally, but I'd think SA ought to have a rule for
>> "PayPal" that doesn't come from paypal.
>
> It does, but it looks at the from email address.

maybe dkim blacklist freemail addresses, and then dkim whitelist payments?

score FREEMAIL 10
whitelist_from_dkim *@paypal.com
score USER_IN_DKIM_WELCOMELIST -10

sorry not tested, but it might work

fail would be

whitelist_from_dkim *@gmail.com
Re: No rule for fake payPal messages?
Loren, are you using the KAM ruleset? See mcgrail.com under projects and
you can add the channel. Happy to look at spamples too for something like
that but I haven't seen a fake paypal in a while likely because of the
rules.

Would be worth looking at how it got through. Perhaps badly trained
Bayesian learning, for example?

Regards,
KAM

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Fri, Mar 19, 2021 at 7:11 PM Loren Wilton <lwilton@earthlink.net> wrote:

> I just got this little wonder, and was surprised that it got thru as ham.
>
> From: "PayPal Billing" <douglescostamicheael@gmail.com>
>
> I've fixed that locally, but I'd think SA ought to have a rule for
> "PayPal"
> that doesn't come from paypal.
>
>
>
Re: No rule for fake payPal messages?
On Sat, 20 Mar 2021 11:11:03 -0400
Kevin A. McGrail wrote:


> Would be worth looking at how it got through. Perhaps badly trained
> Bayesian learning, for example?

If it's done well it can look like a hybrid of a real paypal email and
a routine gmail email and Bayes isn't capable of spotting the
incongruity. It isn't necessarily a sign of mistraining if some of these
hit BAYES_00.
Re: No rule for fake payPal messages?
Fair enough. :-) I mean when it gives it negative scoring though.
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sat, Mar 20, 2021 at 11:35 AM RW <rwmaillists@googlemail.com> wrote:

> On Sat, 20 Mar 2021 11:11:03 -0400
> Kevin A. McGrail wrote:
>
>
> > Would be worth looking at how it got through. Perhaps badly trained
> > Bayesian learning, for example?
>
> If it's done well it can look like a hybrid of a real paypal email and
> a routine gmail email and Bayes isn't capable of spotting the
> incongruity. It isn't necessarily a sign of mistraining if some of these
> hit BAYES_00.
>
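
Added example, not part of any post in this thread and not taken from the stock or KAM rulesets: a local SpamAssassin rule sketch for the case discussed above, where the From display name says "PayPal" but the address is elsewhere. The LOCAL_* rule names, the scores and the single-domain pattern are assumptions; FREEMAIL_FROM and DKIM_VALID_AU are stock rules that require the FreeMail and DKIM plugins to be loaded.

```conf
# local.cf additions (constructed example; rule names and scores are assumptions)

# Display-name part of From: mentions PayPal, e.g. "PayPal Billing"
header   __LOCAL_FROM_NAME_PAYPAL    From:name =~ /\bpay\s*pal\b/i

# Address part of From: is at paypal.com or one of its subdomains.
# Assumption: only paypal.com counts as genuine here; extend the pattern
# for any other domains the brand legitimately sends from.
header   __LOCAL_FROM_ADDR_PAYPAL    From:addr =~ /[\@.]paypal\.com$/i

# Name claims PayPal but the address does not: the message in this thread
meta     LOCAL_FAKE_PAYPAL_NAME      (__LOCAL_FROM_NAME_PAYPAL && !__LOCAL_FROM_ADDR_PAYPAL)
describe LOCAL_FAKE_PAYPAL_NAME      From name says PayPal, address does not
score    LOCAL_FAKE_PAYPAL_NAME      3.0

# Same mismatch, and the sender is a freemail account (FreeMail plugin)
meta     LOCAL_FAKE_PAYPAL_FREEMAIL  (LOCAL_FAKE_PAYPAL_NAME && FREEMAIL_FROM)
describe LOCAL_FAKE_PAYPAL_FREEMAIL  PayPal From name on a freemail address
score    LOCAL_FAKE_PAYPAL_FREEMAIL  2.0

# Address claims paypal.com but carries no valid author-domain DKIM
# signature (DKIM plugin), i.e. the From address itself may be forged
meta     LOCAL_PAYPAL_ADDR_NO_DKIM   (__LOCAL_FROM_ADDR_PAYPAL && !DKIM_VALID_AU)
describe LOCAL_PAYPAL_ADDR_NO_DKIM   paypal.com From without valid DKIM
score    LOCAL_PAYPAL_ADDR_NO_DKIM   3.0
```

Run `spamassassin --lint` after adding the rules, and check them against saved ham before raising the scores.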