Mailing List Archive

URI_TRY_3LD FP on mynews.apple.com
Hey, John et al. It's been a while. I hope things are going well.

I've found an FP on URI_TRY_3LD from
https://mynews.apple.com/subscriptions?… that you could solve by adding
a new alternation to the relevant negative lookahead in that regex:

-uri URI_TRY_3LD
m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i
+uri URI_TRY_3LD
m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!news.apple.|sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i
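
Review bot: In the `my(?!...)` lookahead on the `+` line, the new alternative `news.apple.` is not tied to the end of the hostname, so it exempts every host that merely begins with `mynews.apple.` rather than only mynews.apple.com. Consider closing it at the TLD and the path separator, for example `news\.apple\.com(?:/|$)`, so the exclusion covers just the reported URL. Separately, as displayed here the dots in `news.apple.` are unescaped and would match any character; the bare `w)` and `b,i` on both the `-` and `+` lines suggest the archive dropped backslashes, so confirm the committed rule has `\.` in the new alternative.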

However, with its hit freqs [1] showing an S/O hovering around 0.100 and
with the GA consistently scoring it so close to your specified 2.000
limit, I doubt this tweak will help enough. I suggest further FP
mitigations and perhaps a lower score limit.

-Adam

Links:
------
[1]
https://ruleqa.spamassassin.org/20210401-r1888263-n/URI_TRY_3LD/detail
Re: URI_TRY_3LD FP on mynews.apple.com
On Fri, 02 Apr 2021 12:12:22 -0400
Adam Katz wrote:

> Hey, John et al. It's been a while. I hope things are going well.
>
> I've found an FP on URI_TRY_3LD from
> https://mynews.apple.com/subscriptions?… that you could solve by
> adding a new alternation to the relevant negative lookahead in that
> regex:
>
> -uri URI_TRY_3LD
> m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i
> +uri URI_TRY_3LD
> m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!news.apple.|sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i
>
> However, with its hit freqs [1] showing an S/O hovering around 0.100 and
> with the GA consistently scoring it so close to your specified 2.000
> limit, I doubt this tweak will help enough. I suggest further FP
> mitigations and perhaps a lower score limit.


I'd be inclined to take out the 'my' variant altogether.
Re: URI_TRY_3LD FP on mynews.apple.com
On Fri, 2 Apr 2021, Adam Katz wrote:

> Hey, John et al. It's been a while. I hope things are going well.
>
> I've found an FP on URI_TRY_3LD from
> https://mynews.apple.com/subscriptions?… that you could solve by adding
> a new alternation to the relevant negative lookahead in that regex:
>
> -uri URI_TRY_3LD
> m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i
> +uri URI_TRY_3LD
> m,^https?://(?:try|start|get(?!.adobe)|save|check(?!out)|act|compare|join|learn|request|visit(?!or)|my(?!news.apple.|sub|turbotax)w)[^.]*.[^/]+.(?:com|net)b,i
>
> However, with its hit freqs [1] showing an S/O hovering around 0.100 and
> with the GA consistently scoring it so close to your specified 2.000
> limit, I doubt this tweak will help enough. I suggest further FP
> mitigations and perhaps a lower score limit.

I will take a look, thanks for the report.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
307 days since the first private commercial manned orbital mission (SpaceX)