Mailing List Archive

XM_RANDOM rule seems to hit too often
For the last couple of days we have seen many hits of the XM_RANDOM rule on
legit mail. Samples of X-Mailers it hits:


> X-Mailer: AspQMail 2.0 4.03 (QSM260971F)
> X-Mailer: WebService/1.1.18138 YahooMailAndroidMobile YMobile/1.0 (com.yahoo.mobile.client.android.mail/6.27.0; Android/11; RP1A.200720.012; a52xq; samsung; SM-A526B; 5.99; 2186x1080;)
> X-Mailer: WebService/1.1.18121 YahooMailAndroidMobile YMobile/1.0 (com.yahoo.mobile.client.android.mail/6.10.5; Android/10; QP1A.190711.020; starlte; samsung; SM-G960F; 5.68; 1450x720;)
> X-Mailer: Traveler 11.0.2.0 Build 202010261910_30 on server DETR02/SRV/BAUHAUS/DE at 20210418173104417 by DelQ-18bc[NoticeMgr]

Especially the AspQMail (hits on stuff within '()') and the Yahoo mailer
are quite common in our message flow.
I think that rule should be revised.


--
Cheers

tobi
Re: XM_RANDOM rule seems to hit too often
On Mon, 26 Apr 2021, jahlives@gmx.ch wrote:

> For the last couple of days we have seen many hits of the XM_RANDOM rule on
> legit mail. Samples of X-Mailers it hits:
>
>
>> X-Mailer: AspQMail 2.0 4.03 (QSM260971F)
>> X-Mailer: WebService/1.1.18138 YahooMailAndroidMobile YMobile/1.0 (com.yahoo.mobile.client.android.mail/6.27.0; Android/11; RP1A.200720.012; a52xq; samsung; SM-A526B; 5.99; 2186x1080;)
>> X-Mailer: WebService/1.1.18121 YahooMailAndroidMobile YMobile/1.0 (com.yahoo.mobile.client.android.mail/6.10.5; Android/10; QP1A.190711.020; starlte; samsung; SM-G960F; 5.68; 1450x720;)
>> X-Mailer: Traveler 11.0.2.0 Build 202010261910_30 on server DETR02/SRV/BAUHAUS/DE at 20210418173104417 by DelQ-18bc[NoticeMgr]
>
> Especially the AspQMail (hits on stuff within '()') and the Yahoo mailer
> are quite common in our message flow.
> I think that rule should be revised.

Thanks for your report. I've added some exclusions and resuced the score
limit.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Rights can only ever be individual, which means that you cannot
gain a right by joining a mob, no matter how shiny the issued
badges are, or how many of your neighbors are part of it. -- Marko
-----------------------------------------------------------------------
5 days until May Day - Remember 110 million people murdered by Communism
Re: XM_RANDOM rule seems to hit too often
On Mon, 26 Apr 2021, John Hardin wrote:

> Thanks for your report. I've added some exclusions and resuced the score
> limit.

"reduced". The coffee hasn't reached my fingertips yet.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
Re: XM_RANDOM rule seems to hit too often
John,

Found that the following does hit much better:

> X-Mailer =~ /^[^\(]+q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]/i

to ensure that search is never found after '('

Now I'll get a coffee as well, although it is almost end-of-working-day coffee
here :-)

Cheers & have a good one

--

tobi
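
The effect of the `^[^\(]+` prefix in the pattern above can be checked against the X-Mailer samples quoted in this thread. This is an added example, not part of any post and not SpamAssassin code. It assumes Python's `re` treats this pattern as Perl does, rejoins the wrapped sample headers, and builds an unanchored variant purely for comparison, since the text of the real XM_RANDOM rule is not shown in the thread.

```python
import re

# Pattern as posted in the thread (Python's re treats this syntax like Perl).
ANCHORED = re.compile(r'^[^\(]+q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]', re.I)
# Constructed for comparison only: the same pattern minus the "^[^\(]+" prefix.
# This is NOT the published XM_RANDOM rule, whose text is not in the thread.
UNANCHORED = re.compile(r'q(?!q?mail|boxmail|\d|[-\w]*=+;)[^u]', re.I)

# X-Mailer values quoted in the thread, with the mail-client line wraps rejoined.
SAMPLES = {
    "aspqmail": "AspQMail 2.0 4.03 (QSM260971F)",
    "yahoo_6_27_0": (
        "WebService/1.1.18138 YahooMailAndroidMobile YMobile/1.0 "
        "(com.yahoo.mobile.client.android.mail/6.27.0; Android/11; "
        "RP1A.200720.012; a52xq; samsung; SM-A526B; 5.99; 2186x1080;)"
    ),
    "yahoo_6_10_5": (
        "WebService/1.1.18121 YahooMailAndroidMobile YMobile/1.0 "
        "(com.yahoo.mobile.client.android.mail/6.10.5; Android/10; "
        "QP1A.190711.020; starlte; samsung; SM-G960F; 5.68; 1450x720;)"
    ),
    "traveler": (
        "Traveler 11.0.2.0 Build 202010261910_30 on server "
        "DETR02/SRV/BAUHAUS/DE at 20210418173104417 by DelQ-18bc[NoticeMgr]"
    ),
}


def hit_context(pattern, value):
    """Return a short window around the 'q' that triggered a hit, or None."""
    match = pattern.search(value)
    if match is None:
        return None
    q_pos = match.end() - 2  # both patterns end with 'q' plus one more character
    return value[max(0, q_pos - 4):q_pos + 6]


def evaluate(samples=SAMPLES):
    """Map each sample name to the hit context for both pattern variants."""
    return {
        name: {"unanchored": hit_context(UNANCHORED, value),
               "anchored": hit_context(ANCHORED, value)}
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14} unanchored={result['unanchored']!r} anchored={result['anchored']!r}")
```

On these samples the anchored pattern no longer hits the AspQMail and Yahoo headers, whose only qualifying `q` sits inside the parentheses. The Traveler header contains no `(` at all, so it still matches on `DelQ-18bc`.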