My cellular supplier has a weekly bag of goodies (coupons, schwag) and last
week's included a free photo refrigerator magnet from CVS. So I signed up for a
CVS/Kodak account to put in my order. Like most such offers, they start
sending me marketing mail, and the first one hit KAM_SOMETLD_ARE_BAD_TLD,
with a 5.0 score. I'll be turning that score down (probably to 3.5) but I
think the rule itself is the issue. It's firing on a uri that has dot shop
as the last part of the path in a legitimate dotcom uri. Perhaps the rule
can check for the absence of a single slash before the offending TLD.
There's a helper rule that checks for false positives that could be
replaced with one that ignores TLDs after an isolated slash in a uri.
Do the KAM rules have an issue tracker where this kind of report can be
made?
The rule:
header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|b
uri __KAM_SOMETLD_ARE_BAD_TLD_URI /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|\/)/i
#FPs
uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE /(^|\b)td\.date|div\.top($|\/)/i
meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD
describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press, .guru, .casa, .online, .cam, .shop, .bar, .club & .d
score KAM_SOMETLD_ARE_BAD_TLD 5.0
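The false positive described in the post, reproduced as an added example (not part of the original message and not a KAM rule). It runs the quoted __KAM_SOMETLD_ARE_BAD_TLD_URI pattern next to a hypothetical host-anchored variant; the HOST_ONLY pattern and every sample URI are constructed for illustration.

```python
import re

# TLD list copied from the __KAM_SOMETLD_ARE_BAD_TLD_URI rule quoted above.
TLDS = "pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar"

# The URI sub-rule as quoted: ".tld" followed by "/" or end of string.
# Nothing ties the match to the hostname, so a path segment qualifies.
ORIGINAL = re.compile(r"\.(" + TLDS + r")($|\/)", re.I)

# Hypothetical host-anchored variant (an assumption, not a KAM rule):
# optional "scheme://", optional "userinfo@", then a hostname whose last
# label is one of the TLDs, an optional port, then the end of the authority.
HOST_ONLY = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"      # scheme, if present
    r"(?:[^/?#@]*@)?"                  # userinfo, if present
    r"[^/?#@:]*\.(?:" + TLDS + r")\.?" # hostname ending in a listed TLD
    r"(?::\d+)?(?:[/?#]|$)",           # port, then path/query/fragment/end
    re.I,
)


def compare(uri):
    """Return (original_rule_hits, host_anchored_hits) for one URI."""
    return (bool(ORIGINAL.search(uri)), bool(HOST_ONLY.search(uri)))


# Constructed sample URIs; none are taken from the message in the post.
SAMPLES = [
    "https://www.example.com/offers/photo.shop",  # .shop ends the path of a .com URI
    "https://www.example.com/store.top/item",     # .top inside the path
    "http://spam-example.shop/buy",               # .shop is the host's TLD
    "http://news.example.club",                   # TLD at end of string
    "https://www.example.com/index.html",         # no listed TLD anywhere
]

if __name__ == "__main__":
    for uri in SAMPLES:
        original, host_only = compare(uri)
        print(f"original={original!s:5} host_only={host_only!s:5} {uri}")
```
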