Mailing List Archive

KAM_SOMETLD_ARE_BAD_TLD false positive
I was surprised to see KAM_SOMETLD_ARE_BAD_TLD hit as a false
positive. The file was a DNS domain transfer file that someone
emailed as part of a security bug report.

To trigger the false positive, include the following. In the real-world
case this was in a DNS zone file that was sent as an attachment. But I
find that simply having it in the mail message body is sufficient.

foo IN A 127.0.0.1

I must obscure it here or it will trigger on the KAM rules. Change
the above foo to be the www DOT press in the obvious way that I am
trying to obscure it but still communicate it. Then it will hit on
this rule.

5.0 KAM_SOMETLD_ARE_BAD_TLD ...

I downgraded the score to 0.01 so I could track it, but it is obviously
too aggressive of a test at a full 5 points if it is hitting on data
in attachments.

Enjoy! :-)
Bob
Re: KAM_SOMETLD_ARE_BAD_TLD false positive
Hi Kenneth, the ruleset is designed for a system scoring over 5.0.

Did the rule from the cell provider cause an FP?

Is your threshold higher than 5.0?

There is a way to report problems listed in the file but feel free to
contact me off list and I'll tell you how to send me a sample.

Regards, KAM

On Tue, Aug 10, 2021, 22:00 Kenneth Porter <shiva@sewingwitch.com> wrote:

> My cellular supplier has a weekly bag of goodies (coupons, schwag) and last
> week's included a free photo refrigerator magnet from CVS. So I signed up a
> CVS/Kodak account to put in my order. Like most such offers, they start
> sending me marketing mail, and the first one hit KAM_SOMETLD_ARE_BAD_TLD,
> with a 5.0 score. I'll be turning that score down (probably to 3.5) but I
> think the rule itself is the issue. It's firing on a uri that has dot shop
> as the last part of the path in a legitimate dotcom uri. Perhaps the rule
> can check for the absence of a single slash before the offending TLD.
> There's a helper rule that checks for false positives that could be
> replaced with one that ignores TLDs after an isolated slash in a uri.
>
> Do the KAM rules have an issue tracker where this kind of report can be
> made?
>
> The rule:
>
> header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~
> /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|b
> uri __KAM_SOMETLD_ARE_BAD_TLD_URI
>
> /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|\/)/i
>
> #FPs
> uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE
> /(^|\b)td\.date|div\.top($|\/)/i
>
> meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) ||
> (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD
> describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top,
> .press, .guru, .casa, .online, .cam, .shop, .bar, .club & .d
> score KAM_SOMETLD_ARE_BAD_TLD 5.0
>
>
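An added illustration in Python (my own code, not part of the KAM ruleset or of anyone's message in this thread) of why the quoted URI sub-rule fires on a path component, next to a host-only check along the lines Kenneth suggests. The URIs are constructed samples, and treating a bare `www.` token as a schemeless URI is an assumption about how SpamAssassin extracts URIs.

```python
import re
from urllib.parse import urlsplit

# The URI sub-rule exactly as quoted in the thread. SpamAssassin "uri" rules
# run against every URI extracted from the body, so the path is in scope too.
BAD_TLD_URI = re.compile(
    r"\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|/)",
    re.IGNORECASE,
)
# The quoted FP-exclusion sub-rule, as written. Note the alternation splits it
# into "(^|\b)td\.date" OR "div\.top($|/)".
BAD_TLD_NEGATIVE = re.compile(r"(^|\b)td\.date|div\.top($|/)", re.IGNORECASE)
BAD_TLDS = {"pw", "stream", "trade", "press", "top", "date", "guru",
            "casa", "online", "cam", "shop", "club", "bar"}

def uri_branch_as_quoted(uri: str) -> bool:
    """The meta's URI branch as quoted: __..._URI && !__..._URI_NEGATIVE."""
    return bool(BAD_TLD_URI.search(uri)) and not BAD_TLD_NEGATIVE.search(uri)

def host_tld_check(uri: str) -> bool:
    """Hypothetical refinement: judge only the host's last label, so a
    '.shop' that sits in the path of a .com URL no longer matches."""
    # Assumption: bare 'www.example' tokens reach the rule as schemeless URIs.
    if "://" not in uri:
        uri = "http://" + uri
    host = urlsplit(uri).hostname or ""
    return host.rsplit(".", 1)[-1] in BAD_TLDS

# Constructed samples: the marketing-URL shape Kenneth describes, the host
# token from Bob's zone file, a genuine bad-TLD host, and a negative-rule hit.
SAMPLES = [
    "http://www.example.com/photo.shop/offer",  # legit .com, ".shop" in path
    "www.press",                                # hostname from the zone file
    "http://deals.example.shop/",               # host really is under .shop
    "http://example.com/div.top/x",             # excluded by the negative rule
]

def evaluate(uris=SAMPLES):
    """Map each URI to (quoted rule result, host-only result)."""
    return {u: (uri_branch_as_quoted(u), host_tld_check(u)) for u in uris}

if __name__ == "__main__":
    for uri, (quoted, host_only) in evaluate().items():
        print(f"{uri:42} quoted_rule={quoted!s:5} host_only={host_only}")
```

The host-only check clears the path-component case but still fires on `www.press` from Bob's zone file, since that really is a `.press` host; that class of FP is only addressable through the score.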
Re: KAM_SOMETLD_ARE_BAD_TLD false positive
--On Wednesday, August 11, 2021 12:29 AM -0400 "Kevin A. McGrail"
<kmcgrail@apache.org> wrote:

> Hi Kenneth, the ruleset is designed for a system scoring over 5.0.
>
> Did the rule from the cell provider cause an fp?
>
> Is your threshold higher than 5.0?

I use the stock threshold of 5.0. I'm using the ruleset via the channel
distribution on a CentOS (RHEL) 7 system.

> There is a way to report problems listed in the file but feel free to
> contact me off list and I'll tell you how to send me a sample.

Thanks, now that I know where to look, I submitted the sample with your web
form.

Perhaps you could echo the support information to the main KAM web page?
That's where I looked because that's where I found the channel information.

<https://mcgrail.com/newsmanager/news_article.cgi?&template=news.template&news_id=11&article_template=news_mcgrail_article_style>

That's what I found from following the link here:

<https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CustomRulesets>