I was surprised to see KAM_SOMETLD_ARE_BAD_TLD hit as a false
positive. The file was a DNS domain transfer file that someone
emailed as part of a security bug report.

To trigger the false positive, include the following. In the real
world case this was in a DNS zone file that was sent as an
attachment. But I find that simply having it in the mail message body
is sufficient.

    foo IN A 127.0.0.1

I must obscure it here or it will trigger on the KAM rules. Change
the above foo to be the www DOT press in the obvious way that I am
trying to obscure it but still communicate it. Then it will hit on
this rule.

    5.0 KAM_SOMETLD_ARE_BAD_TLD ...

I downgraded the score to 0.01 so I could track it, but it is obviously
too aggressive of a test at a full 5 points if it is hitting on data
in attachments.

Enjoy! :-)
Bob