Mailing List Archive

FSL_BULK_SIG in 72_active.cf
Got a remote sender sending some pictures of property damage to be
fixed.  It's all images.  The only text is:
Sent from Yahoo Mail for iPhone <https://overview.mail.yahoo.com/?.src=iOS>

It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked
the wrong checksum, chief!

However, his messages also hit: FSL_BULK_SIG=2.623.  That's a meta in
72_active.cf that looks like this:

meta     FSL_BULK_SIG          (DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE && !__RCD_RDNS_SMTP_MESSY

DCC_CHECK = 0
RAZOR2_CHECK = 0
PYZOR_CHECK = 1

__FSL_HAS_LIST_UNSUB = 0
__UNSUB_LINK = 0
__RCVD_IN_DNSWL = 0
__JM_REACTOR_DATE = 0
__RCD_RDNS_SMTP_MESSY = 0

It does not appear that the actual rule matches the spirit of the rule.

Thoughts?

-- Jared Hall
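
An added example (not from the original thread or the SpamAssassin code base): a small evaluator for the boolean subset of meta expressions, run on the rule and sub-rule values quoted in the post above. It shows that a single checksum hit satisfies FSL_BULK_SIG and how one extra exclusion term would suppress it. `__LOCAL_SHORT_BODY` is a made-up sub-rule name, and arithmetic meta operators are not handled.

```python
import re

# Rule text as quoted in the post, joined onto one line.
FSL_BULK_SIG = (
    "(DCC_CHECK || RAZOR2_CHECK || PYZOR_CHECK) && !__FSL_HAS_LIST_UNSUB"
    " && !__UNSUB_LINK && !__RCVD_IN_DNSWL && !__JM_REACTOR_DATE"
    " && !__RCD_RDNS_SMTP_MESSY"
)
# Assumption: __LOCAL_SHORT_BODY is a made-up exclusion sub-rule, not from 72_active.cf.
WITH_EXCLUSION = FSL_BULK_SIG + " && !__LOCAL_SHORT_BODY"
TOKEN = r"&&|\|\||[!()]|\w+"


def eval_meta(expr, hits):
    """Evaluate a boolean-only meta expression against the set of rules that hit."""
    if re.sub(TOKEN + r"|\s+", "", expr):
        raise ValueError("unsupported characters in expression")
    tokens = re.findall(TOKEN, expr)[::-1]  # pop() yields tokens left to right

    def chain(op, operand, combine):
        value = operand()
        while tokens and tokens[-1] == op:
            tokens.pop()
            rhs = operand()  # parse the operand first so its tokens are consumed
            value = combine(value, rhs)
        return value

    def parse_or():
        return chain("||", parse_and, lambda a, b: a or b)

    def parse_and():
        return chain("&&", parse_unary, lambda a, b: a and b)

    def parse_unary():
        tok = tokens.pop() if tokens else None
        if tok == "!":
            return not parse_unary()
        if tok == "(":
            value = parse_or()
            if not tokens or tokens.pop() != ")":
                raise ValueError("missing ')'")
            return value
        if tok is None or not re.fullmatch(r"\w+", tok):
            raise ValueError(f"expected a rule name, got {tok!r}")
        return tok in hits

    result = parse_or()
    if tokens:
        raise ValueError(f"unexpected token {tokens[-1]!r}")
    return result
```

Calling `eval_meta(FSL_BULK_SIG, {"PYZOR_CHECK"})` reproduces the hit described in the post; adding `__LOCAL_SHORT_BODY` to the hit set and evaluating `WITH_EXCLUSION` does not fire.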
Re: FSL_BULK_SIG in 72_active.cf
> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've
> picked the wrong checksum, chief!
>
> It does not appear that the actual rule matches the spirit of the rule.
>
Jared, looks to me like an FP in Pyzor.

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: FSL_BULK_SIG in 72_active.cf
On 9/23/2021 10:07 PM, Kevin A. McGrail wrote:
> Jared, looks to me like an FP in Pyzor.
>
No doubt.  The 4.608 points for a single aberration seems reasonable.

-- Jared Hall
Re: FSL_BULK_SIG in 72_active.cf
On Thu, Sep 23, 2021 at 04:24:38PM -0400, Jared Hall wrote:
> Got a remote sender sending some pictures of property damage to be fixed.  It's
> all images.  The only text is:
> Sent from Yahoo Mail for iPhone
>
> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked the
> wrong checksum, chief!

It only cares about the body, and that body has probably been reported
a million times.

pyzor local_whitelist < message

pyzor digest < message
https://app.pyzor.org/whitelist/
Re: FSL_BULK_SIG in 72_active.cf
I don't think it's reasonable but an FP in Pyzor is leading to other
rule hits.

Was the overall email marked as spam?

On 9/24/2021 12:21 AM, Jared Hall wrote:
> On 9/23/2021 10:07 PM, Kevin A. McGrail wrote:
>> Jared, looks to me like an FP in Pyzor.
>>
> No doubt.  The 4.608 points for a single aberration seems reasonable.
>
> -- Jared Hall
>
--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: FSL_BULK_SIG in 72_active.cf
>>It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've
>>picked the wrong checksum, chief!
>>
>>It does not appear that the actual rule matches the spirit of the rule.

On 23.09.21 22:07, Kevin A. McGrail wrote:
>Jared, looks to me like an FP in Pyzor.

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
an unsubscribe header.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
Re: FSL_BULK_SIG in 72_active.cf
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked
>>> the wrong checksum, chief!
>>>
>>> It does not appear that the actual rule matches the spirit of the rule.
>
> On 23.09.21 22:07, Kevin A. McGrail wrote:
>> Jared, looks to me like an FP in Pyzor.
>
> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
> attachments. (Haven't done stats tho, I can look during workweek.)
>
> Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
> unsubscribe header.

Perhaps it needs a short-message exclusion?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Gun Control laws aren't enacted to control guns, they are enacted
to control people: catholics (1500s), japanese peasants (1600s),
blacks (1860s), italian immigrants (1911), armenians (1911),
the irish (1920s), jews (1930s), blacks (1960s), the poor (always)
-----------------------------------------------------------------------
4 days until the 80th anniversary of the massacre at Babi Yar
Disarmament enables genocide - Registration enables disarmament
Re: FSL_BULK_SIG in 72_active.cf
>>>>It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.
>>>>Must've picked the wrong checksum, chief!
>>>>
>>>>It does not appear that the actual rule matches the spirit of the rule.

>>On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>Jared, looks to me like an FP in Pyzor.

>On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>attachments. (Haven't done stats tho, I can look during workweek.)
>>
>>Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>unsubscribe header.

On 25.09.21 13:19, John Hardin wrote:
>Perhaps it needs a short-message exclusion?

short messages with attachments.
if you have an idea how, I'll be glad to try.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: FSL_BULK_SIG in 72_active.cf
On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

>>>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've picked
>>>>> the wrong checksum, chief!
>>>>>
>>>>> It does not appear that the actual rule matches the spirit of the rule.
>
>>> On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>> Jared, looks to me like an FP in Pyzor.
>
>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>> attachments. (Haven't done stats tho, I can look during workweek.)
>>>
>>> Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>> unsubscribe header.
>
> On 25.09.21 13:19, John Hardin wrote:
>> Perhaps it needs a short-message exclusion?
>
> short messages with attachments. if you have an idea how, I'll be glad to
> try.

I've done some masscheck review and tuning of it, added avoidance of hits
on very short messages.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
But if there is no such inalienable right [to self defense], the
entire nature of the social contract is changed. Each man's worth
is measured solely by his utility to the state, and as such the
value of his life rides a roller coaster not unlike the stock
market: dependent not only upon the preferences of the party in
power but upon the whims of its political leaders and the
permanent bureaucratic class. -- Mike McDaniel
-----------------------------------------------------------------------
4 days until the 80th anniversary of the massacre at Babi Yar
Disarmament enables genocide - Registration enables disarmament
Re: FSL_BULK_SIG in 72_active.cf
>>>>>>It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.
>>>>>>Must've picked the wrong checksum, chief!
>>>>>>
>>>>>>It does not appear that the actual rule matches the spirit of the rule.

>>>>On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>>>Jared, looks to me like an FP in Pyzor.

>>>On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>>>RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>>>attachments. (Haven't done stats tho, I can look during workweek.)
>>>>
>>>>Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>>>unsubscribe header.

>>On 25.09.21 13:19, John Hardin wrote:
>>>Perhaps it needs a short-message exclusion?

>On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>short messages with attachments. if you have an idea how, I'll be
>>glad to try.

On 25.09.21 15:04, John Hardin wrote:
>I've done some masscheck review and tuning of it, added avoidance of
>hits on very short messages.

I'm afraid it did not help.
It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
FSL_BULK_SIG pushes such mail easily over the default spam score.

I just analyzed a few samples, a few also hit GMD_PDF_EMPTY_BODY
with sa -D, many of them hit __HTML_LENGTH_1024_1536
(damn microsoft! 1k of "empty" message).

OK, I will work around locally.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
Re: FSL_BULK_SIG in 72_active.cf
On Tue, 5 Oct 2021, Matus UHLAR - fantomas wrote:

>>>>>>> It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've
>>>>>>> picked the wrong checksum, chief!
>>>>>>>
>>>>>>> It does not appear that the actual rule matches the spirit of the
>>>>>>> rule.
>
>>>>> On 23.09.21 22:07, Kevin A. McGrail wrote:
>>>>>> Jared, looks to me like an FP in Pyzor.
>
>>>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>>>> RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
>>>>> attachments. (Haven't done stats tho, I can look during workweek.)
>>>>>
>>>>> Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
>>>>> unsubscribe header.
>
>>> On 25.09.21 13:19, John Hardin wrote:
>>>> Perhaps it needs a short-message exclusion?
>
>> On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
>>> short messages with attachments. if you have an idea how, I'll be glad to
>>> try.
>
> On 25.09.21 15:04, John Hardin wrote:
>> I've done some masscheck review and tuning of it, added avoidance of hits
>> on very short messages.
>
> I'm afraid it did not help.
> It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
> FSL_BULK_SIG pushes such mail easily over default spam score.
>
> I just analyzed a few samples, a few also hit GMD_PDF_EMPTY_BODY with sa -D,
> many of them hit __HTML_LENGTH_1024_1536
> (damn microsoft! 1k of "empty" message).
>
> OK, I will work around locally.

I noticed the PDF attachment hit in masschecks, but presumed (since the
attachments were images) that it wasn't germane to the OP's problem. I
should have added an exclusion for that as well. I will later today,
work is booting up... :)

I'd be interested in the rule hits if you're willing to share.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
493 days since the first private commercial manned orbital mission (SpaceX)