
false hits on FORM_FM
This morning I found a lot of ham in my maybe-spam inboxes (1-4 points).
I found that this rule was hitting:

* 4.0 FROM_FMBLA_NEWDOM From domain was registered in last 7 days

and the common pattern in the messages was that the From: addresses were
all @gmail.com. All of the messages were normal legit messages, some on
weewx-users list, and some were commit messages from pkgsrc-wip.

I had earlier upped the score of this rule as I found it to work very
well.

(Yes, I know that doesn't count as an FP under strict SA doctrine, esp
since I had upped the score. But it's still wrong for FROM_FMBLA_NEWDOM
to fire on gmail.com which is... not new.)

I reran SA on one message just now, and it scored normally, with no
FROM_FMBLA_NEWDOM hit.

This seems to be fresh.fmb.la as described:

https://fmb.la/pages/about


So I wonder if anybody else got a bunch of incorrect hits from fmb.la?
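One way to do the tally described above (which messages carry the rule in their SpamAssassin X-Spam-Status header, grouped by From: domain) as an added Python example; it is not code from the thread, and the sample messages and their header values are constructed here:

```python
import email
from collections import Counter
from email.utils import parseaddr

# Constructed sample messages (not from the thread). X-Spam-Status is the
# header SpamAssassin adds; its "tests=" field lists the rules that fired.
SAMPLE_MESSAGES = [
    """From: Alice <alice@gmail.com>
Subject: Re: weewx driver question
X-Spam-Status: No, score=3.1 required=5.0 tests=FROM_FMBLA_NEWDOM,
\tDKIM_VALID_AU,HTML_MESSAGE autolearn=no version=3.4.6

Ham that picked up the new-domain rule.
""",
    """From: Bob <bob@gmail.com>
Subject: [pkgsrc-wip] commit: foo-1.2
X-Spam-Status: No, score=2.4 required=5.0 tests=FROM_FMBLA_NEWDOM,
\tDKIM_VALID_AU autolearn=no version=3.4.6

Commit notification.
""",
    """From: Carol <carol@example.org>
Subject: Hello
X-Spam-Status: No, score=-0.5 required=5.0 tests=DKIM_VALID_AU
\tautolearn=ham version=3.4.6

Plain ham, rule did not fire.
""",
]


def hit_rules(msg):
    """Return the rule names listed in tests= of X-Spam-Status.

    The header is usually folded over several lines, so we split on all
    whitespace and collect tokens from tests= up to the next key=value.
    """
    rules, collecting = [], False
    for tok in msg.get("X-Spam-Status", "").split():
        if tok.startswith("tests="):
            collecting, tok = True, tok[len("tests="):]
        elif collecting and "=" in tok:
            break  # reached autolearn=/version=, list is over
        if collecting:
            rules.extend(r for r in tok.split(",") if r)
    return rules


def from_domain(msg):
    """Lower-cased domain part of the From: address."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def domains_hit_by(raw_messages, rule):
    """Count From: domains among messages on which `rule` fired."""
    counts = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if rule in hit_rules(msg):
            counts[from_domain(msg)] += 1
    return counts
```

Running `domains_hit_by` over a whole maybe-spam folder makes a DNSBL-wide glitch (one long-established domain dominating the hits) stand out from an ordinary mix of rule hits.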
Re: false hits on FORM_FM
On 2022-02-27 at 08:58:57 UTC-0500 (Sun, 27 Feb 2022 08:58:57 -0500)
Greg Troxel <gdt@lexort.com>
is rumored to have said:

> This morning I found a lot of ham in my maybe-spam inboxes (1-4 points).
> I found that this rule was hitting:
>
> * 4.0 FROM_FMBLA_NEWDOM From domain was registered in last 7 days
>
> and the common pattern in the messages was that the From: addresses were
> all @gmail.com. All of the messages were normal legit messages, some on
> weewx-users list, and some were commit messages from pkgsrc-wip.

Odd.

Impossible to analyze without a concrete example, of course.

> I had earlier upped the score of this rule as I found it to work very
> well.

Yeah, don't do that. Rule scoring takes into account (programmatically)
the fact that most rules match a mix of ham and spam and specifically
that individual rules are "wrong" to some degree. Rules should not be
scored so as to stomp on the indicators of hamminess that also exist in
messages, unless there is something intrinsic to the rule that makes it
hyper-reliable. FROM_FMBLA_NEWDOM is not such a rule.

> (Yes, I know that doesn't count as an FP under strict SA doctrine, esp
> since I had upped the score. But it's still wrong for FROM_FMBLA_NEWDOM
> to fire on gmail.com which is... not new.)

Absent a concrete example that reproduces this, it is impossible to know
whether it was actually firing on the header address that you believe it
was. The ephemeral nature of that DNSBL's entries does not help.

>
> I reran SA on one message just now, and it scored normally, with no
> FROM_FMBLA_NEWDOM hit.
>
> This seems to be fresh.fmb.la as described:
>
> https://fmb.la/pages/about
>
>
> So I wonder if anybody else got a bunch of incorrect hits from fmb.la?

I see some hits on alerts from a Zabbix server this morning that uses a
very old sender domain. Same messages do not hit on the rule currently.
Likely a problem with the DNSBL.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire