new rule for kam :)
# test for empty src="" or empty href=""
rawbody __HREF_EMPTY /href=\"\"/
rawbody __SRC_EMPTY /src=\"\"/

meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
score LOCAL_BADLY_HTML 3 3 3 3

too much spams in hotmail
Re: new rule for kam :)
Just a question about the scoring...
What does the 4 "3's" mean at the end of the score?
I would have written it like this:
score LOCAL_BADLY_HTML 3.0


On Wednesday, August 23, 2023 at 08:24:39 AM CDT, Benny Pedersen <me@junc.eu> wrote:


# test for empty src="" or empty href=""
rawbody __HREF_EMPTY /href=\"\"/
rawbody __SRC_EMPTY /src=\"\"/

meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
score LOCAL_BADLY_HTML 3 3 3 3

too much spams in hotmail
Re: new rule for kam :)
Denny Jones via users skrev den 2023-08-23 19:41:
> Just a question about the scoring...

+1

> What does the 4 "3's" mean at the end of the score?

if just one score is given, it defaults to all score sets, but if 4 3
is defined, it's basically same on all score sets :)

i just lost what the score sets is

>
> I would have written it like this:
> score LOCAL_BADLY_HTML 3.0

spamassassin is opensource, so perfectly no problem

all those that read help me improve it, i am unsure if i should anchor
it or not
Re: new rule for kam :)
Hello,

On Wed, Aug 23, 2023 at 03:24:22PM +0200, Benny Pedersen wrote:
> # test for empty src="" or empty href=""
> rawbody __HREF_EMPTY /href=\"\"/
> rawbody __SRC_EMPTY /src=\"\"/

I checked this against about 80k of my recent personal emails and it
matched quite a lot of previously not found spam, but did also match
on every auto response from one of my suppliers. It seems after
every customer service interaction they send a "how did we do? fill
in this survey" email from qualtrics.com which contains:

<v:fill type="tile" src="" color="#FFFFFF"/>

It wouldn't be much of a loss, but it's not spam either.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: new rule for kam :)
On Wed, 23 Aug 2023, Andy Smith wrote:

> Hello,
>
> On Wed, Aug 23, 2023 at 03:24:22PM +0200, Benny Pedersen wrote:
>> # test for empty src="" or empty href=""
>> rawbody __HREF_EMPTY /href=\"\"/
>> rawbody __SRC_EMPTY /src=\"\"/
>
> I checked this against about 80k of my recent personal emails and it
> matched quite a lot of previously not found spam, but did also match
> on every auto response from one of my suppliers. It seems after
> every customer service interaction they send a "how did we do? fill
> in this survey" email from qualtrics.com which contains:
>
> <v:fill type="tile" src="" color="#FFFFFF"/>
>
> It wouldn't be much of a loss, but it's not spam either.

How did they perform individually?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #4: If your shooting stance is good,
you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
5 days until Exercise Your Rights day
Re: new rule for kam :)
On Wed, 23 Aug 2023, Benny Pedersen wrote:

>
> # test for empty src="" or empty href=""
> rawbody __HREF_EMPTY /href=\"\"/
> rawbody __SRC_EMPTY /src=\"\"/
>
> meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
> describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
> score LOCAL_BADLY_HTML 3 3 3 3
>
> too much spams in hotmail

I'll put the subrules in my sandbox so they can be evaluated by masscheck.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XI: Everything is air-droppable at least once.
-----------------------------------------------------------------------
5 days until Exercise Your Rights day
Re: new rule for kam :)
On 23.08.23 15:24, Benny Pedersen wrote:
># test for empty src="" or empty href=""
>rawbody __HREF_EMPTY /href=\"\"/
>rawbody __SRC_EMPTY /src=\"\"/
>
>meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
>describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
>score LOCAL_BADLY_HTML 3 3 3 3
>
>too much spams in hotmail

not so good numbers here. Only spam that wasn't rejected here:

% grep -c '^From ' spam
9332
% grep -Fc 'src=""' spam
3
% grep -Fc 'href=""' spam
18


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
Re: new rule for kam :)
Hi,

On Wed, Aug 23, 2023 at 06:14:45PM -0700, John Hardin wrote:
> On Wed, 23 Aug 2023, Andy Smith wrote:
> > On Wed, Aug 23, 2023 at 03:24:22PM +0200, Benny Pedersen wrote:
> > > # test for empty src="" or empty href=""
> > > rawbody __HREF_EMPTY /href=\"\"/
> > > rawbody __SRC_EMPTY /src=\"\"/
> >
> > I checked this against about 80k of my recent personal emails and it
> > matched quite a lot of previously not found spam, but did also match
> > on every auto response from one of my suppliers. It seems after
> > every customer service interaction they send a "how did we do? fill
> > in this survey" email from qualtrics.com which contains:
> >
> > <v:fill type="tile" src="" color="#FFFFFF"/>
> >
> > It wouldn't be much of a loss, but it's not spam either.
>
> How did they perform individually?

The only non-spam that matched for me was the above, with src="".
Everything with href="" was spam.

There was some overlap — some spam had both — but some spam had only
href="" and some spam had only src="".

I'm sure KAM has a much bigger corpus to do automated tests on…

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: new rule for kam :)
On Thu, 24 Aug 2023, Matus UHLAR - fantomas wrote:

> On 23.08.23 15:24, Benny Pedersen wrote:
>> # test for empty src="" or empty href=""
>> rawbody __HREF_EMPTY /href=\"\"/
>> rawbody __SRC_EMPTY /src=\"\"/
>>
>> meta LOCAL_BADLY_HTML (__HREF_EMPTY || __SRC_EMPTY)
>> describe LOCAL_BADLY_HTML Meta: __HREF_EMPTY || __SRC_EMPTY
>> score LOCAL_BADLY_HTML 3 3 3 3
>>
>> too much spams in hotmail
>
> not so good numbers here. Only spam that wasn't rejected here:
>
> % grep -c '^From ' spam
> 9332
> % grep -Fc 'src=""' spam
> 3
> % grep -Fc 'href=""' spam
> 18

Not so great in masschecks, either:

  SPAM%     HAM%     S/O    RANK   SCORE  NAME
 0.1225   0.2296   0.348    0.42   (n/a)  __SRC_EMPTY
 0.5682   1.8685   0.233    0.41   (n/a)  __HREF_EMPTY

https://ruleqa.spamassassin.org/20230824-r1911889-n/__SRC_EMPTY/detail

https://ruleqa.spamassassin.org/20230824-r1911889-n/__HREF_EMPTY/detail

They might be useful in metas with other conditions, but not in isolation.


overlap spam: 81% of __HREF_EMPTY hits also hit T_FSL_RCVD_TR_1; 1% of
T_FSL_RCVD_TR_1 hits also hit __HREF_EMPTY (ham 1%)

overlap spam: 42% of __HREF_EMPTY hits also hit __HAS_X_AUTHED_SENDER;
19% of __HAS_X_AUTHED_SENDER hits also hit __HREF_EMPTY (ham 1%)

I'll add a few of those to see how they do.


F'ing legit emailers that generate crap HTML.... {fume}



--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Once more, please; I missed it the last time: what's the difference
between "Quantitative Easing" and "Counterfeiting"?
-----------------------------------------------------------------------
4 days until Exercise Your Rights day
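
As an added example (not code from the thread or from SpamAssassin), this Python script recomputes the S/O column of the masscheck table above from its SPAM% and HAM% values and runs the two posted patterns over a small labelled corpus that includes the qualtrics VML line quoted earlier. The tag-anchored variants, the helper names and every sample message except that VML line are assumptions constructed for illustration.

```python
import re

# The two sub-rule patterns exactly as posted in the thread.
POSTED = {
    "__HREF_EMPTY": re.compile(r'href=\"\"'),
    "__SRC_EMPTY": re.compile(r'src=\"\"'),
}
# Hypothetical tag-anchored variants (not from the thread): the empty
# attribute only counts when it sits inside an <a ...> or <img ...> tag.
ANCHORED = {
    "__HREF_EMPTY": re.compile(r'<a\b[^>]*\bhref=""', re.I),
    "__SRC_EMPTY": re.compile(r'<img\b[^>]*\bsrc=""', re.I),
}

# Constructed corpus of (is_spam, raw HTML body) pairs.
CORPUS = [
    (True, '<a href="">Claim your prize</a>'),
    (True, '<img src="" width="1" height="1"><a href="">click</a>'),
    (True, '<a href="http://example.invalid/">cheap pills</a>'),
    (False, '<v:fill type="tile" src="" color="#FFFFFF"/>'),  # line quoted in the thread
    (False, '<a href="https://example.invalid/invoice">Your invoice</a>'),
    (False, '<p>Meeting moved to 3pm</p>'),
]

def s_o(spam_pct, ham_pct):
    """S/O ratio: spam% / (spam% + ham%), matching the posted table."""
    total = spam_pct + ham_pct
    return round(spam_pct / total, 3) if total else None

def evaluate(rules, corpus):
    """Return {rule: (spam%, ham%, S/O)} over a labelled corpus."""
    n_spam = sum(1 for is_spam, _ in corpus if is_spam)
    n_ham = len(corpus) - n_spam
    out = {}
    for name, rx in rules.items():
        s = sum(1 for is_spam, body in corpus if is_spam and rx.search(body))
        h = sum(1 for is_spam, body in corpus if not is_spam and rx.search(body))
        spam_pct, ham_pct = 100.0 * s / n_spam, 100.0 * h / n_ham
        out[name] = (round(spam_pct, 1), round(ham_pct, 1), s_o(spam_pct, ham_pct))
    return out

if __name__ == "__main__":
    print("masscheck S/O:", s_o(0.1225, 0.2296), s_o(0.5682, 1.8685))
    for label, rules in (("posted", POSTED), ("anchored", ANCHORED)):
        print(label, evaluate(rules, CORPUS))
```

On this constructed corpus the posted `__SRC_EMPTY` hits the `<v:fill>` ham line and lands at S/O 0.5, while the anchored variant does not match it; only a real corpus such as masscheck can show whether anchoring helps in practice.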