
Too many dots?
Hi,
I recently had an account activation email blocked due to AC_FROM_MANY_DOTS
in the From address:

From: VitalSource <Do.Not.Reply@vitalsource.com>

It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing it
over to spam.
* 1.5 KAM_SENDGRID Sendgrid being exploited by scammers
* 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
* 0.2 KAM_MARKETINGBL_PCCC Message contains URI associated with

in addition to a few smaller rules, like KAM_DMARC_NONE.

Does it sound reasonable to add 3 points plus another 1.5 simply for having
been sent by sendgrid? How do we offset those points? Do we just rely on
bayes/txrep?

I think my bayes db is pretty well-trained, but there's also a lot of
account activation fraud emails.
Re: Too many dots?
Alex wrote:
> Hi,
> I recently had an account activation email blocked due
> to AC_FROM_MANY_DOTS in the From address:
>
> From: VitalSource <Do.Not.Reply@vitalsource.com
> <mailto:Do.Not.Reply@vitalsource.com>>
>
> It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing
> it over to spam.
>  *  1.5 KAM_SENDGRID Sendgrid being exploited by scammers
>  *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>  *  0.2 KAM_MARKETINGBL_PCCC Message contains URI associated with
>
> in addition to a few smaller rules, like KAM_DMARC_NONE.
>
> Does it sound reasonable to add 3 points plus another 1.5 simply for
> having been sent by sendgrid? How do we offset those points? Do we just
> rely on bayes/txrep?
>
> I think my bayes db is pretty well-trained, but there's also a lot of
> account activation fraud emails.

Third party rule sets always need evaluation for your local mail flow.
And you can always override scores in a third party channel with a local
channel loaded after any others, or in a .cf in your local configuration
directory.

I looked at the KAM rules and decided that using them as-is was a
nonstarter. However, using selected rule groups, at a reduced score,
for spam I've had a hard time writing my own rules, has worked quite
well. (Up until the spammers started just dropping their fake invoice
content into an attached image - or PDF.)

-kgd
Re: Too many dots?
>Alex wrote:
>>I recently had an account activation email blocked due
>>to AC_FROM_MANY_DOTS in the From address:
>>
>>From: VitalSource <Do.Not.Reply@vitalsource.com
>><mailto:Do.Not.Reply@vitalsource.com>>
>>
>>It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC,
>>pushing it over to spam.
>>  *  1.5 KAM_SENDGRID Sendgrid being exploited by scammers
>>  *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>>  *  0.2 KAM_MARKETINGBL_PCCC Message contains URI associated with
>>
>>in addition to a few smaller rules, like KAM_DMARC_NONE.
>>
>>Does it sound reasonable to add 3 points plus another 1.5 simply for
>>having been sent by sendgrid? How do we offset those points? Do we
>>just rely on bayes/txrep?
>>
>>I think my bayes db is pretty well-trained, but there's also a lot
>>of account activation fraud emails.

On 16.11.23 10:29, Kris Deugau wrote:
>Third party rule sets always need evaluation for your local mail flow.

Just FYI:
AC_FROM_MANY_DOTS is a stock SA rule and has score 3, as OP complained:

score AC_FROM_MANY_DOTS 2.999 2.999 2.999 2.999

From this point of view, KAM rules are a bit safer:

score KAM_MARKETINGBL_PCCC 1.0
score KAM_SENDGRID 1.50

>And you can always override scores in a third party channel with a
>local channel loaded after any others, or in a .cf in your local
>configuration directory.

The same applies to stock SA rules, FYI.

>I looked at the KAM rules and decided that using them as-is was a
>nonstarter. However, using selected rule groups, at a reduced score,
>for spam I've had a hard time writing my own rules, has worked quite
>well. (Up until the spammers started just dropping their fake invoice
>content into an attached image - or PDF.)

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
Re: Too many dots?
Hi,

> >>Does it sound reasonable to add 3 points plus another 1.5 simply for
> >>having been sent by sendgrid? How do we offset those points? Do we
> >>just rely on bayes/txrep?
> >>
> >>I think my bayes db is pretty well-trained, but there's also a lot
> >>of account activation fraud emails.
>
> On 16.11.23 10:29, Kris Deugau wrote:
> >Third party rule sets always need evaluation for your local mail flow.
>
> Just FYI:
> AC_FROM_MANY_DOTS is a stock SA rule and has score 3, as OP complained:
>
> score AC_FROM_MANY_DOTS 2.999 2.999 2.999 2.999
>

Yes, of course, I realize I can control scores on my own system - I was
just requesting an analysis because it seems quite high, and thought it
deserved to be evaluated for everyone.

Also, the KAM rules are designed to be used in conjunction with the stock
rules, so it also seemed somewhat punitive to award so many points and to
be expected to offset them for a completely benign email.

Thanks,
Alex
Re: Too many dots?
Alex <mysqlstudent@gmail.com> writes:

> Also, the KAM rules are designed to be used in conjunction with the stock
> rules, so it also seemed somewhat punitive to award so many points and to
> be expected to offset them for a completely benign email.

My experience is that many of the KAM rules are unreasonably
aggressive.

In particular, I don't think it's ok for a rule to be over 3 points,
unless it is virtually certain that any message that hits it will be
spam. Overall, they don't feel tuned to meet SA doctrine which AIUI is
that there should be quite rare FPs, meaning ham >= 5 points.

I have reported a number of FPs. I have ~always heard back and had
reasonable discussions. But it usually turns out that KAM thinks the
aggressiveness of whatever rule I am having problems with is good on
balance. It might be; that's a really hard question to answer.

Overall, I've had too many problems with FPs, and given that my view of
how things should be and the ruleset's view are far enough apart, I
decided to just stop using it. I was expecting to get more spam through
but it has not been noticeable (that's a perception, not anything
careful, and of course the arriving spam changes over time).
Re: Too many dots?
On 11/16/23 17:26, Greg Troxel wrote:
> Alex <mysqlstudent@gmail.com> writes:
>
>> Also, the KAM rules are designed to be used in conjunction with the stock
>> rules, so it also seemed somewhat punitive to award so many points and to
>> be expected to offset them for a completely benign email.
>
> My experience is that many of the KAM rules are unreasonably
> aggressive.
>
> In particular, I don't think it's ok for a rule to be over 3 points,
> unless it is virtually certain that any message that hits it will be
> spam. Overall, they don't feel tuned to meet SA doctrine which AIUI is
> that there should be quite rare FPs, meaning ham >= 5 points.
>
You can work with sa-update(1) --score-multiplier and --score-limit to reduce the scores of KAM rules.
This might improve the situation in your case.
Giovanni
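Kris's point that a local channel loaded last (or a .cf in the local configuration directory) overrides earlier scores, and Giovanni's sa-update --score-multiplier / --score-limit suggestion, modelled in Python as an added example that is not from any poster in this thread: it parses SA `score` lines into the active score set, rescales a KAM channel, layers a site override on top, and totals the hits from the original message. The exact clamping behaviour of --score-limit and the .cf fragments are assumptions, built only from the score values quoted in the thread.

```python
"""Added example: layered SpamAssassin score resolution plus channel rescaling."""
import re

# 'score RULE n' or 'score RULE n n n n' (one value per score set 0..3).
SCORE_RE = re.compile(r"^\s*score\s+(\S+)((?:\s+-?\d+(?:\.\d+)?){1,4})\s*$")

def parse_scores(cf_text, score_set=3):
    """Return {rule: score}; score_set 3 = Bayes and network tests enabled."""
    scores = {}
    for line in cf_text.splitlines():
        m = SCORE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        cols = [float(c) for c in m.group(2).split()]
        scores[m.group(1)] = cols[score_set] if len(cols) == 4 else cols[0]
    return scores

def rescale(scores, multiplier=1.0, limit=None):
    """Assumed sa-update --score-multiplier / --score-limit semantics:
    multiply every score, then clamp its magnitude to the limit."""
    out = {}
    for rule, s in scores.items():
        s *= multiplier
        if limit is not None and abs(s) > limit:
            s = limit if s > 0 else -limit
        out[rule] = round(s, 3)
    return out

def merge_layers(*layers):
    """Later layers win, as a channel loaded last or a site local.cf does."""
    merged = {}
    for layer in layers:
        merged.update(layer)
    return merged

def total_score(hits, scores):
    return round(sum(scores.get(rule, 0.0) for rule in hits), 3)

# Constructed .cf fragments using the scores quoted in the thread.
STOCK_CF = "score AC_FROM_MANY_DOTS 2.999 2.999 2.999 2.999\nscore BAYES_50 0.8\n"
KAM_CF = "score KAM_MARKETINGBL_PCCC 1.0\nscore KAM_SENDGRID 1.50\n"
LOCAL_CF = "score AC_FROM_MANY_DOTS 2.5  # site override, loaded last\n"
HITS = ["AC_FROM_MANY_DOTS", "KAM_SENDGRID", "BAYES_50", "KAM_MARKETINGBL_PCCC"]

def before_and_after():
    """Totals for the message's hits: shipped scores vs. KAM halved and
    capped at 1.0 with the local override applied (default threshold is 5.0)."""
    shipped = merge_layers(parse_scores(STOCK_CF), parse_scores(KAM_CF))
    tuned = merge_layers(parse_scores(STOCK_CF),
                         rescale(parse_scores(KAM_CF), multiplier=0.5, limit=1.0),
                         parse_scores(LOCAL_CF))
    return total_score(HITS, shipped), total_score(HITS, tuned)

if __name__ == "__main__":
    print(before_and_after())  # (6.299, 4.55)
```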
Re: Too many dots?
On Thu, 16 Nov 2023, Matus UHLAR - fantomas wrote:

>> Alex wrote:
>>> I recently had an account activation email blocked due
>>> to AC_FROM_MANY_DOTS in the From address:
>>>
>>> From: VitalSource <Do.Not.Reply@vitalsource.com
>>> <mailto:Do.Not.Reply@vitalsource.com>>
>
> On 16.11.23 10:29, Kris Deugau wrote:
>
> Just FYI:
> AC_FROM_MANY_DOTS is a stock SA rule and has score 3, as OP complained:
>
> score AC_FROM_MANY_DOTS 2.999 2.999 2.999 2.999

...because it performs very well in masschecks.

I have added an exclusion for this use case and dropped the score limit to 2.500

> plus another 1.5 simply for having been sent by sendgrid?

Is that all that rule does, vs. hitting *specific* SendGrid accounts?


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...to announce there must be no criticism of the President or to
stand by the President right or wrong is not only unpatriotic and
servile, but is morally treasonous to the American public.
-- Theodore Roosevelt, 1918
-----------------------------------------------------------------------
1,265 days since the first private commercial manned orbital mission (SpaceX)