
Mailing List Archive: SpamAssassin: devel

[Bug 6744] FREEMAIL_REPLYTO False Positives



bugzilla-daemon at bugzilla

Dec 29, 2011, 9:26 AM

Post #1 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

Kevin A. McGrail <kmcgrail [at] pccc> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |kmcgrail [at] pccc

--- Comment #1 from Kevin A. McGrail <kmcgrail [at] pccc> 2011-12-29 17:26:19 UTC ---
Following up:

FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit

The false positives on these rules (combined 2.3) seem very high as well. The
freemail rules in general seem arbitrarily high the more I look into them.

It seems that there should be more meta tests or something and perhaps let
masscheck suggest some scores for these rules.

--
Configure bugmail: https://issues.apache.org/SpamAssassin/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.


bugzilla-daemon at bugzilla

Dec 29, 2011, 10:04 AM

Post #2 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

Benny Pedersen <me [at] junc> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |me [at] junc

--- Comment #2 from Benny Pedersen <me [at] junc> 2011-12-29 18:04:00 UTC ---
Try adding body addresses to freemail_whitelist, or tell senders not to put @
into the body. Big hint :-)



bugzilla-daemon at bugzilla

Dec 29, 2011, 10:09 AM

Post #3 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

--- Comment #3 from Benny Pedersen <me [at] junc> 2011-12-29 18:09:40 UTC ---
Message-ID is Yahoo, where is the DKIM header? Hope it is just a bad example, or
does Yahoo not DKIM-sign all mail?

If the real-life example has DKIM, why not whitelist_from sender [at] example?



bugzilla-daemon at bugzilla

Dec 29, 2011, 10:13 AM

Post #4 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

--- Comment #4 from Kevin A. McGrail <kmcgrail [at] pccc> 2011-12-29 18:13:05 UTC ---
(In reply to comment #3)
> Message-ID is Yahoo, where is the DKIM header? Hope it is just a bad example, or
> does Yahoo not DKIM-sign all mail?
>
> If the real-life example has DKIM, why not whitelist_from sender [at] example?

This is a heavily munged email just to show the key point, which is that if a
Yahoo user emails while quoting another Yahoo sender, then the rule hits with a
2.775 score, for example.

Whitelisting is not appropriate. I think the FREEMAIL rules might have a lot
of likely FPs.



bugzilla-daemon at bugzilla

Dec 29, 2011, 10:26 AM

Post #5 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

--- Comment #5 from Benny Pedersen <me [at] junc> 2011-12-29 18:26:25 UTC ---
So masscheck scores must not give FPs even if whitelisting is possible?

FP is IMHO a sign of missing corpus.



bugzilla-daemon at bugzilla

Dec 29, 2011, 10:29 AM

Post #6 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

John Hardin <jhardin [at] impsec> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |jhardin [at] impsec

--- Comment #6 from John Hardin <jhardin [at] impsec> 2011-12-29 18:29:35 UTC ---
(In reply to comment #1)
> Following up:
>
> FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
> FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit
>
> The false positives on these rules (combined 2.3) seem very high as well. The
> freemail rules in general seem arbitrarily high the more I look into them.
>
> It seems that there should be more meta tests or something and perhaps let
> masscheck suggest some scores for these rules.

Agreed, given the nature of freemail services.



bugzilla-daemon at bugzilla

Dec 29, 2011, 12:13 PM

Post #7 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

--- Comment #7 from Kevin A. McGrail <kmcgrail [at] pccc> 2011-12-29 20:13:03 UTC ---
(In reply to comment #5)
> So masscheck scores must not give FPs even if whitelisting is possible?

The scores currently in place are hard coded overrides of masscheck.

To me, whitelisting and blacklisting are worst-case scenarios and algorithms
should be the focus.

> FP is IMHO a sign of missing corpus.

I don't know what you mean as the scores and these rules are being forced
active. I am not 100% certain but I question if they would be promoted or not.



bugzilla-daemon at bugzilla

Dec 29, 2011, 12:24 PM

Post #8 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

Daniel J McDonald <dan.mcdonald [at] austinenergy> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dan.mcdonald [at] austinenergy

--- Comment #8 from Daniel J McDonald <dan.mcdonald [at] austinenergy> 2011-12-29 20:24:25 UTC ---
I have also seen what appears to be a false positive based on someone making an
inline-forward of a message that had a cc: to another freemail account. I
asked the customer for a better spample about a week ago and have not yet
received it, so I had not raised it as a bug.

On the other hand, FREEMAIL_REPLYTO has been a very fruitful rule for us in
production, especially in metas. I'd hate to see it go away completely.

The rule could probably be improved by excluding mail addresses that appear to
be in a forwarded message header - looking for To: or CC: near the beginning of
a body line with Subject: within a few lines beyond.

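
A prototype of the exclusion suggested in comment #8, as an added example that is not part of the original thread and not the plugin's own code: body lines starting with To: or Cc: are ignored when a Subject: line follows within a few lines. The freemail domain list, the 5-line window, the quote-prefix allowance and both sample bodies are assumptions constructed for illustration.

```python
import re

# Assumptions of this sketch: the freemail domain list, the 5-line window
# and the quote-prefix allowance are illustrative, not plugin settings.
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com"}
SUBJECT_WINDOW = 5
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
PREFIX = r"[>\s]{0,8}"  # tolerate "> " quoting or indentation before the field
RCPT_RE = re.compile(PREFIX + r"(?:To|Cc):", re.IGNORECASE)
SUBJECT_RE = re.compile(PREFIX + r"Subject:", re.IGNORECASE)

# Constructed sample bodies (not taken from the bug report).
INLINE_FORWARD = """Please see the thread below.

-------- Original Message --------
From: Alice <alice@example.org>
To: bob@example.org
Cc: carol77@yahoo.com
Subject: Quarterly numbers

Numbers attached."""
NO_SUBJECT_NEARBY = "To: confirm, write to agent9@gmail.com today."


def forwarded_header_lines(lines):
    """Indexes of To:/Cc: body lines with Subject: within the next few lines."""
    skip = set()
    for i, line in enumerate(lines):
        if RCPT_RE.match(line):
            window = lines[i + 1 : i + 1 + SUBJECT_WINDOW]
            if any(SUBJECT_RE.match(nxt) for nxt in window):
                skip.add(i)
    return skip


def body_freemail_addresses(body, exclude_forwarded=True):
    """Freemail addresses in a body, optionally skipping forwarded headers."""
    lines = body.splitlines()
    skip = forwarded_header_lines(lines) if exclude_forwarded else set()
    found = set()
    for i, line in enumerate(lines):
        if i in skip:
            continue
        for m in ADDR_RE.finditer(line):
            if m.group(1).lower() in FREEMAIL_DOMAINS:
                found.add(m.group(0).lower())
    return found
```

The second sample shows why the Subject: look-ahead matters: a body line that merely begins with "To:" is still scanned when no Subject: line follows it.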


bugzilla-daemon at bugzilla

Dec 29, 2011, 12:46 PM

Post #9 of 9
[Bug 6744] FREEMAIL_REPLYTO False Positives [In reply to]

https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6744

Kevin A. McGrail <kmcgrail [at] pccc> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED

--- Comment #9 from Kevin A. McGrail <kmcgrail [at] pccc> 2011-12-29 20:46:48 UTC ---
According to bug 6394, this is not the first time this has been discussed:

Here are the current scores for FREEMAIL:

#FREEMAIL SCORES
score FREEMAIL_FORGED_REPLYTO 1.199 2.503 1.204 2.095
score FREEMAIL_REPLY 2.499 2.499 1.788 1.929
score FREEMAIL_REPLYTO 3.257 2.775 1.811 2.398
score FREEMAIL_REPLYTO_END_DIGIT 1.221 0.980 1.179 1.151
# Bug 6394, score 1.5 is too high, depends on local traffic
score FREEMAIL_ENVFROM_END_DIGIT 0.1
score FREEMAIL_FROM 0.001


I'm making the following changes but open to others tweaking the plugin,
tweaking the scores or even disabling the rules and putting them into masscheck
for auto-promotion (or not as the case may be).

#FREEMAIL SCORES - Scores lowered per bug 6744
score FREEMAIL_FORGED_REPLYTO 1.199 2.503 1.204 2.095
score FREEMAIL_REPLY 1.0
score FREEMAIL_REPLYTO 1.0
score FREEMAIL_REPLYTO_END_DIGIT 0.25
score FREEMAIL_ENVFROM_END_DIGIT 0.25
score FREEMAIL_FROM 0.001

In short, the above scores are possibly just a band-aid but they should
mitigate an issue we know is occurring. And, for example, the FP I mentioned
at the start was completely legit but fired 5.1 points JUST from the Freemail
rules. That's almost a poison pill rule.

I think these could be improved with meta rules but someone would need to pick
up that baton. I want to focus on 3.4.0 blockers.

svn commit -m 'Grouping Freemail scores and lowering then substantially per bug
6744'
Sending rules/50_scores.cf
Transmitting file data .
Committed revision 1225646.
