
Mailing List Archive: SpamAssassin: users

Understanding AXB_X_AOL_SEZ_S



mysqlstudent at gmail

Mar 15, 2012, 12:52 PM

Post #1 of 5 (475 views)
Understanding AXB_X_AOL_SEZ_S

Hi,

I've noticed that a number of hams have been tagged with
AXB_X_AOL_SEZ_S, creating false positives. Is this looking for a
simple pattern in the body that would cause so many fp's for me?

Here's an example:

http://pastebin.com/raw.php?i=5USWwdQT

What is it in this that is hitting? Here's a line from the debug output:

Mar 15 15:50:36.547 [18426] dbg: rules: ran header rule AXB_X_AOL_SEZ_S ======> got hit: "S"

Thanks for any ideas.
Alex


michael.scheidell at secnap

Mar 15, 2012, 1:26 PM

Post #2 of 5 (460 views)
Re: Understanding AXB_X_AOL_SEZ_S

On 3/15/12 3:52 PM, Alex wrote:
> Hi,
>
> I've noticed that a number of hams have been tagged with
> AXB_X_AOL_SEZ_S, creating false positives. Is this looking for a
> simple pattern in the body that would cause so many fp's for me?
>
cluestick:
find where your updated rules live.
(locate MIRRORED.BY)

grep AXB_X_AOL_SEZ_S *


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
SECNAP Network Security Corporation



mysqlstudent at gmail

Mar 15, 2012, 1:32 PM

Post #3 of 5 (464 views)
Re: Understanding AXB_X_AOL_SEZ_S

Hi,

>> I've noticed that a number of hams have been tagged with
>> AXB_X_AOL_SEZ_S, creating false positives. Is this looking for a
>> simple pattern in the body that would cause so many fp's for me?
>>
> cluestick:
> find where your updated rules live.
> (locate MIRRORED.BY)
>
> grep AXB_X_AOL_SEZ_S *

Yes, I shouldn't have assumed that it was obvious I already did that.
However, it seems to be just too simplistic of a pattern to apply 3
pts:

72_active.cf:##{ AXB_X_AOL_SEZ_S
72_active.cf:header AXB_X_AOL_SEZ_S x-aol-global-disposition =~ /^S$/
72_active.cf:describe AXB_X_AOL_SEZ_S AOL said this is S
72_active.cf:##} AXB_X_AOL_SEZ_S
72_scores.cf:score AXB_X_AOL_SEZ_S 2.799 2.999 2.799 2.999

I've found nearly every AOL mail has that header, no?

That's basically a poison pill rule...

Thanks,
Alex


axb.lists at gmail

Mar 15, 2012, 2:01 PM

Post #4 of 5 (465 views)
Re: Understanding AXB_X_AOL_SEZ_S

On 03/15/2012 08:52 PM, Alex wrote:
> Hi,
>
> I've noticed that a number of hams have been tagged with
> AXB_X_AOL_SEZ_S, creating false positives. Is this looking for a
> simple pattern in the body that would cause so many fp's for me?
>
> Here's an example:
>
> http://pastebin.com/raw.php?i=5USWwdQT
>
> What is it in this that is hitting? Here's a line from the debug output:
>
> Mar 15 15:50:36.547 [18426] dbg: rules: ran header rule
> AXB_X_AOL_SEZ_S ======> got hit: "S"
>
> Thanks for any ideas.
> Alex

AOL tags its outbound messages with

x-aol-global-disposition: S

x-aol-global-disposition: G

assuming
S: spam
G: good

See
http://ruleqa.spamassassin.org/20120314-r1300482-n/AXB_X_AOL_SEZ_S/detail

AOL is telling you their user's mail is spam and the rule helps you tag it.

As always, if the score is too high for you, you can lower or disable the
rule completely.



A quick google for "x-aol-global-disposition: S" will help clarify.
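
Added example, not part of the original posts: a small Python check that applies the /^S$/ pattern from 72_active.cf to hand-labelled mail and reports how often it fires on ham versus spam. The sample messages and function names are constructed for illustration, and the per-value matching is an approximation of how SpamAssassin evaluates the header rule.

```python
import email
import re
from collections import Counter

# Header name and pattern as quoted from 72_active.cf in the thread.
HEADER = "x-aol-global-disposition"
RULE_RE = re.compile(r"^S$")

# Constructed sample messages (not real mail), hand-labelled ham or spam.
SAMPLES = [
    ("ham",  "From: a@example.com\nX-AOL-Global-Disposition: G\nSubject: lunch\n\nhi\n"),
    ("ham",  "From: b@example.com\nX-AOL-Global-Disposition: S\nSubject: photos\n\nhi\n"),
    ("spam", "From: c@example.com\nx-aol-global-disposition: S\nSubject: offer\n\nbuy\n"),
    ("ham",  "From: d@example.org\nSubject: no AOL header\n\nhi\n"),
    ("spam", "From: e@example.com\nX-AOL-Global-Disposition: SG\nSubject: deal\n\nbuy\n"),
]

def dispositions(raw):
    """Return every value of the header; the name lookup is case-insensitive."""
    msg = email.message_from_string(raw)
    return [v.strip() for v in (msg.get_all(HEADER) or [])]

def rule_hits(raw):
    """True when any header value is exactly "S", as /^S$/ requires."""
    return any(RULE_RE.search(v) for v in dispositions(raw))

def tally(samples):
    """Count rule hits and totals per label, plus the values seen."""
    hits, totals, values = Counter(), Counter(), Counter()
    for label, raw in samples:
        totals[label] += 1
        hits[label] += rule_hits(raw)
        values.update(dispositions(raw) or ["(absent)"])
    return hits, totals, values

def ham_hit_rate(samples):
    """Fraction of ham the rule fires on: the false-positive rate."""
    hits, totals, _ = tally(samples)
    return hits["ham"] / totals["ham"] if totals["ham"] else 0.0

if __name__ == "__main__":
    hits, totals, values = tally(SAMPLES)
    print("values seen:", dict(values))
    for label in sorted(totals):
        print(f"{label}: {hits[label]}/{totals[label]} hit")
    print(f"ham hit rate: {ham_hit_rate(SAMPLES):.2f}")
```

The rule fires on the value S, not on the presence of the header, so mail tagged G or carrying no such header never hits. If the ham hit rate on your own corpus is too high, a `score AXB_X_AOL_SEZ_S` line in local.cf lowers the score, and a score of 0 disables the rule.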


mysqlstudent at gmail

Mar 15, 2012, 4:06 PM

Post #5 of 5 (458 views)
Re: Understanding AXB_X_AOL_SEZ_S

Hi,

>> I've noticed that a number of hams have been tagged with
>> AXB_X_AOL_SEZ_S, creating false positives. Is this looking for a
>> simple pattern in the body that would cause so many fp's for me?
>>
>> Here's an example:
>>
>> http://pastebin.com/raw.php?i=5USWwdQT
>>
>> What is it in this that is hitting? Here's a line from the debug output:
>>
>> Mar 15 15:50:36.547 [18426] dbg: rules: ran header rule
>> AXB_X_AOL_SEZ_S ======>  got hit: "S"
>>
>> Thanks for any ideas.
>> Alex
>
>
> AOL tags its outbound messages with
>
> x-aol-global-disposition: S
>
> x-aol-global-disposition: G
>
> assuming
> S: spam
> G: good
>
> See
> http://ruleqa.spamassassin.org/20120314-r1300482-n/AXB_X_AOL_SEZ_S/detail
>
> AOL is telling you their user's mail is spam and the rule helps you tag it.
>
> As always, if the score is too high for you, you can lower or disable the
> rule completely.

Ah, thanks. I never even thought there could be a meaning defined by
AOL behind those headers that would be so helpful. Still learning.

Thanks,
Alex
