On 12/15/2015 12:00 PM, John Hardin wrote:
On Tue, 15 Dec 2015, Kevin A. McGrail wrote:
I don't know enough about real-world usage to comment intelligently.
But I will say that a negative score just because something is
encrypted will likely have a pretty negative impact. It assumes no
ham ever hits that rule.

That's exactly backwards. I'm assuming a spammer will never encrypt
their email because that makes it less likely their content will be
seen by the target, so *only* (or at least overwhelmingly) ham will
hit that rule.

I don't think it should have a score less than -1, though. This is
intended as an offset, not a whitelist.

However, signed UNencrypted email might also use that MIME type, and
the MUA might fail-useable and display the body of an
improperly-formatted (e.g. no signature block at all) message of that
MIME type, or one that has a signature block but fails verification,
so that assumption might very well be flawed - there might be no
downside to the spammer to sending out fake-signed mails.

Perhaps a meta?

So far there's only been a complaint about FPs on encrypted emails
from Facebook. I've already added __CT_ENCRYPTED as a FP exclusion to
some rules (e.g. the one that scores for no textual MIME parts at all)
based on that. I was hoping we could avoid (or at least reduce the
instances of) a large class of FPs by doing a broad ENCRYPTED_MESSAGE
nice rule rather than playing reactive whack-a-mole if we get more
reports of specific FPs on encrypted content.

Agreed. I will defer to you as the person in the weeds because clearly
I had a 180 degree view of the purpose.
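
The meta idea raised in the quoted message, sketched as an added example (not code from either poster or from SpamAssassin): combine the header-only Content-Type claim with a check that the body really has the RFC 3156 PGP/MIME layout, so the offset applies only when both agree. It assumes the header test keys on `multipart/encrypted`, which the thread does not show; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string

def claims_encrypted(msg):
    """Header-only test: the Content-Type merely says multipart/encrypted."""
    return msg.get_content_type() == "multipart/encrypted"

def has_pgp_mime_structure(msg):
    """Body test: the two-part RFC 3156 layout is actually present."""
    proto = msg.get_param("protocol")
    if not isinstance(proto, str) or proto.lower() != "application/pgp-encrypted":
        return False
    if not msg.is_multipart() or len(msg.get_payload()) != 2:
        return False
    control, data = msg.get_payload()
    if control.get_content_type() != "application/pgp-encrypted":
        return False
    if data.get_content_type() != "application/octet-stream":
        return False
    if "version: 1" not in control.get_payload().lower():
        return False
    # Only the armor header is checked; the ciphertext itself is not validated.
    body = data.get_payload(decode=True) or b""
    return body.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----")

def verdict(raw):
    """Return (header_claim, structure_ok) for a raw message string."""
    msg = message_from_string(raw)
    return claims_encrypted(msg), has_pgp_mime_structure(msg)

def nice_rule_fires(raw):
    """Meta-style combination: apply the offset only when both tests agree."""
    return all(verdict(raw))

# Constructed sample messages (placeholder bodies, no real ciphertext).
HDR = 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
GOOD = HDR + (
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n--b1--\n"
)
# Same header claim, but the body is a single readable text part.
CLAIM_ONLY = HDR + "--b1\nContent-Type: text/plain\n\nreadable body text\n--b1--\n"
PLAIN = "Content-Type: text/plain\n\nordinary unencrypted message\n"

if __name__ == "__main__":
    for name, raw in [("GOOD", GOOD), ("CLAIM_ONLY", CLAIM_ONLY), ("PLAIN", PLAIN)]:
        print(name, verdict(raw), nice_rule_fires(raw))
```

The structure test confirms layout only; it says nothing about whether the ciphertext decrypts or who sent it.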