Re: FSL_BULK_SIG in 72_active.cf

2021-10-05 Thread John Hardin 

On Tue, 5 Oct 2021, Matus UHLAR - fantomas wrote:

It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  Must've 
picked the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the 
rule.



On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
unsubscribe header.



On 25.09.21 13:19, John Hardin wrote:

Perhaps it needs a short-message exclusion?



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
short messages with attachments. if you have an idea how, I'll be glad to 
try.


On 25.09.21 15:04, John Hardin wrote:
I've done some masscheck review and tuning of it, added avoidance of hits 
on very short messages.


I'm afraid it did not help.
It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
FSL_BULK_SIG pushes such mail easily over default spam score.

I just analyze a few samples, a few also hit GMD_PDF_EMPTY_BODY with sa -D, 
many of them hit __HTML_LENGTH_1024_1536

(damn microsoft! 1k of "empty" message).

OK, I will work around locally.


I noticed the PDF attachment hit in masschecks, but presumed (since the 
attachments were images) that it wasn't germane to the OP's problem. I 
should have added an exclusion for that as well. I will later today, 
work is booting up... :)


I'd be interested in the rule hits if you're willing to share.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.org pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Are you a mildly tech-literate politico horrified by the level of
  ignorance demonstrated by lawmakers gearing up to regulate online
  technology they don't even begin to grasp? Cool. Now you have a
  tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
---
 493 days since the first private commercial manned orbital mission (SpaceX)

Re: FSL_BULK_SIG in 72_active.cf

2021-10-05 Thread Matus UHLAR - fantomas 
It hits Pyzor for some reason.  Get a PYZOR_CHECK=1.985.  
Must've picked the wrong checksum, chief!


It does not appear that the actual rule matches the spirit of the rule.



On 23.09.21 22:07, Kevin A. McGrail wrote:

Jared, looks to me like an FP in Pyzor.



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:

RAZOR, PYZOR and DCC often hit on e-mail with short or no text and
attachments. (Haven't done stats tho, I can look during workweek.)

Thus, FSL_BULK_SIG tends to hit on such e-mail because they don't have
unsubscribe header.



On 25.09.21 13:19, John Hardin wrote:

Perhaps it needs a short-message exclusion?



On Sat, 25 Sep 2021, Matus UHLAR - fantomas wrote:
short messages with attachments. if you have an idea how, I'll be 
glad to try.


On 25.09.21 15:04, John Hardin wrote:
I've done some masscheck review and tuning of it, added avoidance of 
hits on very short messages.


I'm afraid it did not help.
It seems that PYZOR_CHECK and DCC_CHECK hit on such mail often and
FSL_BULK_SIG pushes such mail easily over default spam score.

I just analyze a few samples, a few also hit GMD_PDF_EMPTY_BODY 
with sa -D, many of them hit __HTML_LENGTH_1024_1536

(damn microsoft! 1k of "empty" message).

OK, I will work around locally.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)