Re: FREEMAIL_REPLY
On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Mine eyes have seen the horror of the voting of the horde; They've looted the fromagerie where guv'ment cheese is stored; If war's not won before the break they grow so quickly bored; Their vote counts as much as yours. -- Tam --- 164 days since President Obama won the Nobel Not George W. Bush prize
Re: FREEMAIL_REPLY
On 2010/03/22 12:26 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message? I understand the benefit of looking in attachments, but wonder if it would make a difference in masscheck results to separate the two cases. The message also hit on FREEMAIL_ENVFROM_END_DIGIT, BAYES_50, and MPART_ALT_DIFF pushing the score to 5.1. I posted a question about scoring of FREEMAIL_ENVFROM_END_DIGIT directly to the dev list as I didn't feel it made much sense here. -- /Jason smime.p7s Description: S/MIME Cryptographic Signature
Re: FREEMAIL_REPLY
On Mon, 22 Mar 2010, Jason Bertoch wrote: On 2010/03/22 12:26 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message? I understand the benefit of looking in attachments, but wonder if it would make a difference in masscheck results to separate the two cases. Ah. Possibly. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Men by their constitutions are naturally divided in to two parties: 1. Those who fear and distrust the people and wish to draw all powers from them into the hands of the higher classes. 2. Those who identify themselves with the people, have confidence in them, cherish and consider them as the most honest and safe, although not the most wise, depository of the public interests. -- Thomas Jefferson --- 164 days since President Obama won the Nobel Not George W. Bush prize
Re: FREEMAIL_REPLY
On 2010/03/22 1:03 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: On 2010/03/22 12:26 PM, John Hardin wrote: On Mon, 22 Mar 2010, Jason Bertoch wrote: Should FREEMAIL_REPLY really be looking in attachments Sure. Just looking at the presence of freemail domains, there's nothing to distinguish the mail you got an FP report on from 419 spams that put the pitch and reply address in an attachment. What else hit on that message? I understand the benefit of looking in attachments, but wonder if it would make a difference in masscheck results to separate the two cases. Ah. Possibly. Another possibly interesting item of note, there are two scores for FREEMAIL_REPLY: 20_freemail.cf:scoreFREEMAIL_REPLY 0.5 50_scores.cf:score FREEMAIL_REPLY 2.499 2.499 1.788 1.929 -- /Jason smime.p7s Description: S/MIME Cryptographic Signature
