Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-21 Thread Bill Cole 

On 20 Nov 2017, at 0:59 (-0500), Pedro David Marco wrote:


Well, F. W. Nietzsche never had kids

But almost never so many people have had the same father...  :-p
Now serious: Maybe you can add some more rules to deduce it may be a 
german email and score the RANDOM accordingly...


Not really useful, because this is a check of the From header. There are 
a large number of people with German surnames who don't use the German 
language or live in places where German is the primary language.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread Jens Schleusener 

On Mon, 20 Nov 2017, John Hardin wrote:


On Mon, 20 Nov 2017, Markus Clardy wrote:


Why not just have it be a meta test that doesn't trigger if it contains
"sch"? I realize that cuts out things like tjmkln...@fakeemail.com, but it
would catch tsjmhw...@fakeemail.com, so maybe a bit better in both catch
rate and false positives?


Better: /sch[a-z]/ so that it would catch tjmkln...@fakeemail.com


Ok, if the "s" was only omitted to avoid FPs for addresses containg the 
string "sch" (German typical) that seems the better solution compared to 
my suggestion.


Jens

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread John Hardin 

On Mon, 20 Nov 2017, Markus Clardy wrote:


Why not just have it be a meta test that doesn't trigger if it contains
"sch"? I realize that cuts out things like tjmkln...@fakeemail.com, but it
would catch tsjmhw...@fakeemail.com, so maybe a bit better in both catch
rate and false positives?


Better: /sch[a-z]/ so that it would catch tjmkln...@fakeemail.com


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  I would buy a Mac today if I was not working at Microsoft.
  -- James Allchin, Microsoft VP of Platforms
---
 235 days since the first commercial re-flight of an orbital booster (SpaceX)

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread Markus Clardy 
Why not just have it be a meta test that doesn't trigger if it contains
"sch"? I realize that cuts out things like tjmkln...@fakeemail.com, but it
would catch tsjmhw...@fakeemail.com, so maybe a bit better in both catch
rate and false positives?

On Mon, Nov 20, 2017 at 8:03 AM, Jens Schleusener <
jens.schleuse...@t-online.de> wrote:

> On Sun, 19 Nov 2017, Bill Cole wrote:
>
> On 19 Nov 2017, at 17:11 (-0500), Mark London wrote:
>>
>> Also, 5 consonants in a row, is unlikely.
>>>
>>
>> Well, F. W. Nietzsche never had kids, but I don't think the surname is
>> extinct. I'm aware of multiple people with the surname Pietschmann. There
>> is also a common practice of using a first initial and surname as a
>> username and many Germanic surnames starting with sch[mlr], so I expect
>> that 5 consonants in an email address local-part where 'sch' are the middle
>> 3 characters are quite common.
>>
>
> Although not used currently I had formerly such an assigned accountname
> (jschleus). Since I think the avoiding of FPs should take priority over
> that of FNs I "vote" for the omitting "s".
>
> Maybe it would be a "compromise" to add another regex with at least the
> "s" included but 6 required consonants like
>
>  [bcdfgjklmnpqrstvwxz]{6}
>
> Jens
>



-- 
 - Markus

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-20 Thread Jens Schleusener 

On Sun, 19 Nov 2017, Bill Cole wrote:


On 19 Nov 2017, at 17:11 (-0500), Mark London wrote:


Also, 5 consonants in a row, is unlikely.


Well, F. W. Nietzsche never had kids, but I don't think the surname is 
extinct. I'm aware of multiple people with the surname Pietschmann. There is 
also a common practice of using a first initial and surname as a username and 
many Germanic surnames starting with sch[mlr], so I expect that 5 consonants 
in an email address local-part where 'sch' are the middle 3 characters are 
quite common.


Although not used currently I had formerly such an assigned accountname 
(jschleus). Since I think the avoiding of FPs should take priority over 
that of FNs I "vote" for the omitting "s".


Maybe it would be a "compromise" to add another regex with at least the 
"s" included but 6 required consonants like


 [bcdfgjklmnpqrstvwxz]{6}

Jens

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-19 Thread Pedro David Marco 

>Well, F. W. Nietzsche never had kids
But almost never so many people have had the same father...  :-p
Now serious: Maybe you can add some more rules to deduce it may be a german 
email and score the RANDOM accordingly...

---PedroD.

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-19 Thread Bill Cole 

On 19 Nov 2017, at 17:11 (-0500), Mark London wrote:


Also, 5 consonants in a row, is unlikely.


Well, F. W. Nietzsche never had kids, but I don't think the surname is 
extinct. I'm aware of multiple people with the surname Pietschmann. 
There is also a common practice of using a first initial and surname as 
a username and many Germanic surnames starting with sch[mlr], so I 
expect that 5 consonants in an email address local-part where 'sch' are 
the middle 3 characters are quite common.




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-19 Thread Mark London 
Sent from my iPhone

> On Nov 18, 2017, at 5:29 PM, RW  wrote:
> 
> On Sat, 18 Nov 2017 15:46:16 -0500
> Mark London wrote:
> 
>> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email 
>> address like this:
>> 
>> mqsjkeqgy...@sina.com
>> 
>> But it doesn't.   Yet it does trigger on this:
>> 
>> dxn...@sina.com
>> 
>> Curious.
> 
> h and s are missing in this list of consonants 
> 
>   [bcdfgjklmnpqrtvwxz]{5}
> 
> so mqsjk isn't seen as 5  consonants in a row. 

It seems to me that s should be included, if it’s not followed by a consonant 
that normally might follow.  I.e., c or h or t.  Also, 5 consonants in a row, 
is unlikely.

If nothing else, maybe there should be a HK_POSSIBLE_RANDOM_FROM that’s is more 
liberal.  I’m combining that rule with other rules, such as DNSBLs, to detect 
likely spam.

- Mark

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-18 Thread RW 
On Sat, 18 Nov 2017 22:29:58 +
RW wrote:

> On Sat, 18 Nov 2017 15:46:16 -0500
> Mark London wrote:
> 
> > FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email 
> > address like this:
> > 
> > mqsjkeqgy...@sina.com

> h and s are missing in this list of consonants 
> 
>[bcdfgjklmnpqrtvwxz]{5}
> 
> so mqsjk isn't seen as 5  consonants in a row. 
> 
> (y is being treated as a vowel)

https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7504

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-18 Thread Ian Zimmerman 
On 2017-11-18 15:46, Mark London wrote:

> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email
> address like this:
> 
> mqsjkeqgy...@sina.com
> 
> But it doesn't.   Yet it does trigger on this:
> 
> dxn...@sina.com

The first one contains vowels in the local part.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet, fetch the TXT record for the domain.

Re: Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-18 Thread RW 
On Sat, 18 Nov 2017 15:46:16 -0500
Mark London wrote:

> FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email 
> address like this:
> 
> mqsjkeqgy...@sina.com
> 
> But it doesn't.   Yet it does trigger on this:
> 
> dxn...@sina.com
> 
> Curious.

h and s are missing in this list of consonants 

   [bcdfgjklmnpqrtvwxz]{5}

so mqsjk isn't seen as 5  consonants in a row. 

(y is being treated as a vowel)

Why doesn't HK_RANDOM_FROM trigger on this email address?

2017-11-18 Thread Mark London 
FWIW: It seems to me that HK_RANDOM_FROM should trigger on an email 
address like this:


mqsjkeqgy...@sina.com

But it doesn't.   Yet it does trigger on this:

dxn...@sina.com

Curious.

- Mark