Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread John Hardin
On Thu, 5 Apr 2018, Kris Deugau wrote: Alex wrote: We're also seeing it hit mailer-daemon emails. https://pastebin.com/raw/UXnzEN8U This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect) and when I re-ran it here locally, FUZZY_DR_OZ. The problem is that it's hitting on the m

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread Giles Coochey
It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT" It's an aggressive rule that finds anything that might be an obfuscated Xanax. It only scores 0.8 points because it can produce FPs like this. Actually that is my private, custom score. I think the default is 2.8 or something like

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread Kris Deugau
Alex wrote: We're also seeing it hit mailer-daemon emails. https://pastebin.com/raw/UXnzEN8U This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect) and when I re-ran it here locally, FUZZY_DR_OZ. The problem is that it's hitting on the mime attachments which are apparently trea

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread Alex
Hi, On Mon, Apr 2, 2018 at 8:10 AM, Kevin A. McGrail wrote: > Pastebin a sample(s). We're also seeing it hit mailer-daemon emails. https://pastebin.com/raw/UXnzEN8U This one also hit FUZZY_AMBIEN, POISEN_SPAM_PILL (spelling incorrect) and when I re-ran it here locally, FUZZY_DR_OZ. The proble

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-05 Thread David Jones
On 04/02/2018 09:50 AM, Sebastian Arcus wrote: On 02/04/18 14:58, RW wrote: On Mon, 2 Apr 2018 08:26:27 -0500 David Jones wrote: On 04/02/2018 07:18 AM, Sebastian Arcus wrote: Thank you - one example here: https://pastebin.com/UGStfCys It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
On 02/04/18 14:58, RW wrote: On Mon, 2 Apr 2018 08:26:27 -0500 David Jones wrote: On 04/02/2018 07:18 AM, Sebastian Arcus wrote: Thank you - one example here: https://pastebin.com/UGStfCys It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT" It's an aggressive rule that finds anyth

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
On 02/04/18 14:26, David Jones wrote: On 04/02/2018 07:18 AM, Sebastian Arcus wrote: Thank you - one example here: https://pastebin.com/UGStfCys On 02/04/18 13:10, Kevin A. McGrail wrote: Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus wrote:

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
On 02/04/18 13:35, Pedro David Marco wrote: Sebastian, can you run spamassassin -D -t &1 | grep got | grep FUZZY_XPILL and post the result, please? Hi Pedro. Please find the output below: Apr 2 15:45:59.961 [6928] dbg: rules: ran body rule FUZZY_XPILL ==> got hit: "xon, OX"

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread RW
On Mon, 2 Apr 2018 08:26:27 -0500 David Jones wrote: > On 04/02/2018 07:18 AM, Sebastian Arcus wrote: > > Thank you - one example here: https://pastebin.com/UGStfCys It found "xon, OX" in "Aylesbury Road, Thame, Oxon, OX9 3AT" It's an aggressive rule that finds anything that might be an obfuscat

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread David Jones
On 04/02/2018 07:18 AM, Sebastian Arcus wrote: Thank you - one example here: https://pastebin.com/UGStfCys On 02/04/18 13:10, Kevin A. McGrail wrote: Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus wrote: I have a client which handles a lo

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Pedro David Marco
Sebastian, can you run spamassassin -D -t &1 | grep got | grep FUZZY_XPILL and post the result, please? PedroD

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
Thank you - one example here: https://pastebin.com/UGStfCys On 02/04/18 13:10, Kevin A. McGrail wrote: Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus wrote: I have a client which handles a lot of hotel bookings as part of their work -

Re: FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Kevin A. McGrail
Pastebin a sample(s). On Mon, Apr 2, 2018, 08:06 Sebastian Arcus wrote: > I have a client which handles a lot of hotel bookings as part of their > work - and all hotel booking confirmations coming from Travelodge (a UK > hotel chain) hit FUZZY_XPILL. > > I've tried looking at the regex of the ru

FUZZY_XPILL FP hitting all Travelodge emails

2018-04-02 Thread Sebastian Arcus
I have a client which handles a lot of hotel bookings as part of their work - and all hotel booking confirmations coming from Travelodge (a UK hotel chain) hit FUZZY_XPILL. I've tried looking at the regex of the rule, but can't quite get my head around what it is supposed to do, and can't figu