Re: Too many dots?

2023-11-16 Thread John Hardin
On Thu, 16 Nov 2023, Matus UHLAR - fantomas wrote: Alex wrote: I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address: From: VitalSource > On 16.11.23 10:29, Kris Deugau wrote: Just FYI: AC_FROM_MANY_DOTS stock

Re: Too many dots?

2023-11-16 Thread giovanni
On 11/16/23 17:26, Greg Troxel wrote: Alex writes: Also, the KAM rules are designed to be used in conjunction with the stock rules, so it also seemed somewhat punitive to award so many points and to be expected to offset them for a completely benign email. My experience is that many of the

Re: Too many dots?

2023-11-16 Thread Greg Troxel
Alex writes: > Also, the KAM rules are designed to be used in conjunction with the stock > rules, so it also seemed somewhat punitive to award so many points and to > be expected to offset them for a completely benign email. My experience is that many of the KAM rules are unreasonably

Re: Too many dots?

2023-11-16 Thread Alex
Hi, >>Does it sound reasonable to add 3 points plus another 1.5 simply for > >>having been sent by sendgrid? How do we offset those points? Do we > >>just rely on bayes/txrep? > >> > >>I think my bayes db is pretty well-trained, but there's also a lot > >>of account activation fraud emails. > >

Re: Too many dots?

2023-11-16 Thread Matus UHLAR - fantomas
Alex wrote: I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address: From: VitalSource > It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing it over to spam.  *  1.5 KAM_SENDGRID Sendgrid being

Re: Too many dots?

2023-11-16 Thread Kris Deugau
Alex wrote: Hi, I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address: From: VitalSource > It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing it over to spam.  *  1.5 KAM_SENDGRID Sendgrid

Too many dots?

2023-11-16 Thread Alex
Hi, I recently had an account activation email blocked due to AC_FROM_MANY_DOTS in the From address: From: VitalSource It also hit KAM_SENDGRID and BAYES_50 and KAM_MARKETINGBL_PCCC, pushing it over to spam. * 1.5 KAM_SENDGRID Sendgrid being exploited by scammers * 0.8 BAYES_50 BODY: Bayes

Re: Proposed rule for too many dots in From

2019-06-10 Thread Paul Stead
Looks like it was hitting a fair amount of ham the last week or so. https://ruleqa.spamassassin.org/20190607-r1860743-n/T_AC_FROM_MANY_DOTS/detail The last few days have looked a bit better: https://ruleqa.spamassassin.org/20190609-r1860879-n/T_AC_FROM_MANY_DOTS/detail

Re: Proposed rule for too many dots in From

2019-06-10 Thread Amir Caspi
On Jan 26, 2019, at 10:27 AM, John Hardin wrote: > > On Thu, 24 Jan 2019, Amir Caspi wrote: > >> On Jan 15, 2019, at 8:46 AM, John Hardin wrote: >>> On Dec 20, 2018, at 6:16 PM, Amir Caspi wrote: > > header AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ >>> >>>

Re: Proposed rule for too many dots in From

2019-01-26 Thread John Hardin
On Thu, 24 Jan 2019, Amir Caspi wrote: On Jan 15, 2019, at 8:46 AM, John Hardin wrote: On Dec 20, 2018, at 6:16 PM, Amir Caspi wrote: header AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ Argh. I lost track of that over the holidays. Thanks for the reminder, adding it now.

Re: Proposed rule for too many dots in From

2019-01-24 Thread Amir Caspi
On Jan 15, 2019, at 8:46 AM, John Hardin wrote: > >> On Dec 20, 2018, at 6:16 PM, Amir Caspi wrote: >>> >>> header AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ > > Argh. I lost track of that over the holidays. Thanks for the reminder, adding > it now. Anything interesting

Re: Proposed rule for too many dots in From

2019-01-15 Thread John Hardin
On Mon, 14 Jan 2019, Amir Caspi wrote: On Dec 20, 2018, at 6:16 PM, Amir Caspi wrote: header AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ John, could you update the sandbox rule to the above? That should whittle down FPs. I'd recommend leaving it as 2 letters, though, since a

Re: Proposed rule for too many dots in From

2019-01-14 Thread Amir Caspi
On Dec 20, 2018, at 6:16 PM, Amir Caspi wrote: > > header AC_FROM_MANY_DOTS From =~ /<(?:\w{2,}\.){2,}\w+@/ > > John, could you update the sandbox rule to the above? That should whittle > down FPs. I'd recommend leaving it as 2 letters, though, since a number of > spammy

Re: Proposed rule for too many dots in From

2018-12-21 Thread RW
On Thu, 20 Dec 2018 21:12:33 -0700 Grant Taylor wrote: > On 12/20/18 8:34 PM, Grant Taylor wrote: > > I'm going back through and analyzing how I'm extracting data and > > trying to satisfactorily explain some oddities. > > Out of 244,921 messages there are 16,528 unique addresses, this is >

Re: Proposed rule for too many dots in From

2018-12-20 Thread Grant Taylor
On 12/20/18 8:34 PM, Grant Taylor wrote: I'm going back through and analyzing how I'm extracting data and trying to satisfactorily explain some oddities. Out of 244,921 messages there are 16,528 unique addresses, this is how the messages break down for Here's how the dots in the user parts

Re: Proposed rule for too many dots in From

2018-12-20 Thread Grant Taylor
On 12/20/18 8:36 PM, Benny Pedersen wrote: and xxx is a real tld, Yes. so you ddos maillist members now How so? -- Grant. . . . unix || die

Re: Proposed rule for too many dots in From

2018-12-20 Thread Benny Pedersen
Grant Taylor wrote on 2018-12-21 03:49: Note: These are what I considered legitimate enough to keep in my mail structure. I don't keep spam for very long. This corpus goes back to 2001. and xxx is a real tld, so you ddos maillist members now

Re: Proposed rule for too many dots in From

2018-12-20 Thread Grant Taylor
On 12/20/18 7:54 PM, Amir Caspi wrote: Some of the ones with equal-signs look like bounce addresses from envelopes, that would not be in the From header. I'm going back through and analyzing how I'm extracting data and trying to satisfactorily explain some oddities. I don't think there will

Re: Proposed rule for too many dots in From

2018-12-20 Thread Grant Taylor
On 12/20/18 7:54 PM, Amir Caspi wrote: Are these in the From: header or the envelope-from (Return-Path)? These are all the From: header. Some of the ones with equal-signs look like bounce addresses from envelopes, that would not be in the From header. Or did you just look for any email

Re: Proposed rule for too many dots in From

2018-12-20 Thread Amir Caspi
On Dec 20, 2018, at 7:49 PM, Grant Taylor wrote: > > So here's the user parts (left hand side of the @) of emails. Are these in the From: header or the envelope-from (Return-Path)? Some of the ones with equal-signs look like bounce addresses from envelopes, that would not be in the From

Re: Proposed rule for too many dots in From

2018-12-20 Thread Grant Taylor
On 12/20/18 7:36 PM, Grant Taylor wrote: I don't know.  I'm re-running the command to scan my mailbox extracting From: addresses.  (I'm logging to a file this time.)  I'll do some analysis and let you know. I don't know what sort of characterization you may want. So here's the user parts

Re: Proposed rule for too many dots in From

2018-12-20 Thread Grant Taylor
On 12/20/18 6:16 PM, Amir Caspi wrote: I never intended for the rule to be applied on its own, but far more likely that it would become part of a meta rule with other spammy indicators. Ah. That makes more sense. That being said, it is your server and you're free to run it however you

Re: Proposed rule for too many dots in From

2018-12-20 Thread Amir Caspi
On Dec 20, 2018, at 5:13 PM, Noel Butler wrote: > I have to agree with Grant, two dots is crazy low, you might as well score at > one dot. A lot of emails are firstname.initial.surname even many government > departments in this part of the world use two dot format. > I never intended for the

Re: Proposed rule for too many dots in From

2018-12-20 Thread Noel Butler
On 21/12/2018 09:52, Grant Taylor wrote: > On 12/20/2018 03:11 PM, Amir Caspi wrote: > >> Two or more dots in the From username seems to be rather spammy (and we've >> talked about it before on the list). > > I feel obligated to comment that my wife's email address (Gmail) has two dots > in

Re: Proposed rule for too many dots in From

2018-12-20 Thread Grant Taylor
On 12/20/2018 03:11 PM, Amir Caspi wrote: Two or more dots in the From username seems to be rather spammy (and we've talked about it before on the list). I feel obligated to comment that my wife's email address (Gmail) has two dots in it. (Gmail is its own can of worms for dots as they

Re: Proposed rule for too many dots in From

2018-12-20 Thread John Hardin
On Thu, 20 Dec 2018, Amir Caspi wrote: John, would you mind sandboxing a rule? Two or more dots in the From username seems to be rather spammy (and we've talked about it before on the list). Would you mind sandboxing this test rule to see if it would be helpful as a main rule? I

Proposed rule for too many dots in From

2018-12-20 Thread Amir Caspi
John, would you mind sandboxing a rule? Two or more dots in the From username seems to be rather spammy (and we've talked about it before on the list). Would you mind sandboxing this test rule to see if it would be helpful as a main rule? I get a lot of spam locally that hits this...