On Nov 23, 2004, at 1:05 PM, [EMAIL PROTECTED] wrote:
Greg Earle wrote:
2 identical Phishing scams came in yesterday:
...
My 2.63 production machine scored them at 11.5:
...
I'm sure the "ALL_TRUSTED" isn't helping any, but that doesn't
completely explain the 6.2 drop in score.  Did all the tests
that are common to the two scores/versions get lowered scores
or something?!?

In a word: Bayes. Both messages triggered BAYES_99 on your 2.63 system, and neither triggered any Bayes rules on your 3.01 system. Mainly you need to train the Bayes database on your testbed machine.

<*Smacks forehead*> Oh, duh. I didn't even notice that. Riding the short bus today, clearly ... thanks for pointing that out. (The Testbed machine with 3.0.1 hasn't had any Bayes training yet, obviously :-) )

AWL also showed up in your 2.63 results.

Yeah. No clue as to why that showed up in one result and not the other. Not only do I not have that domain/sender in AWL, the two Phish e-mails are identical! <*Scratches head*>

As for tackling phishing, I recommend installing the SARE_SPOOF ruleset. It does a good job of catching a lot of these.

Grabbed it. (OK, I'll bite - why isn't this and the other sare_* rulesets in the default 3.0.1 rules?)

On Nov 23, 2004, at 2:20 PM, [EMAIL PROTECTED] wrote:

I'm sure the "ALL_TRUSTED" isn't helping any, but that doesn't
completely explain the 6.2 drop in score.

The ALL_TRUSTED is likely a misconfiguration, or, more specifically, a lack of required configuration. That's a pretty heavy impact on the score that you can fix easily. At -3.3 it's half of your "problem".

If you have a NATed mailserver, you MUST set trusted_networks manually. SA cannot reasonably decipher where network borders are in all cases, and assumes that the first non-reserved IP is your border MX. However, if your mailserver is NATed, this causes SA to trust an outside host. Not good.

Neither mailserver is NAT'ed. What could I have misconfigured?

Bayes also seems to be missing from your 3.0 results. That's another heavy hit. The originals hit BAYES_99, this missed entirely. That's 1.88 points of hit using 3.x scores.

Yup. I am retarded. Sorry for the noise ...

        - Greg
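The trusted_networks point made in the thread, as an added example (not from any of the posters): a local.cf fragment for a SpamAssassin 3.0.x site that names its own hosts explicitly so SA never has to guess the border. The addresses are assumptions, 203.0.113.10 standing in for the public MX and 192.168.1.0/24 for a private LAN behind NAT.

```conf
# /etc/mail/spamassassin/local.cf  (SpamAssassin 3.0.x) -- added example,
# not taken from the thread.  Addresses are assumptions: 203.0.113.10 is a
# stand-in for the public MX, 192.168.1.0/24 for the private LAN behind NAT.

# Hosts whose Received: headers are trusted not to be forged.  Left unset
# behind NAT, SA sees the private address first, guesses where the border
# is, and can end up trusting an outside relay; then every hop looks
# internal and ALL_TRUSTED (-3.3 in 3.0.x) fires on external mail.
trusted_networks 203.0.113.10 192.168.1.0/24

# Hosts that are actually inside the network (a subset of trusted_networks),
# so the MX itself is not mistaken for an external relay.
internal_networks 203.0.113.10 192.168.1.0/24
```

After editing, `spamassassin --lint` checks the syntax and `spamassassin -t < message` on a saved external phish shows whether ALL_TRUSTED still appears in the hit list. The other half of the score gap in the thread, Bayes, is separate from this config: the BAYES_* rules stay silent until sa-learn has been fed at least 200 ham and 200 spam messages (`sa-learn --ham` / `sa-learn --spam` on sorted mailboxes; `sa-learn --dump magic` reports the counts so far).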