On Fri, 13 Apr 2018, John Hardin wrote:

On Fri, 13 Apr 2018, Giovanni Bechis wrote:

On 04/13/18 09:06, Sebastian Arcus wrote:
Hello all. I am getting some FPs with emails from QuickBooks / Intuit with the above rule:

Apr 13 08:00:30.853 [5768] dbg: rules: ran uri rule URI_TRY_3LD ======> got hit: "https://myturbotax.intuit.com"

On a slightly different note, and mainly for my curiosity to understand SA rules syntax, in 72_active.cf, the score seems to be commented out:

#score       URI_TRY_3LD       2.000   # limit

But when it hits, it still adds 2.0 to the score (and I haven't customized the score anywhere else). Is this a special form of SA syntax?

The score is present in rulesrc/sandbox/jhardin/20_misc_testing.cf with tflags publish.

When a "score" line is present in a sandbox, that means the masscheck score assignment process will limit the score it calculates to that.

If it's commented out or not present, then the masscheck process can assign however high a score it likes based on the rule's performance against the masscheck corpora.

I'll take a look at that rule; I don't remember offhand what I intended it for.

It's fairly broad, intended to hit things like "tryviagra.mumble.com". It's hitting on the "my" prefix on the hostname. I'll add an exclusion.

