I was surprised to see KAM_SOMETLD_ARE_BAD_TLD hit as a false positive. The file was a DNS domain transfer file that someone emailed as part of a security bug report.
To trigger the false positive, include the following. In the real-world case this was in a DNS zone file that was sent as an attachment, but I find that simply having it in the mail message body is sufficient:

foo IN A 127.0.0.1

I must obscure it here or it will trigger on the KAM rules. Change the above foo to be the www DOT press in the obvious way that I am trying to obscure it but still communicate it. Then it will hit on this rule:

5.0 KAM_SOMETLD_ARE_BAD_TLD ...

I downgraded the score to 0.01 so I could track it, but it is obviously too aggressive a test at a full 5 points if it is hitting on data in attachments.

Enjoy! :-)

Bob
