Hi Kenneth, the ruleset is designed for a system scoring over 5.0. Did the rule from the cell provider cause an fp?
Is your threshold higher than 5.0? There is a way to report problems listed in the file but feel free to contact me off list and I'll tell you how to send me a sample. Regards, KAM On Tue, Aug 10, 2021, 22:00 Kenneth Porter <[email protected]> wrote: > My cellular supplier has a weekly bag of goodies (coupons, schwag) and > last > week's included a free photo refrigerator magnet from CVS. So I signed up > a > CVS/Kodak account to put in my order. Like most such offers, they start > sending me marketing mail, and the first one hit KAM_SOMETLD_ARE_BAD_TLD, > with a 5.0 score. I'll be turning that score down (probably to 3.5) but I > think the rule itself is the issue. It's firing on a uri that has dot shop > as the last part of the path in a legitimate dotcom uri. Perhaps the rule > can check for the absence of a single slash before the offending TLD. > There's a helper rule that checks for false positives that could be > replaced with one that ignores TLDs after an isolated slash in a uri. > > Do the KAM rules have an issue tracker where this kind of report can be > made? > > The rule: > > header __KAM_SOMETLD_ARE_BAD_TLD_FROM From:addr =~ > /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|b > uri __KAM_SOMETLD_ARE_BAD_TLD_URI > > /\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|\/)/i > > #FPs > uri __KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE > /(^|\b)td\.date|div\.top($|\/)/i > > meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || > (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD > describe KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, > .press, .guru, .casa, .online, .cam, .shop, .bar, .club & .d > score KAM_SOMETLD_ARE_BAD_TLD 5.0 > >
