On Wed, 28 Apr 2010, Kris Deugau wrote:

Michael Scheidell wrote:
 On 4/28/10 3:13 PM, Kris Deugau wrote:
>   0.0 TO_EQ_FM_HTML_ONLY     To == From and HTML only
>   0.0 TO_EQ_FM_DIRECT_MX     To == From and direct-to-MX
>   1.7 TO_EQ_FM_HTML_DIRECT   To == From and HTML only, direct-to-MX
 so. it's also obviously bulk email.

I don't know how these rules positively identify a message as "bulk". Taking them at face value, they certainly represent "not following best-practices".

<checking> Hmm. I'm not even sure how they fired; the From and To are bare email addresses, and most certainly do NOT match.

There was a bug in handling bare addresses in the first version of those rules, which has since been fixed. Unfortunately sa-update hasn't published the update yet - so I'm off to the dev list. Sorry!

I'd set their scores to zero until sa-update published the new ones. When that occurs I'll announce here.

Those rules also seem to be relatively recent (within ~1 month), since my workstation/test system didn't have them until I ran sa-update.

They were auto-promoted from my sandbox.

Our live systems get updated much more frequently (SOUGHT rules daily, others usually as I roll out updates for local rules).

I don't see anything obviously wrong with the root From == To meta subrules:

header __TO_EQ_FROM_1 ALL =~ /\nFrom:[^\n<]{0,80}<?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:[^\n]+\1/ism
header __TO_EQ_FROM_2 ALL =~ /\nTo:[^\n<]{0,80}<?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*From:[^\n]+\1/ism

They assume a human-readable comment and angle brackets are present on whichever header appears first, which was erroneous.

but they (_1 in this case) still match on:

From: mortga...@ingdirect.ca
To: u...@vianet.ca

....   sometimes.  Eeep.

Right.

I really hope I can get permission from the customer to at least pass the original on to one of the SA devs;

As far as TO_EQ_FM is concerned, that's not necessary. The bug is fixed, it's just the auto-update mechanism is wedged for some reason.

copy-pasting the headers into an empty file, and slowly removing one at a time caused some very *odd* changes in behaviour. For instance, removing the original Subject: line (or altering it in certain ways) apparently controlled whether the relevant subrule above matched or not, no matter *what* was in the To or From (mostly).

Well, there _is_ a size limit on what will be accepted between those two headers, so other headers _can_ affect whether it will hit.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The Constitution is a written instrument. As such its meaning does
  not alter. That which it meant when adopted, it means now.
                    -- U.S. Supreme Court
                       SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905)
-----------------------------------------------------------------------
 9 days until the 65th anniversary of VE day
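
Added example (not part of the original message, and not SpamAssassin code): the __TO_EQ_FROM_1 pattern quoted above, ported to Python's re, run over constructed header blocks. It shows the two behaviours discussed in the thread: with bare addresses the capture group can shrink to a trailing fragment that also occurs in the To: line, and a header line longer than 100 characters between From: and To: stops the match. The addresses, the block() helper and the really_equal() contrast check are assumptions made for illustration; really_equal() is not the fix that was committed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# __TO_EQ_FROM_1 as quoted in the post, ported to Python's re (same /ism flags).
TO_EQ_FROM_1 = re.compile(
    r"\nFrom:[^\n<]{0,80}<?([^\n\s>]+)>?\n(?:[^\n]{1,100}\n)*To:[^\n]+\1",
    re.I | re.S | re.M,
)

def captured(headers):
    """Return what group 1 captured if the subrule matches, else None."""
    m = TO_EQ_FROM_1.search(headers)
    return m.group(1) if m else None

def really_equal(headers):
    """Contrast check (hypothetical, not SpamAssassin's fix): compare parsed addresses."""
    msg = message_from_string(headers.lstrip("\n"))
    frm = parseaddr(msg.get("From", ""))[1].lower()
    to = parseaddr(msg.get("To", ""))[1].lower()
    return bool(frm) and frm == to

def block(frm, to, subject="hello"):
    # Constructed header block; the leading "\n" stands in for earlier headers.
    return f"\nFrom: {frm}\nSubject: {subject}\nTo: {to}\n"

# Constructed samples: different sender and recipient in every case.
BARE = block("offers@lender.example", "customer@isp.example")
BRACKETED = block("Lender <offers@lender.example>", "Customer <customer@isp.example>")
LONG_SUBJECT = block("offers@lender.example", "customer@isp.example", "x" * 120)

if __name__ == "__main__":
    for name, h in [("bare", BARE), ("bracketed", BRACKETED), ("long subject", LONG_SUBJECT)]:
        # bare: [^\n<]{0,80} eats most of the address, leaving a one-letter capture
        # bracketed: "<" pins the start of the capture, so the whole address is compared
        # long subject: the 129-char line exceeds {1,100}, so To: is never reached
        print(f"{name:13} regex captured={captured(h)!r} parsed equal={really_equal(h)}")
```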
