EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 23 Feb 2007, 12:00 AM   #1
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 299
Over-aggressive SpamAssasin rules?

One of the newsletters I subscribe to just got tagged with an abnormally high spam score:
Code:
X-Sieve: CMU Sieve 2.3
X-Spam-score: 9.9
X-Spam-hits: BAYES_50 0.001, FORGED_RCVD_HELO 0.135, HOT_NASTY 0.157, HTML_30_40 0.374,
  HTML_MESSAGE 0.001, ME_GEOCITIES 1, ME_GEOCITIES_MANY 6,
  MIME_HTML_MOSTLY 1.102, SPF_FAIL 1.142
The culprit is " ME_GEOCITIES_MANY 6 " and it seems that it was triggered by a single line containing a link to Geocities:
Code:
<A HREF="http://www.geocities.com/ResearchTriangle/Lab/1131/eng/safe.html" TARGET="other">
http://www.geocities.com/ResearchTriangle/Lab/1131/eng/safe.html</A>
Now, why would FM assign such a high score (6) to a Geocities link? I know it is a favourite spam hosting but there are legitimate users as well.

Rob, if you're reading it, please lower that score to something reasonable or, even better, adjust the SpamAssasin rule to not trigger on two URLs within a single <A HREF>.

Thank you.
ao1 is offline   Reply With Quote

Old 23 Feb 2007, 02:32 PM   #2
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
It was a bunch of rules I added a while back to catch the bloody geocities "watch" spam and other related stuff that was flooding inboxes for a while and ******* people off.

Here's the complete ruleset I added. Yes, it's all pretty arbitrary, but it did the job.

Code:
uri ME_GEOCITIES /\.geocities\./i
score ME_GEOCITIES 1.00

body __ME_GEOCITIES_WATCH /\b(?:watch|tag h[uer]+\b|cart[ier]+\b|wristwatch)/i
score __ME_GEOCITIES_WATCH 0.05
body __ME_GEOCITIES_CHRONO /\b(?:chronometers?|timekeepers?)\b/i
score __ME_GEOCITIES_CHRONO 0.05
body __ME_GEOCITIES_TIMEPIECE /\b(?:time ?pieces?|masterpieces?|swiss)\b/i
score __ME_GEOCITIES_TIMEPIECE 0.05
body __ME_GEOCITIES_CHIC /\b(?:chic|stainless steel|studded diamond|classic one|precious beauties|utterly delighted|sheer elegance|elegent|fashion|opulent|vogue)\b/i
score __ME_GEOCITIES_CHIC 0.05
body __ME_GEOCITIES_APPAREL /\b(?:apparel|accoutrements|)\b/i
score __ME_GEOCITIES_APPAREL 0.05

meta __ME_GEOCITIES_WATCHTERM (__ME_GEOCITIES_WATCH*2 + __ME_GEOCITIES_CHRONO*3 + __ME_GEOCITIES_TIMEPIECE*2 + __ME_GEOCITIES_CHIC*2 + __ME_GEOCITIES_APPAREL*2) >= 3
score __ME_GEOCITIES_WATCHTERM 0.05

body __ME_GEOCITIES_PRESCRIPTIONS /\b(?:prescriptions?)\b/i
score __ME_GEOCITIES_PRESCRIPTIONS 0.05
body __ME_GEOCITIES_DRUG /\b(?:drugs?|medical|remedy|health issues?|meds)\b/i
score __ME_GEOCITIES_DRUG 0.05

meta __ME_GEOCITIES_DRUGTERM (__ME_GEOCITIES_PRESCRIPTIONS*2 + __ME_GEOCITIES_DRUG*2) >= 2
score __ME_GEOCITIES_DRUGTERM 0.05

body __ME_GEOCITIES_DISCOUNT /\b(?:discount|min costs?|cost[- ]conscious|afford it|reasonable price|less money|spending less|bargain|economical|worry.{1,15}bills)/i
score __ME_GEOCITIES_DISCOUNT 0.05
body __ME_GEOCITIES_SATISFACTION /\b(satisfaction|satisfied|money[- ]back)\b/i
score __ME_GEOCITIES_SATISFACTION 0.05
body __ME_GEOCITIES_INVENTORY /\binventory\b/i
score __ME_GEOCITIES_INVENTORY 0.05
body __ME_GEOCITIES_SAFE /\b(safe|best service)\b/i
score __ME_GEOCITIES_SAFE 0.05
body __ME_GEOCITIES_AFFORDABLE /\bafford(?:able)\b/i
score __ME_GEOCITIES_AFFORDABLE 0.05
body __ME_GEOCITIES_STORE /\bstore\b/i
score __ME_GEOCITIES_STORE 0.05
body __ME_GEOCITIES_SHIP /\b(shipped|world wide)\b/i
score __ME_GEOCITIES_SHIP 0.05

meta __ME_GEOCITIES_MONEYTERM (__ME_GEOCITIES_DISCOUNT || __ME_GEOCITIES_SATISFACTION || __ME_GEOCITIES_INVENTORY || __ME_GEOCITIES_SAFE || __ME_GEOCITIES_AFFORDABLE
 || __ME_GEOCITIES_STORE || __ME_GEOCITIES_SHIP)
score __ME_GEOCITIES_MONEYTERM 0.05

meta ME_GEOCITIES_MANY ME_GEOCITIES && (__ME_GEOCITIES_WATCHTERM || __ME_GEOCITIES_DRUGTERM) && __ME_GEOCITIES_MONEYTERM
score ME_GEOCITIES_MANY 6.0
So to hit the rule, it has to have all of

1. A geocities link in it
2. A "watch" term or a "drug" term
3. A "money" term

I wonder what was in your newsletter that triggered it?

Rob
robmueller is offline   Reply With Quote
Old 23 Feb 2007, 11:45 PM   #3
ao1
Essential Contributor
 
Join Date: Oct 2003
Posts: 299
Quote:
Originally posted by robmueller
It was a bunch of rules I added a while back to catch the bloody geocities "watch" spam and other related stuff that was flooding inboxes for a while and ******* people off.

Here's the complete ruleset I added. Yes, it's all pretty arbitrary, but it did the job.
Still 6.0 is a disproportinally large score.

Quote:
Originally posted by robmueller
I wonder what was in your newsletter that triggered it?[/b]
See for yourself:
http://techsupportalert.com/issues/issue142.htm

Incidently, I have rules based on individual SA tags.
It would help if you could make your SA config available so I could check the criteria for those tags.

For example, one email that I got was marked with KAM_STOCKOTC and STRONG_BUY. I could not find the actual rules for these tags anywhere on the web.

Finally, quite a lot of email that I get (spam and non-spam) is marked with FORGED_RCVD_HELO.
A quick google check produced this:
http://www.mailarchives.org/list/spa...msg/2003/00001
ao1 is offline   Reply With Quote
Old 26 Feb 2007, 02:12 PM   #4
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
I've reduced the score, but it should be pretty easy to add the From address of the newsletter to your address book to whitelist it as well.

Rob
robmueller is offline   Reply With Quote
Old 26 Feb 2007, 02:15 PM   #5
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
All the scores we use are pretty standard. Either their base SA ones, or ones from sa-update, or from the SARE repository. Any ones we add ourselves we always prefix them with ME_

Rob
robmueller is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 12:58 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy