spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: Rule HK_SCAM is triggered by standard business email
Date Wed, 01 Jul 2020 19:52:10 GMT
On Wed, 1 Jul 2020, Aner Perez wrote:

> I opened a bug (7832) about this but was told to report on the SA users 
> mailing list instead.
>
> The attached email is an example which triggers the HK_SCAM rule.  Looks like 
> __HK_SCAM_S7 is the culprit here since it matches the words "business" and 
> "enterprise" when they are found one after the other (even on different 
> lines).
>
> In the real world this was triggered by a business email that had the 
> following in the signature:
>
> FirstName LastName
> Altice Business
> Enterprise Account Executive

What was the *overall* score of that message? Was this rule enough to push 
the message over the spam threshold (5 points)? Or was the message still 
scored as ham?

It looks to me like the logic in __HK_SCAM_S7 is a little off...

/(?:(?:investment|proposed|lucrative) (?:business|venture)|(?:business|venture) (?:enterprise|propos(?:al|ition)))/i

seems like it should be:

/(?:(?:investment|proposed|lucrative) (?:business|venture)|(?:business|venture|enterprise) propos(?:al|ition))/i

...but I'll let Henrik comment.


Potentially, making it a rawbody rule might avoid this FP without 
affecting its performance against the targeted spams...


For future reference: sending a sample email to the list as a bare 
attachment is problematic, as it may be altered en-route and thus 
invalidate any meaningful analysis. It's better to attach it as a 
zip/gzip, or to upload it to someplace like Pastebin and just post the URL 
to it here. (In this case, your description should probably be enough to 
figure it out without the sample so you shouldn't need to do that unless 
someone explicitly asks you to do so.)



-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The philosophy of gun control: Teenagers are roaring through
   town at 90MPH, where the speed limit is 25. Your solution is to
   lower the speed limit to 20.                           -- Sam Cohen
-----------------------------------------------------------------------
  3 days until the 244th anniversary of the Declaration of Independence
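
The following is an added example, not part of the original message or of SpamAssassin's own code: it runs the two patterns quoted above against the reported signature and against a few constructed phrases. It assumes a simplified model in which a body rule sees the text with line breaks collapsed to spaces and a rawbody-style check tests each line on its own; the function names and phrase list are hypothetical.

```python
import re

# Patterns copied from the message above.
CURRENT_S7 = re.compile(
    r"(?:(?:investment|proposed|lucrative) (?:business|venture)"
    r"|(?:business|venture) (?:enterprise|propos(?:al|ition)))", re.I)
PROPOSED_S7 = re.compile(
    r"(?:(?:investment|proposed|lucrative) (?:business|venture)"
    r"|(?:business|venture|enterprise) propos(?:al|ition))", re.I)

# Signature quoted in the report.
SIGNATURE = "FirstName LastName\nAltice Business\nEnterprise Account Executive\n"

# Constructed phrases built from the alternations in the two patterns
# (not real spam samples).
PHRASES = [
    "a lucrative business",
    "my investment venture",
    "this business proposal",
    "a business enterprise",
    "an enterprise proposition",
]

def body_view(text):
    """Simplified body-rule model (assumption): line breaks become spaces."""
    return " ".join(text.split())

def matches_body(pattern, text):
    return pattern.search(body_view(text)) is not None

def matches_per_line(pattern, text):
    """Simplified rawbody-style model (assumption): each line tested alone."""
    return any(pattern.search(line) for line in text.splitlines())

def report():
    rows = {}
    for name, pat in (("current", CURRENT_S7), ("proposed", PROPOSED_S7)):
        rows[name] = {
            "sig_body": matches_body(pat, SIGNATURE),
            "sig_per_line": matches_per_line(pat, SIGNATURE),
            "phrases_hit": [p for p in PHRASES if matches_body(pat, p)],
        }
    return rows

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

The output shows the trade-off in the proposed pattern: the signature no longer matches, but neither does the literal phrase "business enterprise", while "enterprise proposition" starts to match.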
