* Loren Wilton wrote (24/12/2005 00:23):
>> Does anyone have any suggestions, apart from simply reducing the score
>> for SARE_URI_EQUALS? Is this a spamassassin bug, or is there no way to
>> guarantee that only real uris are parsed as such?
>
> Several.
Hi. Thanks for the response. I'm replying
>...
>List Mail User wrote on Mon, 26 Dec 2005 16:46:00 -0800 (PST):
>
>> How about the case of "http=3A=2F=2Fwww=2Ecnn=2Ecom=2F2003=2F"
>> inside of HTML? i.e. http://www.cnn.com/2003/ - from a "phishing spam",
>> the full line was:
>
>You mean it displayed like this in the mail agent *after*
List Mail User a écrit :
>
> How about the case of "http=3A=2F=2Fwww=2Ecnn=2Ecom=2F2003=2F"
> inside of HTML? i.e. http://www.cnn.com/2003/ - from a "phishing spam",
> the full line was:
>
> =3Chttp=3A=2F=2Fwww=2Ecnn=2Ecom=2F2003=2FWORLD=2Fafrica=2F07=2F20=2Fkenya=2Ecrash=2Findex=2Ehtml=3
On Tue, Dec 27, 2005 at 09:17:09PM +0100, mouss wrote:
> are you sure? my understanding is that query part must be in the
> url-path, so must come after at least one slash. something like
I don't know about "=bar", but if it were "?bar", many browsers will assume
there's supposed to be a "/" befor
Kai Schaetzl a écrit :
> Mouss wrote on Tue, 27 Dec 2005 00:04:34 +0100:
>
>
>>Is foo.tld=bar a valid hostname part in a URI?
>
>
> "foo.tld=bar" is a valid URL with "foo.tld" being the hostname and "=bar"
> being the query part.
>
are you sure? my understanding is that query part must be in
List Mail User wrote on Mon, 26 Dec 2005 16:46:00 -0800 (PST):
> How about the case of "http=3A=2F=2Fwww=2Ecnn=2Ecom=2F2003=2F"
> inside of HTML? i.e. http://www.cnn.com/2003/ - from a "phishing spam",
> the full line was:
You mean it displayed like this in the mail agent *after* Q decoding a
Mouss wrote on Tue, 27 Dec 2005 00:04:34 +0100:
> Is foo.tld=bar a valid hostname part in a URI?
"foo.tld=bar" is a valid URL with "foo.tld" being the hostname and "=bar"
being the query part.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactiv
>...
>Is foo.tld=bar a valid hostname part in a URI? I doubt that. now, would
>a MUA show that as a URI followed by "bar"?
>
>I think that SA should provide an option to enable/disable:
>uri_broken_mua, so that people not caring for "broken" MUAs can avoid
>such false positives.
>
How abou
>...
Mouss,
>List Mail User a écrit :
>> updated.by - check http://www.tld.by/cgi-bin/registry.cgi
>>
>> You'll see that update.by is a registered domain! Therefore
>> "updated.by" is indeed a URI. QED
>
>the question is: if foo.example-DEMUNGED is listed in uribl/surbl, does
>
Loren Wilton a écrit :
>>Does anyone have any suggestions, apart from simply reducing the score
>>for SARE_URI_EQUALS? Is this a spamassassin bug, or is there no way to
>>guarantee that only real uris are parsed as such?
>
>
> Several.
>
> 1.Change your report generator to remove the extrane
List Mail User a écrit :
> updated.by - check http://www.tld.by/cgi-bin/registry.cgi
>
> You'll see that update.by is a registered domain! Therefore
> "updated.by" is indeed a URI. QED
the question is: if foo.example-DEMUNGED is listed in uribl/surbl, does
that make it a bad string i
> Does anyone have any suggestions, apart from simply reducing the score
> for SARE_URI_EQUALS? Is this a spamassassin bug, or is there no way to
> guarantee that only real uris are parsed as such?
Several.
1.Change your report generator to remove the extraneous dot between
updated and by. O
Hello Chris,
Friday, December 23, 2005, 3:04:29 AM, you wrote:
CL> I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is
CL> therefore skewing the scoring of some mail quite badly. ...
CL> Does anyone have any suggestions, apart from simply reducing the
CL> score for SARE_URI_EQ
updated.by - check http://www.tld.by/cgi-bin/registry.cgi
You'll see that update.by is a registered domain! Therefore
"updated.by" is indeed a URI. QED
Paul Shupak
[EMAIL PROTECTED]
* jdow wrote (23/12/05 12:06):
> From: "Chris Lear" <[EMAIL PROTECTED]>
>>* jdow wrote (23/12/05 11:26):
>>> From: "Chris Lear" <[EMAIL PROTECTED]>
>>>
I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is
therefore skewing the scoring of some mail quite badly.
The
From: "Chris Lear" <[EMAIL PROTECTED]>
* jdow wrote (23/12/05 11:26):
From: "Chris Lear" <[EMAIL PROTECTED]>
I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is
therefore skewing the scoring of some mail quite badly.
The weird thing is that the uris that spamassassin is comp
* jdow wrote (23/12/05 11:26):
> From: "Chris Lear" <[EMAIL PROTECTED]>
>
>> I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is
>> therefore skewing the scoring of some mail quite badly.
>> The weird thing is that the uris that spamassassin is complaining about
>> aren't uris a
From: "Chris Lear" <[EMAIL PROTECTED]>
I'm getting false positives for SARE_URI_EQUALS, which scores 5 and is
therefore skewing the scoring of some mail quite badly.
The weird thing is that the uris that spamassassin is complaining about
aren't uris at all. The mail in question is auto-created r
18 matches
Mail list logo
