On Mon, 2018-12-10 at 13:09 -0500, Bill Cole wrote: > On 9 Dec 2018, at 18:23, Chris Pollock wrote: > > > On Sun, 2018-12-09 at 13:06 -0500, Bill Cole wrote: > > > On 9 Dec 2018, at 12:04, Chris Pollock wrote: > > > > > > > This is probably very trivial and doesn't affect anything > > > > except > > > > maybe > > > > the size of the headers but I have to ask. When looking at the > > > > headers > > > > of some ham I noticed - https://pastebin.com/H7euxqVX the two > > > > rules > > > > I > > > > mention above are in 72_active.cf. Is there a reason for the > > > > number > > > > of > > > > times it's listed? Couldn't each subtest be listed just once > > > > instead > > > > of > > > > multiple times? > > > > > > Not with the current documented behavior of the code, given the > > > way > > > those sub-rules are designed to work together. The goal is to > > > identify > > > messages which use Latin-script 'e' characters but also use many > > > non-Latin-script characters which look like 'e' but are not. To > > > make > > > this determination, the rules require the 'multiple' flag without > > > a > > > cap > > > on thne number of matches which a 'maxhits' parameter would set. > > > > Got it, thanks Bill. I've never noticed this before. I also noticed > > that according to my daily sa-update output this subtest is > > apparently > > new or at least it didn't appear in the output until this past Fri. > > Correct. See the thread with the subject "No longer just embedded =9D > characters in blackmail emails" here last week for the background. > > > > > > > It is not recommended to routinely add the list of matched sub- > > > rules > > > to > > > scanned messages. > > > > > > > Any specific reason why? This is just on my home system. > > It's got the potential to be VERY noisy (as you've discovered) while > not really providing much useful info. Not a big deal on a small > system. > I could just go through and comment out this line in my local.cf add_header all Subtest Ran _SUBTESTS(,)_ but I periodically like to see what's going on.
> > Anyway, as of today I've capped those 2 subrules at levels which > leave ample space to still match the target spam. Should show up in > tomorrow's update. Thanks Bill, I'll see how it looks after today's update. -- Chris KeyID 0xE372A7DA98E6705C 31.11972; -97.90167 (Elev. 1092 ft) 08:51:45 up 3 days, 13:15, 1 user, load average: 0.27, 0.59, 0.64 Description: Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic
signature.asc
Description: This is a digitally signed message part
