On Fri, 20 Aug 2021 14:16:14 -0700
Kenneth Porter wrote:

> On 8/20/2021 1:53 PM, Greg Troxel wrote:
> > I just had it falsely hit, in that it triggered on mail that was
> > ham. There was a .club URL, but it was to a club website mentioned
> > in mail that I actually agreed to get and that was on topic.
> >
> > So I would suggest that rules that do not show actual evidence of
> > spam, but merely "other people have abused things that seem like
> > you", be limited to 2 or 3 points.
>
> That's a different issue, a matter of policy. The rule correctly
> identified a uri with the "bad" domain but the score is more than
> you want. I addressed that by adding my own score in
> /etc/mail/spamassassin/KAM-tweaks.cf.

The problem is that overlap between the core and KAM rules can make it difficult to come up with a sane value. The same applies to the various TLD core rules too.

The core rules handle TLDs quite badly because they treat the URI and address versions as independent indicators even though they obviously aren't. In particular the author domain commonly leaks into the URI list via a DKIM signature.

The combined URI and address KAM rule is a better approach, but it's overlapping with the core rules.

Personally I'm not happy about treating URI hits as the equal of address hits. For one thing the URI list isn't designed to be reliable. For another, while there's a wide understanding that abused TLDs shouldn't be used in email addresses, there's less of a consensus about websites, and email users don't care at all about what TLDs they link to. My preference would be to score the URI only if there is no address hit, and at a lower score.
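
The scoring preference in the last paragraph, sketched as a local SpamAssassin configuration. This is an added example, not part of the original message and not taken from the KAM or core rule sets; the LOCAL_ rule names, the use of .club as the only listed TLD, and the score values are assumptions for illustration.

```conf
# Added example: local rules, not the KAM or core rule set.
# Rule names, the single .club TLD and the scores are assumptions.

# Sub-rules (leading "__") match but carry no score of their own.
header   __LOCAL_TLD_ADDR    From:addr =~ /\.club$/i
uri      __LOCAL_TLD_URI     /^https?:\/\/[^\/?]+\.club(?![\w.-])/i

# Address hit: scored once, whether or not a matching URI is also present.
# An author domain that leaks into the URI list via the DKIM signature
# therefore adds nothing on top of this.
meta     LOCAL_TLD_ADDR      __LOCAL_TLD_ADDR
describe LOCAL_TLD_ADDR      Author address is in a locally listed TLD
score    LOCAL_TLD_ADDR      2.0

# URI hit: scored only when there is no address hit, and at a lower score.
meta     LOCAL_TLD_URI_ONLY  __LOCAL_TLD_URI && !__LOCAL_TLD_ADDR
describe LOCAL_TLD_URI_ONLY  URI is in a locally listed TLD, author address is not
score    LOCAL_TLD_URI_ONLY  1.0
```

The overlapping core and KAM TLD rules still score on top of these unless their scores are changed separately in the same local configuration.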