On 8/20/2021 6:23 AM, Matus UHLAR - fantomas wrote:
it seems that some TLD rules catch strings that are not domains:
* 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs
* [URI: ups.mfr.date (date)]
* 5.0 KAM_SOMETLD_ARE_BAD_TLD .stream, .trade, .pw, .top, .press,
* .guru, .casa, .online, .cam, .shop, .club & .date TLD Abuse
On 20.08.21 12:56, Kenneth Porter wrote:
The KAM rule was just recently fixed. If you have an example that's
still tripping it, post it to a pastebin and share the link here.
This version has the revised rule: 1629386681
Look in this file for the version:
/var/lib/spamassassin/3.004004/kam_sa-channels_mcgrail_com.cf
FYI I received another mail from the same list and it doesn't look like the
problem has been solved (updated KAM to check)
https://alioth-lists.debian.net/pipermail/nut-upsuser/2021-August/012540.html
I will report it to KAM (as documented by kam.cf) later.
header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
meta KAM_SOMETLD_ARE_BAD_TLD (__KAM_SOMETLD_ARE_BAD_TLD_FROM) || (__KAM_SOMETLD_ARE_BAD_TLD_URI && !__KAM_SOMETLD_ARE_BAD_TLD_URI_NEGATIVE)
Aug 24 14:33:29.567 [14949] dbg: rules: uri host enlisted (SUSP_URI_NTLD): battery.date (date)
Aug 24 14:33:29.568 [14949] dbg: rules: ran eval rule PDS_OTHER_BAD_TLD ======> got hit (1)
Aug 24 14:33:30.866 [14949] dbg: rules: ran uri rule __KAM_SOMETLD_ARE_BAD_TLD_URI ======> got hit: "://battery.date"
...there's no :// in the original mail, perhaps added by SA preprocessing?
My original intent was only focused on the battery.date{,.maintenance}.
these two are somehow redundant.
uri __KAM_SOMETLD_ARE_BAD_TLD_URI /:\/{2}([a-z0-9-\.]+)\.(pw|stream|trade|press|top|date|guru|casa|online|cam|shop|club|bar)($|\/|\:)/i
header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
enlist_uri_host (SUSP_URI_NTLD) icu
enlist_uri_host (SUSP_URI_NTLD) online
enlist_uri_host (SUSP_URI_NTLD) work
enlist_uri_host (SUSP_URI_NTLD) date
enlist_uri_host (SUSP_URI_NTLD) top
enlist_uri_host (SUSP_URI_NTLD) fun
enlist_uri_host (SUSP_URI_NTLD) life
enlist_uri_host (SUSP_URI_NTLD) review
enlist_uri_host (SUSP_URI_NTLD) xyz
enlist_uri_host (SUSP_URI_NTLD) bid
enlist_uri_host (SUSP_URI_NTLD) stream
enlist_uri_host (SUSP_URI_NTLD) site
enlist_uri_host (SUSP_URI_NTLD) space
enlist_uri_host (SUSP_URI_NTLD) gdn
enlist_uri_host (SUSP_URI_NTLD) click
enlist_uri_host (SUSP_URI_NTLD) world
enlist_uri_host (SUSP_URI_NTLD) fit
enlist_uri_host (SUSP_URI_NTLD) ooo
enlist_uri_host (SUSP_URI_NTLD) faith
enlist_uri_host (SUSP_URI_NTLD) buzz
enlist_uri_host (SUSP_URI_NTLD) trade
enlist_uri_host (SUSP_URI_NTLD) cyou
enlist_uri_host (SUSP_URI_NTLD) vip
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
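
An added example, not part of the original message and not SpamAssassin or KAM code: a simplified Python model of how a bare token such as `battery.date` can reach the quoted `uri` rule with `://` in front of it. It assumes the URI parser treats a dotted token ending in a known TLD as a schemeless URI and prefixes `http://`, which is what the debug output suggests; `extract_uris`, `evaluate`, `KNOWN_TLDS`, `TOKEN` and the sample text are hypothetical.

```python
import re

# The uri rule quoted in the message, transcribed for Python's re module.
KAM_URI = re.compile(
    r":\/{2}([a-z0-9-\.]+)\.(pw|stream|trade|press|top|date|guru|casa|online"
    r"|cam|shop|club|bar)($|\/|\:)", re.I)

# Subset of the enlist_uri_host (SUSP_URI_NTLD) entries quoted in the message.
SUSP_URI_NTLD = {"date", "top", "stream", "trade", "online"}

# ASSUMPTION: simplified stand-in for schemeless-URI detection, i.e. a dotted
# token whose last label is a known TLD. This is not SpamAssassin's parser,
# and KNOWN_TLDS is a tiny constructed list.
KNOWN_TLDS = SUSP_URI_NTLD | {"com", "org", "net"}
TOKEN = re.compile(r"(?<![\w.@/-])([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?![\w-])", re.I)

def extract_uris(body):
    """Return the canonical URIs the simplified parser hands to uri rules."""
    uris = []
    for m in TOKEN.finditer(body):
        host = m.group(1).lower()
        if host.rsplit(".", 1)[1] in KNOWN_TLDS:
            uris.append("http://" + host)  # scheme added here, not by the sender
    return uris

def evaluate(body):
    """Map each extracted URI to the names of the rules it would trip."""
    hits = {}
    for uri in extract_uris(body):
        host = uri.split("://", 1)[1]
        rules = []
        if host.rsplit(".", 1)[1] in SUSP_URI_NTLD:
            rules.append("PDS_OTHER_BAD_TLD")
        if KAM_URI.search(uri):
            rules.append("__KAM_SOMETLD_ARE_BAD_TLD_URI")
        hits[uri] = rules
    return hits

# Constructed sample: UPS variable output as it might be pasted into a list post.
SAMPLE = """battery.charge: 100
battery.date: 2019/03/12
ups.mfr.date: 2018/11/02
ups.status: OL
see www.example.org for the manual
"""

if __name__ == "__main__":
    for uri, rules in evaluate(SAMPLE).items():
        print(uri, rules)
```

The raw string `battery.date` never matches the `uri` regex on its own; only the normalised form does, so a false-positive test for such rules has to feed them the parser's output rather than the message text.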