Some of the legitimate mails here are being hit with a rather high KAM_OCTET_PHISH=3.

It seems to trigger when I have both text/html and application/octet-stream MIME parts.

Reduced/sanitized example at: https://pastebin.com/D4vqKnLC

It seems to be a multi-rule meta, but all those sub-rules seem to check for mostly the same two things to my untrained eye:

mimeheader T_OBFU_HTML_ATTACH Content-Type =~ m,\bapplication/octet-stream\b.+\.s?html?\b,i
mimeheader __KAM_VM5 Content-Type =~ /.s?html?\.?\"?($|;)/i
mimeheader __KAM_OCTET_PHISH1 Content-Type =~ /application\/octet-stream/i
meta KAM_OCTET_PHISH ( __KAM_OCTET_PHISH1 + ( __KAM_VM5 + T_OBFU_HTML_ATTACH >= 1) >= 2 )
describe KAM_OCTET_PHISH HTML File with the wrong MIME Type
score KAM_OCTET_PHISH 3.0

That is on Debian Bullseye spamassassin 3.4.6-1 (with extra KAM rulesets).

Can someone shed light on what is happening here, and is it supposed to be happening?

--
Opinions above are GNU-copylefted.
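
An added example, not part of the original post and not SpamAssassin or KAM code: the three patterns quoted above, translated to Python regex syntax and run over constructed Content-Type values. It assumes a mimeheader rule hits when any single MIME part's header matches and that the meta combines those message-wide hits; under that assumption it shows which part trips which sub-rule.

```python
import re

# The three mimeheader patterns from the post, translated from Perl to Python syntax.
RULES = {
    "T_OBFU_HTML_ATTACH": re.compile(r'\bapplication/octet-stream\b.+\.s?html?\b', re.I),
    "__KAM_VM5": re.compile(r'.s?html?\.?"?($|;)', re.I),
    "__KAM_OCTET_PHISH1": re.compile(r'application/octet-stream', re.I),
}

def subrule_hits(content_types):
    """Map each sub-rule to the Content-Type values (one per MIME part) it matches."""
    return {name: [ct for ct in content_types if rx.search(ct)]
            for name, rx in RULES.items()}

def kam_octet_phish(content_types):
    """Evaluate the meta expression from the post on message-wide sub-rule hits.

    Assumption: a sub-rule counts as 1 if any part matched, else 0.
    """
    hit = {n: int(bool(parts)) for n, parts in subrule_hits(content_types).items()}
    html_like = int(hit["__KAM_VM5"] + hit["T_OBFU_HTML_ATTACH"] >= 1)
    return hit["__KAM_OCTET_PHISH1"] + html_like >= 2

# Constructed samples: each message is the list of its parts' Content-Type values.
SAMPLES = {
    "html body + pdf sent as octet-stream": [
        'text/html; charset="utf-8"',
        'application/octet-stream; name="report.pdf"',
    ],
    "plain body + pdf sent as octet-stream": [
        'text/plain; charset="utf-8"',
        'application/octet-stream; name="report.pdf"',
    ],
    "plain body + html sent as octet-stream": [
        'text/plain; charset="utf-8"',
        'application/octet-stream; name="invoice.html"',
    ],
    "html body only": ['text/html; charset="utf-8"'],
}

if __name__ == "__main__":
    for label, parts in SAMPLES.items():
        print(label, "->", kam_octet_phish(parts))
        for rule, matched in subrule_hits(parts).items():
            for ct in matched:
                print("   ", rule, "matched:", ct)
```
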