On Sat, 14 Dec 2024, Bill Cole wrote:
On 2024-12-13 at 06:53:59 UTC-0500 (Fri, 13 Dec 2024 12:53:59 +0100)
Kirill A. Korinsky <kir...@korins.ky>
is rumored to have said:
Dear SA users,
I'd like to share with you a patch which allows me to catch an offering SEO
spam which I've encountered in my INBOX quite a few missed for last weeks.
Changes:
1. adds .xyz as suspicious zone because namecheap sells this domain for
~€1;
That's not (in itself) enough for us to include it in that list.
See https://ruleqa.spamassassin.org/20241207-r1922358-n/%2FTLD_XYZ
That shows the performance of a rule that has been in testing for some time
which matches any *.xyz address in the From header. It routinely scores in
the 0.7-0.8 range on the "S/O" ratio, indicating that roughly 1 in every 4
messages that it matches is NOT spam. That is too high for inclusion in the
default "suspicious TLD" list.
What level would you consider acceptable?
Obviously, any SA deployment can add enlist* directives to add .xyz to one or
both lists.
2. extends PDS_SEO2 regex to catch that spam.
Because that's a "sandbox" rule in the sandbox of Paul Stead, it is prudent
and courteous to get his input on this. I hope he is still reading this list.
I checked quickly before proceeding with this. He hasn't committed
anything to his sandbox in four years, including bugfixes, so I assumed he
wasn't still actively maintaining his sandbox.
I'll be happy to back out those changes if consensus is they aren't
reasonable.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Tomorrow: Bill of Rights day