Jason Haar writes:
> We are getting heaps of false positives off these rules - ironically
> mainly from our IT services dealers/sellers/etc.
>
> Since upgrading from SA-3.1* to 3.2.0, we have discovered that it
> appears most small New Zealand businesses run mail servers on DSL links
> with PTR records of the format "NN-NN-NN-NN.isp.carrier.nz". Hence they
> end up with 2.2 points
> (FH_HOST_EQ_D_D_D_D,FH_HOST_EQ_D_D_D_DB,RDNS_DYNAMIC) added without any
> real effort. That plus their sputty HTML mails pushes them into the 5-7
> range.
>
> I know SA isn't really doing anything wrong, but are people in other
> countries seeing this too? If so, it may imply the default scores are
> too high?
Well, FH_HOST_EQ_D_D_D_D is the main issue I'd say, since it has the higher
FPs and a much more significant score:

score FH_HOST_EQ_D_D_D_D 2.599 1.992 1.692 1.212 # n=2
score FH_HOST_EQ_D_D_D_DB 0.102 0.095 0.055 0.223 # n=2

STATISTICS-set3.txt: 7.010 10.9120 0.1316 0.988 0.64 0.22 FH_HOST_EQ_D_D_D_DB
STATISTICS-set3.txt: 20.447 31.7873 0.4565 0.986 0.58 1.21 FH_HOST_EQ_D_D_D_D

Since they overlap heavily with RDNS_DYNAMIC, perhaps we should consider
reducing/zeroing one or both scores for 3.2.1. Could you open a bug?

--j.

> Obviously I'm going to have to lower those scores to compensate - I bet
> more spam will come through too :-(
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
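The following script is an added example, not code from the thread or from SpamAssassin itself. It parses the two score lines and the two STATISTICS-set3 lines quoted in the reply, shows how many points a PTR of the shape Jason describes picks up from the two overlapping FH_HOST_EQ_D_D_D_D* rules under the default set3 scores, and what a local.cf-style "score RULE 0" override changes. Assumptions: the STATISTICS column order (OVERALL% SPAM% HAM% S/O RANK SCORE NAME) is the usual masscheck layout and is not stated on the page; the regex standing in for the two rules is a hypothetical approximation (the real rule bodies are not quoted), chosen so that both rules fire together, which is the overlap the reply describes; RDNS_DYNAMIC is left out because no score for it appears in the thread; the PTR name is constructed.

```python
"""Added example: measure what the overlapping FH_HOST_EQ_D_D_D_D* rules add
for a dynamic-looking PTR, using only the numbers quoted in the thread."""
import re

# Constructed from the STATISTICS-set3.txt lines quoted in the reply.
# Column order assumed: OVERALL% SPAM% HAM% S/O RANK SCORE NAME.
STATS_LINES = [
    "7.010 10.9120 0.1316 0.988 0.64 0.22 FH_HOST_EQ_D_D_D_DB",
    "20.447 31.7873 0.4565 0.986 0.58 1.21 FH_HOST_EQ_D_D_D_D",
]

# The score lines quoted in the reply (one value per score set 0..3).
SCORE_LINES = """
score FH_HOST_EQ_D_D_D_D 2.599 1.992 1.692 1.212 # n=2
score FH_HOST_EQ_D_D_D_DB 0.102 0.095 0.055 0.223 # n=2
"""


def parse_stats(lines):
    """Return {rule: {overall, spam, ham, s_o, rank, score}} from STATISTICS lines."""
    stats = {}
    for line in lines:
        overall, spam, ham, s_o, rank, score, name = line.split()
        stats[name] = dict(overall=float(overall), spam=float(spam), ham=float(ham),
                           s_o=float(s_o), rank=float(rank), score=float(score))
    return stats


def parse_scores(text, score_set=3):
    """Parse 'score NAME v' or 'score NAME v0 v1 v2 v3' lines for one score set.

    Trailing '# n=2' style comments are dropped, as a config parser would."""
    scores = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("score "):
            continue
        parts = line.split()
        name, values = parts[1], parts[2:]
        if len(values) == 1:
            scores[name] = float(values[0])        # single value applies to every set
        elif len(values) == 4:
            scores[name] = float(values[score_set])
        else:
            raise ValueError(f"bad score line: {raw!r}")
    return scores


# Hypothetical stand-in for the two rules: first PTR label is four decimal
# groups joined by '-'. Both rules are treated as firing on the same names,
# which is the overlap the thread is about; the real rule regexes differ.
DDDD_LABEL = re.compile(r"^\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\.")


def rdns_rule_hits(rdns):
    """Rules a PTR name would trigger under the approximation above."""
    if DDDD_LABEL.match(rdns.strip().lower()):
        return ["FH_HOST_EQ_D_D_D_D", "FH_HOST_EQ_D_D_D_DB"]
    return []


def host_score(rdns, scores):
    """Points the PTR name alone contributes under a given score table."""
    return round(sum(scores.get(r, 0.0) for r in rdns_rule_hits(rdns)), 3)


def ham_hit_rate(stats, rule):
    """Percentage of ham hitting the rule in masscheck, i.e. its FP rate."""
    return stats[rule]["ham"]


if __name__ == "__main__":
    stats = parse_stats(STATS_LINES)
    defaults = parse_scores(SCORE_LINES)                  # set3 defaults
    override = dict(defaults, **parse_scores("score FH_HOST_EQ_D_D_D_D 0"))
    ptr = "12-34-56-78.isp.carrier.nz"                     # constructed PTR
    for rule in defaults:
        print(f"{rule}: ham hit {ham_hit_rate(stats, rule)}%  set3 score {defaults[rule]}")
    print("default points from PTR:  ", host_score(ptr, defaults))
    print("after local.cf override:  ", host_score(ptr, override))
```

Run it as-is and the PTR picks up 1.435 points under set3 defaults and 0.223 once FH_HOST_EQ_D_D_D_D is zeroed, while the parsed STATISTICS line shows that rule hitting roughly 0.46% of ham, about three and a half times the ham hit rate of the DB variant. The override line is in the same syntax you would put in local.cf, so the same parser can be pointed at a real config to check which score set a given value lands in.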