Re: Sought False Positives

Sat, 21 Aug 2010 13:52:45 -0700 

On 20/08/10 19:44, John Hardin wrote:

On Fri, 20 Aug 2010, Karsten Br�ckelmann wrote:


On Fri, 2010-08-20 at 17:47 +0200, Karsten Bräckelmann wrote:

On Fri, 2010-08-20 at 17:12 +0200, Jan P. Kessler wrote:

false-positives hitting on the rules JM_SOUGHT_1 and JM_SOUGHT_2.
Unfortunaley I can not give examples as these messages contain
confidental customer data (assurance company). We had more than 100
false-positives with these rules in the last 2 days.


I hope you can tell us the __SEEK_* sub-rules triggered, though. That
would help already. To extract these, either (a) pipe such a message
to spamassassin -D, and get the sub-rule from the debug output, or
(b) add a specific header only showing the sub-rules.


A word of caution: Do note that the seek sub-rules' names are
generated using a hash function, and thus identify the actual string
matched!

You might want to check the string in 20_sought.cf, before disclosing
the seek ID. I'd be surprised if it contains sensitive data, tough --
after all, it is found massively in spam.


...as well as in SA SVN. The matches can't be confidential as they're
generated from public sources. The non-matching bits are what is
confidential.

I agree with Karsten, it's most likely disclaimer text that doesn't have
a ham exclusion in the SOUGHT rule generator.
I'm still seeing FP hits against these rules despite a few sought rule updates. 

It seems there's a few rules hitting on Facebook:
# grep Facebook /var/lib/spamassassin/3.003001/sought_rules_yerp_org/20_sought.cf 
body __SEEK_YDK7NN  / to unsubscribe\. Facebook, Inc/
body __SEEK_GYJ_MA / If you do not wish to receive this type of email from Facebook in the future, please follow the link below to unsubscribe\. http:\/\/www\.facebook\.com\/ Facebook, Inc\. P\.O\. Box 10005, Palo Alto, CA 94303 / 
body __SEEK_Z4K_72  / sent you a message on Facebook/
body __SEEK_A5_EMW  /Find people from your Gmail address book on Facebook\!/
body __SEEK_TKDQL_  /Sign in to Facebook and start connecting/
body __SEEK_X4HOA8 /Didn\'t sign up for Facebook\? Please let us know\. If you do not wish to receive this type of email from Facebook in the future, please click here to unsubscribe\.Facebook, Inc\. P\.O\. Box 10005, Palo Alto, CA 94303/

Reply via email to