guys, feel free to mail me samples (offlist) of sought FPs -- ideally, as mboxes. it's easy enough to add them to the training process.
--j.

On Mon, Nov 8, 2010 at 22:54, mouss <mo...@ml.netoyen.net> wrote:
> On 20/08/2010 17:12, Jan P. Kessler wrote:
>>
>> Hi,
>>
>> we use spamassassin with the sought ruleset since several years at our
>> company. After the upgrade from 3.2.5 to 3.3.1 we notice tons of
>> false-positives hitting on the rules JM_SOUGHT_1 and JM_SOUGHT_2.
>> Unfortunately I can not give examples as these messages contain
>> confidential customer data (assurance company). We had more than 100
>> false-positives with these rules in the last 2 days.
>>
>> I have drastically lowered the score from 4.0 to 1.0 for both rules and
>> wanted to ask if anybody else noticed that?
>>
>> Cheers, Jan
>>
>
> below is an FP which is a "public" mail. I'm going to zero the corresponding
> rules (I prefer false negatives, which help improving local rule, over false
> positives, exceptionally when I "can't explain why").
>
> ============= FP sample
> Return-Path: <websecurity-return-7218-mouss=ml.netoyen....@webappsec.org>
> Delivered-To: mouss+s...@ml.netoyen.net
> Received: from imlil.netoyen.net (localhost [127.0.0.1])
>     by imlil.netoyen.net (Postfix) with ESMTP id A2E97E54898
>     for <mouss+s...@ml.netoyen.net>; Mon, 8 Nov 2010 18:42:45 +0100
> (CET)
> X-Relay-Countries: US
> X-Virus-Scanned: amavisd-new at netoyen.net
> X-Spam-Flag: YES
> X-Spam-Score: 5.284
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.284 required=5 tests=[COUNTRY_US=0.01,
>     JM_SOUGHT_3=4, RDNS_NONE=1.274] autolearn=no
> Received: from cgisecurity.net (unknown [199.125.85.46])
>     by mx.netoyen.net (Postfix) with SMTP id A8EA4E54829
>     for <mo...@ml.netoyen.net>; Mon, 8 Nov 2010 18:42:43 +0100 (CET)
> Received: (qmail 18910 invoked by uid 1017); 8 Nov 2010 18:36:41 -0000
> Mailing-List: contact websecurity-h...@webappsec.org; run by ezmlm
> Precedence: bulk
> List-Post: <mailto:websecur...@webappsec.org>
> List-Help: <mailto:websecurity-h...@webappsec.org>
> List-Unsubscribe: <mailto:websecurity-unsubscr...@webappsec.org>
> List-Subscribe: <mailto:websecurity-subscr...@webappsec.org>
> Delivered-To: mailing list websecur...@webappsec.org
> Delivered-To: moderator for websecur...@webappsec.org
> Received: (qmail 37779 invoked from network); 7 Nov 2010 18:51:51 -0000
> MIME-Version: 1.0
> In-Reply-To: <005301cb7ad5$b2875f30$c103f...@ml>
> References: <002301cb7944$a7619b80$c103f...@ml>
>     <aanlktimabfxcsrqdul=qvawxoqursqnt7nzefj2p7...@mail.gmail.com>
>     <005301cb7ad5$b2875f30$c103f...@ml>
> From: YGN Ethical Hacker Group <li...@yehg.net>
> Date: Mon, 8 Nov 2010 01:57:16 +0800
> Message-ID: <aanlktimtbamufvwexpwqbcdl4bb55ai31hxwpcd6r...@mail.gmail.com>
> To: MustLive <mustl...@websecurity.com.ua>
> Cc: websecur...@webappsec.org
> Content-Type: text/plain; charset=UTF-8
> Subject: Re: [WEB SECURITY] [New Tool Announcement] inspath - Path
>     Disclosure Finder
>
> Hi MustLive
>
> Thanks for your suggestion.
>
> Searching for Google Cache might be a good feature to add in inpathx
> but I'm afraid this realm should/can be done with other tools like
> SiteDigger (http://www.foundstone.com/us/resources/proddesc/sitedigger.htm).
>
>
>
> ---------------------------------
> Best regards,
> YGN Ethical Hacker Group
> Yangon, Myanmar
> http://yehg.net
> Our Lab | http://yehg.net/lab
> Our Directory | http://yehg.net/hwd
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> To unsubscribe email websecurity-unsubscr...@webappsec.org and reply to
> the confirmation email
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
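A triage helper for the situation in this thread, added here as an example and not part of the original messages: it parses the amavisd-style `X-Spam-Status` header (per-rule scores inside `tests=[...]`) and reports whether `JM_SOUGHT_*` hits alone pushed a message over the threshold, which is the kind of message worth collecting as an FP sample. The function names are hypothetical and the sample message is constructed from the header values quoted above.

```python
import email
import re
from email import policy

# Matches the amavisd-new form: score=5.284 required=5 tests=[RULE=pts, ...]
# (stock SpamAssassin writes tests=RULE1,RULE2 without points and will not match).
STATUS_RE = re.compile(r"score=(-?[\d.]+)\s+required=(-?[\d.]+)\s+tests=\[([^\]]*)\]")

def parse_spam_status(raw_message):
    """Return (score, required, {rule: points}) from X-Spam-Status, or None."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    header = msg.get("X-Spam-Status")
    if header is None:
        return None
    # Unfold the header: continuation lines arrive as newline plus whitespace.
    m = STATUS_RE.search(" ".join(header.split()))
    if m is None:
        return None
    rules = {}
    for item in m.group(3).split(","):
        name, _, points = item.strip().partition("=")
        if name and points:
            rules[name] = float(points)
    return float(m.group(1)), float(m.group(2)), rules

def sought_decisive(raw_message, prefix="JM_SOUGHT_", new_score=0.0):
    """True if the message is flagged now but would not be once every rule
    starting with `prefix` scored `new_score` (0.0 means the rule is zeroed)."""
    parsed = parse_spam_status(raw_message)
    if parsed is None:
        return False
    score, required, rules = parsed
    hits = {n: p for n, p in rules.items() if n.startswith(prefix)}
    if not hits or score < required:
        return False
    adjusted = score - sum(hits.values()) + new_score * len(hits)
    return adjusted < required

# Constructed sample: only the spam headers quoted in the thread, dummy body.
SAMPLE = (
    "X-Spam-Flag: YES\n"
    "X-Spam-Status: Yes, score=5.284 required=5 tests=[COUNTRY_US=0.01,\n"
    " JM_SOUGHT_3=4, RDNS_NONE=1.274] autolearn=no\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print(parse_spam_status(SAMPLE), sought_decisive(SAMPLE))
```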