I just upgraded my production spam filter to 3.3.2, and came across an
interesting false negative.

The mail is an unremarkable 419 scam, that originated from a web-café in
Nigeria or Mauritius, using an Italian ISP as the relay.  I've seen a lot of
these in the past, and have a rule to catch them, using RelayCountry.pm.

I've defined individual rules for many of the countries, such as:
header          RELAY_NG X-Relay-Countries=~/\bNG\b/
describe        RELAY_NG Relayed through Nigeria
score           RELAY_NG 2.0

And then I have a couple of meta rules that identify spammy behavior:

meta            __RELAY_AF      (RELAY_GH || RELAY_NG || RELAY_BJ || RELAY_BF || RELAY_MZ || RELAY_ZA || RELAY_CI || RELAY_SN || RELAY_MU)
meta            RELAY_EU_AF     (RELAY_IT || RELAY_DE) && (__RELAY_AF)
describe        RELAY_EU_AF     relayed through Europe from a country in Africa
score           RELAY_EU_AF     1.5

meta            AE_AF_FRAUD     LOTS_OF_MONEY && (__RELAY_AF)
describe        AE_AF_FRAUD     Talks about lots of money from countries with lots of scams
score           AE_AF_FRAUD     2.0

However, the webmail client is ignored in 3.3.2:
Jun 24 14:37:29.686 [23089] dbg: received-header: ignored SquirrelMail
injection: 41.206.11.5 (SquirrelMail authenticated user irivetti) by
webmail.unisalento.it with HTTP

Leaving only Italy in the X-Relay-Countries header:
Jun 24 14:37:29.689 [23089] dbg: metadata: X-Relay-Countries: IT ** ** IT


If RelayCountry.pm is relying on Received.pm, I don't think we want to
ignore the ultimate web-mail source, as that tends to be a pretty good
indication of spamminess....


Comparing with version 3.3.0 (which I happen to have around) I see all of
the countries parsed.  I haven't upgraded the database for IP::Country::Fast
on this box in a while....
Jun 24 15:08:18.568 [17813] dbg: metadata: X-Relay-Countries: ** ** ** IT **
** IT

Full message with headers available at http://pastebin.com/fEvZ1PUX

This message probably should have hit some freemail.pm rules as well.  I'll
probably need to add live.co.uk in locally....



-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281
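As an added example (not from the post or from SpamAssassin itself), a small Python model of the rules above that builds the X-Relay-Countries value from a list of relay hops and evaluates the header and meta rules, showing how dropping the SquirrelMail injection hop removes the NG code and turns RELAY_EU_AF and AE_AF_FRAUD off. The IP-to-country table and the Italian relay addresses are constructed placeholders; only the three scores the post states are applied.

```python
import re

# Rules from the post. Per-country scores other than RELAY_NG are not given
# there, so only the three scores the post states are applied.
COUNTRY_RULES = {f"RELAY_{cc}": cc for cc in
                 ("GH", "NG", "BJ", "BF", "MZ", "ZA", "CI", "SN", "MU", "IT", "DE")}
AFRICA_RULES = ("RELAY_GH", "RELAY_NG", "RELAY_BJ", "RELAY_BF", "RELAY_MZ",
                "RELAY_ZA", "RELAY_CI", "RELAY_SN", "RELAY_MU")
SCORES = {"RELAY_NG": 2.0, "RELAY_EU_AF": 1.5, "AE_AF_FRAUD": 2.0}

# Constructed stand-in for the IP::Country::Fast database (not real GeoIP
# data); the NG mapping for the injection IP is an assumption.
GEO = {"41.206.11.5": "NG", "198.51.100.7": "IT", "198.51.100.8": "IT"}


def relay_countries(hops):
    """Build X-Relay-Countries like RelayCountry.pm: one code per untrusted
    relay, '**' when the lookup fails (e.g. a stale database)."""
    return " ".join(GEO.get(ip, "**") for ip in hops)


def evaluate(header_value, lots_of_money=False):
    """Return the names of the rules that fire, mirroring the header and
    meta rules; LOTS_OF_MONEY is passed in as a flag."""
    hits = {name: bool(re.search(rf"\b{cc}\b", header_value))
            for name, cc in COUNTRY_RULES.items()}
    hits["__RELAY_AF"] = any(hits[r] for r in AFRICA_RULES)
    hits["RELAY_EU_AF"] = (hits["RELAY_IT"] or hits["RELAY_DE"]) and hits["__RELAY_AF"]
    hits["AE_AF_FRAUD"] = lots_of_money and hits["__RELAY_AF"]
    return sorted(n for n, v in hits.items() if v)


def total_score(hits):
    return sum(SCORES.get(n, 0.0) for n in hits)


# Constructed hop list for the message in the post: the SquirrelMail
# injection IP is followed by the Italian relays; the two middle hops are
# absent from GEO so they show as '**', as in the post's debug output.
KEPT = ["41.206.11.5", "198.51.100.7", "192.0.2.1", "192.0.2.2", "198.51.100.8"]
DROPPED = KEPT[1:]  # 3.3.2 ignores the webmail injection hop

if __name__ == "__main__":
    for label, hops in (("3.3.2 (webmail hop dropped)", DROPPED),
                        ("webmail hop kept", KEPT)):
        hdr = relay_countries(hops)
        hits = evaluate(hdr, lots_of_money=True)
        print(f"{label}: X-Relay-Countries: {hdr} -> {hits} score {total_score(hits)}")
```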