On 26.03.2016 at 04:43, David B Funk wrote:
On Sat, 26 Mar 2016, Reindl Harald wrote:

On 26.03.2016 at 04:21, Reindl Harald wrote:
On 26.03.2016 at 03:54, David B Funk wrote:
On Sat, 26 Mar 2016, Reindl Harald wrote:

BODY_URI_ONLY Message body is only a URI in one line of text

how can that hit the (anonymized) mail below?
___________________________

Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<h2>****** =C3=9Cbermittlung: **** in ***=
***</h2><table><tr><td>From:</td><td>*** **<somebody@example=
.com></td></tr><tr><td>=C3=9Cberpr=C3=BCfen Sie bitte den Artikel
unter f=
olgender URL:</td><td><a href=3D"http://example.com/administra=
tor/index.php?option=3Dcom_k2&view=3Ditem&cid=3D1832">Artikel
=C3=BCberpr=
=C3=BCfen</a></td></tr><table class=3D"admintable"
id=3D"extraFields"><tr=
<td align=3D"left" class=3D"key">****</td><td></td></tr><tr><td a=
lign=3D"left" class=3D"key">****</td><td>Array  </td></tr><tr><td ali=
gn=3D"left" class=3D"key">***</td><td></td></tr></table>

Because that is one long line that has been broken up for shipment using
QP encoding (those '=' at the end of each part). Before doing body
checks SA decodes all MIME text components (EG Base64, QP, etc).

So as far as the SA body rules are concerned that -is- only one line

* it is *not* an URI only
* with that logic *any* message with a link would hit that rule
* the message has a headline and a table

hit that rule is plain wrong

stats of the whole month:

110 hits total
108 clear ham hits (BAYES_00)
1 false positive - the mail above - and flagged because of that
1 spam hit with 17 points, so it did not matter

1.0 points is way too much for a rule which hits practically only ham

At our site that rule has a S/O ratio of 0.9714 (in one month spam=1564, ham=46)
which easily warrants a 1.0 point score. It doesn't hit a lot of messages
(rank score of 245 for spam, 509 for ham) but mostly hits spam

the only idea for that difference is that you pass way more easily on MTA level catchable spam to SA - the stats for the past 5 months are very similar to the numbers above

anyways, hit that rule on a message with a HTML-headline *and* a HTML table is plain wrong without any but or if
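The quoted-printable point raised in the thread (soft line breaks vanish on decoding, so several transported lines become one body line) can be checked with the short script below. It is an added example, not part of any message in the thread and not SpamAssassin's code or rule logic; it uses Python's `quopri` and `html.parser`, and the sample body and the names `RAW_QP`, `Collector` and `analyse` are constructed for illustration.

```python
import quopri
from html.parser import HTMLParser

# Constructed sample (not the mail from the thread): a single HTML line that
# the sender folded with quoted-printable soft line breaks ("=" at end of line).
RAW_QP = (
    b"<h2>=C3=9Cbermittlung</h2><table><tr><td>From:</td><td>somebody</td></tr><t=\r\n"
    b'r><td>URL:</td><td><a href=3D"http://example.com/index.php?option=3Dcom_=\r\n'
    b"k2\">Artikel</a></td></tr></table>\r\n"
)


class Collector(HTMLParser):
    """Collects visible text nodes and link targets from decoded HTML."""

    def __init__(self):
        super().__init__()
        self.texts, self.hrefs = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        if data.strip():
            self.texts.append(data.strip())


def analyse(raw_qp: bytes) -> dict:
    physical = raw_qp.splitlines()
    # A trailing "=" is a soft break: it is removed on decode, joining the lines.
    soft_breaks = sum(1 for line in physical if line.endswith(b"="))
    decoded = quopri.decodestring(raw_qp).decode("utf-8")
    collector = Collector()
    collector.feed(decoded)
    collector.close()
    return {
        "physical_lines": len(physical),
        "soft_breaks": soft_breaks,
        "decoded_lines": len(decoded.splitlines()),
        "texts": collector.texts,
        "hrefs": collector.hrefs,
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_QP).items():
        print(f"{key}: {value}")
```

Running it shows three transported lines collapsing to one decoded line that still carries a heading, table cell text and one link, which is the input a body rule sees after MIME decoding.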

