On Thu, 8 Sep 2016, John Hardin wrote:
>Yes. Given that ID on the first line the corpus owner can find the message 
>in question, review it, potentially fix misclassifications (that has 
>happened before), etc.

Shiny - that sounds perfect! :)

>There's one more exclusion I can add that will take out the last
>of the FPs in masscheck.

Thanks John!

Sadly, I have more FP data for you. :(
This week, two semi-well-known companies decided to join the
Embedded Data Hall of Shame:

"Overstock.com" (overstock.com)
831,744 bytes
X-Spam-Status: No, score=-3.2 required=5.1 tests=DKIM_SIGNED, DKIM_VALID, 
DKIM_VALID_AU, HTML_IMAGE_RATIO_02, HTML_MESSAGE, MIME_HTML_ONLY, 
RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_SAFE

"Dave & Buster's" (daveandbusters.com)
806,962 bytes
X-Spam-Status: No, score=1.8 required=5.1 tests=DKIM_SIGNED, DKIM_VALID, 
DKIM_VALID_AU, HTML_IMAGE_RATIO_02, HTML_MESSAGE, MIME_HTML_ONLY, 
RCVD_IN_DNSWL_NONE

Sadly, both hit on my test for:
        href='data:
So the score for that should definitely be capped.
Fortunately, all these are otherwise scoring quite low.

Here's one specific example (just a single very long line from
one corpse):
  background-image: url("data:image/svg+xml;charset=utf8,%3Csvg width='104px' 
height='82px' viewBox='0 0 104 82' version='1.1' 
xmlns='http://www.w3.org/2000/svg' 
xmlns:xlink='http://www.w3.org/1999/xlink'%3E%3C!-- Generator: Sketch 3.6.1 
(26313) - http://www.bohemiancoding.com/sketch 
--%3E%3Ctitle%3Ediamond%3C/title%3E%3Cdesc%3ECreated with 
Sketch.%3C/desc%3E%3Cdefs%3E%3C/defs%3E%3Cg id='Current' stroke='none' 
stroke-width='1' fill='none' fill-rule='evenodd'%3E%3Cg 
id='Settings-Not-Supported-Grammarly-2' transform='translate(-241.000000, 
-183.000000)'%3E%3Cg id='4-copy-4' transform='translate(45.000000, 
41.000000)'%3E%3Cg id='The-Settings' transform='translate(75.000000, 
63.000000)'%3E%3Cg id='Not-Suported' transform='translate(1.000000, 
56.000000)'%3E%3Cg id='Google-Docs' transform='translate(34.000000, 
0.000000)'%3E%3Cg id='diamond' transform='translate(75.000000, 
0.000000)'%3E%3Cimage id='Image-1' x='0' y='0.0800019' width='127.919997' 
height='127.919997' xlink:href='data:image/png;base64,iVBORw0KGgoAAAANS
Which was in a huge (700+ Kb) set of Style blocks. :(
I'll send you both corpses, tonight, if you're interested.

I took a closer look at the "ClubNorton" monstrosity and it also
hit that test, and has many other similarities, so this appears
to be a new email "authoring" app. :(

For completeness, "ClubNorton" was:
812,383 bytes
X-Spam-Status: No, score=1.0 required=5.1 tests=DKIM_SIGNED, DKIM_VALID, 
DKIM_VALID_AU, HTML_MESSAGE, MIME_HTML_ONLY, RCVD_IN_DNSWL_NONE, 
RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL

That puts the inventors of the Hamster Cannon in the lead, in
terms of size and pandering to safe-listing "services". :(

I asked the recipient/survivor of the new duo to forward them to
his own account and tell me how they render in Outlook, and he
kindly sent me a screenshot, mostly to show an alert that Outlook
added:
"If there are problems with how this message is displayed, click here to view 
it in a web browser."

Purely IM(subjective)O, that sounds like even Outlook was a bit
disgruntled with it.
        - "Chip"
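
An added illustration (not part of the original message, and not SpamAssassin rule code): a Python example of why a raw match on `href='data:` fires on the embedded-SVG stylesheet quoted above, next to a narrower check that only inspects the `href` of `<a>`/`<area>` tags. The narrower check, the function names and both sample messages are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Raw-text test as described in the message: href='data: anywhere in the HTML.
NAIVE = re.compile(r"""href\s*=\s*['"]data:""", re.I)

class LinkDataURIs(HTMLParser):
    """Collect data: URIs that are the target of a clickable link.

    HTMLParser treats <style> content as raw text, so an xlink:href buried
    in a CSS url("data:image/svg+xml,...") value never reaches this handler.
    """
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        for name, value in attrs:
            if name == "href" and value and value.strip().lower().startswith("data:"):
                self.hits.append(value.strip())

def naive_hit(html):
    return bool(NAIVE.search(html))

def link_hits(html):
    parser = LinkDataURIs()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed sample 1: newsletter-style mail with an SVG data URI in a style
# block that itself embeds a PNG through xlink:href (shape of the quoted line).
NEWSLETTER = (
    "<html><head><style>.logo { background-image: "
    "url(\"data:image/svg+xml;charset=utf8,%3Csvg xmlns='http://www.w3.org/2000/svg'"
    "%3E%3Cimage xlink:href='data:image/png;base64,AAAA'/%3E%3C/svg%3E\"); }"
    "</style></head><body><a href=\"https://example.com/sale\">Sale</a></body></html>"
)
# Constructed sample 2: a link whose target is itself a data: URI.
LINK = "<html><body><a href='data:text/html;base64,AAAA'>Open</a></body></html>"

if __name__ == "__main__":
    for label, msg in (("newsletter", NEWSLETTER), ("link", LINK)):
        print(label, "naive:", naive_hit(msg), "link hrefs:", link_hits(msg))
```
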
