jmclusky

Legit PayPal mail caught by SA rules


Hi,

I was rather surprised today to find an email from PayPal blocked by SA (score was 8).

The specific tests triggered were:

FROM_ENDS_IN_NUMS,LINES_OF_YELLING,MAILTO_TO_SPAM_ADDR,MONEY_BACK,NIGERIAN_BODY1,NO_REAL_NAME

I've put a mildly munged (to protect my customer's identity!) version of the email up here (4kb).

The FROM_ENDS_IN_NUMS and MAILTO_TO_SPAM_ADDR tests are unfortunate because the customer's email address was in the form name2000[at]example.com. Such mails will never have a display name as well as the email address.

Is there anything that can be done to tune SA rules to avoid this happening again?

Thanks,

John.


Stepping into ground of things I don't use, but from what you've posted, I'd have to suggest that the SpamAssassin Forums might be the needed place to go. The "NIGERIAN_BODY1" strikes me as a bit of a reach, but then again, there've been so many Paypal phishes .... The rest of the 'rules' met seem to be based on the unfortunate ways that spammers work ... From what I can see, there's really no way to get around needing to whitelist the sender .... but again, pointing out that I'm only going with the knowledge of your description and the evidence you provided ....

Unfortunately, whitelisting won't really help here - I only get one such mail on behalf of each customer (further contact is direct, rather than via PayPal's payment systems).

As I see it, this was an unfortunate combination of the following:

  • Customer's email address ending with numbers (useful when avoiding dictionary attacks, though!)
  • The words 'Money Back Guarantee' in the mail. Perfectly legitimate in context, though!
  • PayPal's (quite justified) 'PROTECT YOUR PASSWORD' line

Not quite sure how the mail could have looked like a Nigerian scam, but I don't know quite how the rule is defined.

I always take great care with my held mail - anything that looks remotely non-spammy I'll preview to make sure. But I'm still surprised that this mail would get a SA score of 8. I'll perhaps swing by the SA forums and see what they think. Perhaps SA could do with a 'GENUINE_PAYPAL' test with a negative score ;-)


Yeah, that's what I'm thinking also .. SA has 'never' seen a 'good' e-mail connected to/with PayPal ... all the focus on training usually goes towards catching the bad, not really on how to 'always' recognise the 'good' ... and at the ISP level, that'd have to be a bear ... even coming up with enough 'good' Paypal e-mail to try to train ...


My guess at what many of the SA people would say is that they would rely on Bayesian scoring to apply a negative number to the email so it gets a resulting score below 5.

PeterJ
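As an added example (not from this thread, and not SpamAssassin's own documentation), here is what the tuning discussed above looks like in a local.cf, covering both the "whitelist the sender" suggestion and the Bayesian route PeterJ mentions. The rule names are the six listed in the original post; the numeric scores, the paypal.com relay domain, and the choice of directives are assumptions, not SA defaults. The caveat a practitioner would want: a plain whitelist_from entry is keyed on the From: header, which is exactly what a PayPal phish forges, so it would whitelist the phish as readily as the real notification. Tie the entry to the delivering relay (whitelist_from_rcvd) or to a DKIM signature instead.

```conf
# local.cf fragment -- added example, not from the thread.
# Rule names are those from the original post; scores are illustrative.

# 1. Sender whitelisting.
# Do NOT do this: whitelist_from matches only the From: address, which a
# phish forges freely, so it would whitelist the phishing mail too.
#whitelist_from *@paypal.com

# Safer: require the last untrusted relay's reverse DNS to end in the
# named domain as well.  This depends on trusted_networks being set
# correctly so that "last untrusted relay" is really PayPal's server.
whitelist_from_rcvd *@paypal.com paypal.com

# Stronger still on builds with DKIM support: the entry only fires when
# the message carries a valid signature for that domain.
#whitelist_from_dkim *@paypal.com

# 2. Soften the context-dependent rules rather than switching them off
#    (a score of 0 disables a rule entirely).  Values are assumptions.
score FROM_ENDS_IN_NUMS   0.1
score MAILTO_TO_SPAM_ADDR 0.1
score NO_REAL_NAME        0.1
score MONEY_BACK          0.5
score LINES_OF_YELLING    0.5
# NIGERIAN_BODY1 is left at its default on purpose: it is the one rule here
# that also fires on real 419 mail, and the thread does not know why it hit.

# 3. Let Bayes supply the negative score PeterJ describes.  It only helps
#    once it has seen enough genuine PayPal mail, so feed it the held
#    notifications with:  sa-learn --ham <held-paypal-mail>
use_bayes        1
bayes_auto_learn 1
```

Newer SpamAssassin releases name these directives welcomelist_from_rcvd and welcomelist_from_dkim; the whitelist_* spellings remain accepted as aliases. With the score overrides shown, the six rules alone would no longer reach the default 5.0 threshold, but the relay-bound whitelist is what actually addresses the complaint, since it fires regardless of which body rules the next notification happens to match.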
