
Legit PayPal mail caught by SA rules



Hi,

I was rather surprised today to find an email from PayPal blocked by SA (score was 8).

The specific tests triggered were:

FROM_ENDS_IN_NUMS,LINES_OF_YELLING,MAILTO_TO_SPAM_ADDR,MONEY_BACK,NIGERIAN_BODY1,NO_REAL_NAME

I've put a mildly munged (to protect my customer's identity!) version of the email up here (4kb).

The FROM_ENDS_IN_NUMS and MAILTO_TO_SPAM_ADDR tests are unfortunate because the customer's email address was in the form name2000[at]example.com. Such mails will never have a display name as well as the email address.

Is there anything that can be done to tune SA rules to avoid this happening again?

Thanks,

John.


Stepping into ground of things I don't use, but from what you've posted, I'd have to suggest that the SpamAssassin Forums might be the needed place to go. The "NIGERIAN_BODY1" strikes me as a bit of a reach, but then again, there've been so many PayPal phishes .... The rest of the 'rules' met seem to be based on the unfortunate ways that spammers work ... From what I can see, there's really no way to get around needing to whitelist the sender .... but again, pointing out that I'm only going with the knowledge of your description and the evidence you provided ....


Unfortunately, whitelisting won't really help here - I only get one such mail on behalf of each customer (further contact is direct, rather than via PayPal's payment systems).

As I see it, this was an unfortunate combination of the following:

  • Customer's email address ending with numbers (useful when avoiding dictionary attacks, though!)
  • The words 'Money Back Guarantee' in the mail. Perfectly legitimate in context, though!
  • PayPal's (quite justified) 'PROTECT YOUR PASSWORD' line

Not quite sure how the mail could have looked like a Nigerian Scam, but I don't know quite how the rule is defined.

I always take great care with my held mail - anything that looks remotely non-spammy I'll preview to make sure. But I'm still surprised that this mail would get a SA score of 8. I'll perhaps swing by the SA forums and see what they think. Perhaps SA could do with a 'GENUINE_PAYPAL' test with a negative score ;-)


Yeah, that's what I'm thinking also .. SA has 'never' seen a 'good' e-mail connected to/with PayPal ... all the focus on training usually goes towards catching the bad, not really on how to 'always' recognise the 'good' ... and at the ISP level, that'd have to be a bear ... even coming up with enough 'good' PayPal e-mail to try to train ...


Archived

This topic is now archived and is closed to further replies.
