Philip Prindeville wrote:
> Karsten Bräckelmann wrote:
>> Please, do not paste a gigantic blob of multipart MIME messages. Put it
>> up somewhere, raw, and simply provide a link.
>>
>> On Sat, 2008-02-16 at 18:44 -0800, Philip Prindeville wrote:
>>
>>> Anyway, I have no idea why I'm seeing some of these scores. URL
>>> matches when there aren't even URLs in my message?
>>
>> There are. Self-inflicted. The ones in square brackets with the leading
>> 550 code, which you seem to keep sending back and forth.
>
> And just *mentioning* the domain name, without any sort of valid URL
> (ftp: or http: or anything of the sort) is going to match it as a
> URL? That's highly bogus.
>
> A domain name alone does not a URL make.

You tell that to most windows-based clients, which will automatically
make clickable URLs out of things like www.google.com in text sections.

>
>> Oh, and DNS_FROM_OPENWHOIS probably is http://open-whois.org/, which
>> gives you a hint about what it actually is. The hit itself pretty much
>> mentions this...
>
> Yeah, I read this. And I don't get that either.
>
> How does having your domain be anonymous (for whatever reason... maybe
> you're a small company operating below the radar) make your email any
> more likely to be spam????

Decidedly so. The people with the strongest reason to hide their contact
information are the spammers, and other shady businesses.

That's not to say there aren't some legitimate folks that use this
kind of anonymization. However, the "domains by proxy" model is a
questionable practice, as it violates the spirit of the whois
requirements. Also, many of them violate the letter of the requirements,
such as the phone issue noted on the open-whois main page. (i.e., anyone
registered using securewhois is not correctly registered, per ICANN
requirements for whois)

>
>>> TVD_STOCK1? There's no mention of stock anywhere in the message.

Not sure, you might want to try running it with debugging on.
The debug message from the code would be:

dbg("eval: stock info hit: $1");

That should tell you what exact substring matched the stock info code.

>> From a quick glimpse of the code, it appears to identify common words
>> used in stock (as in stock exchange, pump-n-dump penny stocks) spam. It
>> does not search for the word "stock". Just as pretty much no rule in SA
>> ever searches for single words only...
>
> Again, I didn't see anything that should legitimately be causing this
> rule to fire, and certainly not with such a high score for such an
> unreliable rule.

>
>>> Why am I seeing all of these bogus matches?
>>
>> From what I can tell, and what you sent us, they don't appear to be
>> bogus.
>
> Depends on whether you equate bare domains with URLs, I suppose.

If MUAs equate them with URLs, spammers will use this, and SpamAssassin
will use it.

>
>>> I looked on the wiki for some of these, but couldn't find descriptions.
>>>
>>> What should I do? Just block their domain? I don't want to deal with
>>> their misconfiguration issues.
>>
>> Apparently you already exchanged messages? Try not sending the offensive
>> mail in question. Put it up somewhere as reference, if need be. Hmm,
>> sounds familiar...
>>
>> guenther
>
> No, I sent them back the offending email, initially. Which they
> marked as spam (bloody brilliant, of course it's spam, otherwise I
> wouldn't be bothering to report it.... what else do they expect to
> come to their "Abuse" mailbox, anyway???).
>
> So I sent back the SA scores back to them, and that's the part that I
> pasted previously.
>
> How do you report Spam to such a site that's going to block your Spam
> reports for being... well, Spam!

Well, it's stupid, and probably an RFC violation to perform such
filtering on your abuse box. So, I'm not saying the domain in question
isn't behaving foolishly. You might want to point this out to them, and
suggest they whitelist their abuse address. At the very least, ask them
if they have an alternate reporting address that isn't filtered.
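The point made above about bare domains, as an added illustration that is not code from the thread or from SpamAssassin itself: a plain-text rejection notice contains no scheme-qualified URL, yet a linkifying mail client (and a filter that extracts URIs the same way) still finds host names in it. The sample text and all host names below are constructed for the example; the two-label "registrable domain" collapse is a deliberate simplification of what a domain-keyed URI blocklist lookup keys on.

```python
import re

# Constructed sample text, not taken from the thread: a rejection notice of
# the kind a user might paste into a spam report, plus a couple of decoys.
# All host names are hypothetical (reserved example.* names).
SAMPLE_TEXT = """Your message to the abuse desk was rejected:
[550 5.7.1 Rejected by mx1.example.net: sender listed at dnsbl.example.org]
Contact abuse@example.net by phone, or see www.example.com for details.
Version 2.0.1 was released, see changelog."""

# Only scheme-qualified URLs: what the poster expects "URL" to mean.
SCHEME_URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s<>"\]]+', re.IGNORECASE)

# Bare host names, the way a linkifying mail client (and a URI-extracting
# filter) sees them: one or more labels, then an alphabetic last label of
# at least two letters. The look-behind rejects the domain part of an
# e-mail address and fragments that start mid-word or mid-path; version
# numbers such as 2.0.1 fail the alphabetic last-label requirement.
BARE_HOST_RE = re.compile(
    r'(?<![\w@/.-])'                            # not inside an address/path/word
    r'((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+'  # labels, each followed by a dot
    r'[a-z]{2,})'                               # alphabetic top-level label
    r'(?![\w-])',                               # do not stop mid-label
    re.IGNORECASE,
)


def scheme_urls(text):
    """URLs with an explicit scheme (http://, https://, ftp://)."""
    return SCHEME_URL_RE.findall(text)


def bare_hosts(text):
    """Host names mentioned without any scheme, in order of appearance."""
    return [m.group(1) for m in BARE_HOST_RE.finditer(text)]


def registrable_domains(hosts):
    """Collapse each host to its last two labels, roughly the key a URI
    blocklist lookup is made on. Assumption for this example: a real
    implementation consults the public suffix list instead."""
    seen = []
    for host in hosts:
        domain = ".".join(host.lower().split(".")[-2:])
        if domain not in seen:
            seen.append(domain)
    return seen


if __name__ == "__main__":
    print("scheme URLs:", scheme_urls(SAMPLE_TEXT))
    print("bare hosts:", bare_hosts(SAMPLE_TEXT))
    print("domains looked up:", registrable_domains(bare_hosts(SAMPLE_TEXT)))
```

On the sample text `scheme_urls()` returns nothing while `bare_hosts()` returns three hosts, which is exactly the "URL match without a URL" the poster saw: every domain quoted from the bounce becomes a lookup candidate, so pasting a rejection notice back and forth keeps re-triggering those rules. Putting the raw message up somewhere and sending a link avoids the self-inflicted hits. For the stock-word rule, the `dbg()` call quoted above writes to the `eval` debug channel, so `spamassassin -D eval -t < message.eml` shows the exact substring that matched.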