Bug 274 - rule FRIEND_AT_PUBLIC too broad
Status: RESOLVED FIXED
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules
Version: 2.20
Hardware: All Linux
Importance: P2 normal
Target Milestone: 2.60
Assignee: Daniel Quinlan
Reported: 2002-05-03 06:21 UTC by Simon Weatherill
Modified: 2003-06-03 06:04 UTC
Description Simon Weatherill 2002-05-03 06:21:18 UTC
In 20_head_tests.cf, the rule

header FRIEND_AT_PUBLIC To =~ /(yourdomain|you|your|public).(com|org|net)/i

catches more than it should (it caught x@HSBCRepublic.COM). The match should be 
more like:

/[\.@](yourdomain|you|your|public)\.(com|org|net)/i
Comment 1 Craig Hughes 2002-06-10 01:22:44 UTC
I'm going to leave it as is -- it's not scoring super high...
Comment 2 Aaron Hopkins 2003-05-30 01:54:15 UTC
In spamassassin 2.50 - 2.55, all mail to the owner of the domain
"hamsterrepublic.com" (one of my users) gets 2.9 points added due to the
FRIEND_AT_PUBLIC test, which is enough to push a lot of legit mail over the
threshold.

Obviously not a big deal for mail to just him, as disabling the test is easy. 
The problem is that it catches all mail for other users on other systems where
he's listed as one of the "To:"s.

As of July 2002 (the last data I have access to), the
"(?:yourdomain|you|your|public)\.(?:com|org|net)/i" regexp matches 37025 active
com/net/org domains.  Is this intentional?
Comment 3 Daniel Quinlan 2003-05-30 02:22:48 UTC
For future reference: it's better to open new bugs than comment on ancient
bugs that have been closed.
Comment 4 Daniel Quinlan 2003-05-30 02:23:27 UTC
reassigning and testing a fix in CVS now
Comment 5 Daniel Quinlan 2003-05-30 02:26:49 UTC
Subject: Re: [SAdev]  rule FRIEND_AT_PUBLIC too broad

> As of July 2002 (the last data I have access to), the
> "(?:yourdomain|you|your|public)\.(?:com|org|net)/i" regexp matches
> 37025 active com/net/org domains.  Is this intentional?

Well, yes.  How many of those 37025 are just parked or are currently
registered by squatters?  How many are used for email?

Anyway, try:

/(?:yourdomain|you|your|(?<!re)public)\.(?:com|org|net)/i

Comment 6 Daniel Quinlan 2003-06-03 14:04:38 UTC
fixed in 2.60-cvs
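
Added example (not part of the original bug thread or of SpamAssassin's code): the three patterns quoted in this thread, run through Python's re module, which accepts them unchanged, against constructed To: addresses. Which addresses count as intended hits is an assumption; only the two "republic" domains come from the thread.

```python
import re

# Patterns copied from the thread; Perl's /i becomes re.IGNORECASE.
RULES = {
    "original": r"(yourdomain|you|your|public).(com|org|net)",
    "description_proposal": r"[\.@](yourdomain|you|your|public)\.(com|org|net)",
    "comment5_fix": r"(?:yourdomain|you|your|(?<!re)public)\.(?:com|org|net)",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

# Constructed To: addresses. Only the two "republic" domains come from the
# thread; the rest are made up. The boolean marks whether the address is a
# placeholder the rule is presumably meant to catch (an assumption).
SAMPLES = [
    ("friend@public.com", True),
    ("friend@yourdomain.com", True),
    ("x@HSBCRepublic.COM", False),
    ("owner@hamsterrepublic.com", False),
    ("bob@thankyou.com", False),           # ends in "you.com"
    ("amy@yourcommunity.example", False),  # "you" + any char + "com"
]


def hits(rule, address):
    """True if the rule's regex matches anywhere in the address."""
    return COMPILED[rule].search(address) is not None


def false_positives(rule):
    """Addresses the rule flags although they are not placeholders."""
    return [a for a, intended in SAMPLES if not intended and hits(rule, a)]


def missed(rule):
    """Placeholder addresses the rule fails to flag."""
    return [a for a, intended in SAMPLES if intended and not hits(rule, a)]


if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule:22} false positives: {false_positives(rule)}")
        print(f"{'':22} missed: {missed(rule)}")
```

The comment 5 pattern clears both "republic" domains but, being unanchored on the left, still matches any domain that merely ends in "you.com"; the pattern proposed in the description requires "@" or "." immediately before the keyword and flags none of the non-placeholder samples.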