MISSING_SUBJECT

Micah Anderson-2


I had a message marked with:

2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
Subject:

It did not have a subject, but it did have content (although only
encrypted).... it also hit:

*  1.8 MISSING_SUBJECT Missing Subject: header

which makes sense, because the mail did not have one, but have you
looked in your Spam folder lately? All spam has a subject, pretty much
always.... an informal survey of my trash heap showed 4 messages out of
400 did not have a Subject, and two of them were repeats.

--
        micah

Re: MISSING_SUBJECT

Micah Anderson-2
Reindl Harald <[hidden email]> writes:

> Am 13.06.2018 um 01:37 schrieb micah anderson:
>> I had a message marked with:
>>
>> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>> Subject:
>>
>> It did not have a subject, but it did have content (although only
>> encrypted).... it also hit:
>>
>> *  1.8 MISSING_SUBJECT Missing Subject: header
>>
>> which makes sense, because the mail did not have one, but have you
>> looked in your Spam folder lately? All spam has a subject, pretty much
>> always....
>
> no - there is ton of junk without a subject and sometimes even floods
> with no subject and no body at all

I believe you, however the message was not empty, it had encrypted
contents (and in fact was scored -1 because of that).

Re: MISSING_SUBJECT

Matus UHLAR - fantomas
In reply to this post by Micah Anderson-2
On 12.06.18 19:37, micah anderson wrote:

>2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>Subject:
>
>It did not have a subject, but it did have content (although only
>encrypted).... it also hit:
>
>*  1.8 MISSING_SUBJECT Missing Subject: header
>
>which makes sense, because the mail did not have one, but have you
>looked in your Spam folder lately? All spam has a subject, pretty much
>always.... an informal survey of my trash heap showed 4 messages out of
>400 did not have a Subject, and two of them were repeats.

and what is your point?

MISSING_SUBJECT is here because when a message has no Subject:, it is highly
probably spam.

it's useless to count how many spams hit the rule. there are many rules
which hit only a small percentage of spam, but all of them hit most of spam.

what is important is:

- how much of the mail hitting MISSING_SUBJECT is spam
- how much of the mail hitting MISSING_SUBJECT is ham.

if the percentage is very different in these two cases, the rule gets a high
positive (or negative) score.

Some scores are tuned for safety reasons.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

Re: MISSING_SUBJECT

Micah Anderson-2
Matus UHLAR - fantomas <[hidden email]> writes:

> On 12.06.18 19:37, micah anderson wrote:
>>2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>>Subject:
>>
>>It did not have a subject, but it did have content (although only
>>encrypted).... it also hit:
>>
>>*  1.8 MISSING_SUBJECT Missing Subject: header
>>
>>which makes sense, because the mail did not have one, but have you
>>looked in your Spam folder lately? All spam has a subject, pretty much
>>always.... an informal survey of my trash heap showed 4 messages out of
>>400 did not have a Subject, and two of them were repeats.
>
> and what is your point?

The point is EMPTY_MESSAGE scores even though it did have content. But I
guess the point is that it had no 'text' parts, because the content was
only pgp/mime?

--
        micah

Re: MISSING_SUBJECT

Rupert Gallagher
In reply to this post by Matus UHLAR - fantomas

On Wed, Jun 13, 2018 at 10:38, Matus UHLAR - fantomas <[hidden email]> wrote:

> MISSING_SUBJECT is here because when message has no Subject:, it is highly probably spam.

Right. Well, my new accountant, being an external company of 16 people, insists on sending messages without a subject, "because we always did, and you are the only one complaining". These are the same people who cannot bother reading the bounced message that says "your e-mail was rejected because it does not contain a subject" and, when interrogated, they respond that "the e-mail was rejected". This reminds me of a common practice in both UK and CH where people anticipate by phone call that an e-mail is coming and then they call again to make sure it arrived, with some wanting a subject line that says "From <me> to <you>: <object>". The take-away is: if you manage a company, make sure your employees know their ABCs, and if you are a company, insist on best practices with both your clients and providers. To close, I think we need standard leaflets to pass around stubborn employees.

Re: MISSING_SUBJECT

Matus UHLAR - fantomas
In reply to this post by Micah Anderson-2
>> On 12.06.18 19:37, micah anderson wrote:
>>>2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>>>Subject:
>>>
>>>It did not have a subject, but it did have content (although only
>>>encrypted).... it also hit:
>>>
>>>*  1.8 MISSING_SUBJECT Missing Subject: header
>>>
>>>which makes sense, because the mail did not have one, but have you
>>>looked in your Spam folder lately? All spam has a subject, pretty much
>>>always.... an informal survey of my trash heap showed 4 messages out of
>>>400 did not have a Subject, and two of them were repeats.

>Matus UHLAR - fantomas <[hidden email]> writes:
>> and what is your point?

On 13.06.18 07:55, micah anderson wrote:
>The point is EMPTY_MESSAGE scores even though it did have content.

so, why did you complain about subjects?

> But I guess the point is that it had no 'text' parts, because the content
>was only pgp/mime?

Most probably yes. spamassassin -D would show us.

The MISSING_SUBJECT and EMPTY_MESSAGE are kind of redundant, since they both
catch empty mail.

meta MISSING_SUBJECT           !__HAS_SUBJECT
header __HAS_SUBJECT            exists:Subject

meta EMPTY_MESSAGE      !__MIME_ATTACHMENT && !__NONEMPTY_BODY
body __NONEMPTY_BODY    /\S/

note that body rules check subject too.

I can guess that the mail did NOT include an attachment since it was purely
PGP-encrypted mail.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

Re: MISSING_SUBJECT

John Hardin
In reply to this post by Micah Anderson-2
On Tue, 12 Jun 2018, micah anderson wrote:

> I had a message marked with:
>
> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
> Subject:
>
> It did not have a subject, but it did have content (although only
> encrypted)....

It may not be considering an encrypted message part to be a text body
part. What was the MIME type of that part?


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   As a Turkish general once remarked, the trouble with having the
   Americans as friends is that you can never be sure when they will
   turn around and stab themselves in the back.       -- Bernard Lewis
-----------------------------------------------------------------------
  5 days until SWMBO's Birthday

Re: MISSING_SUBJECT

John Hardin
In reply to this post by Matus UHLAR - fantomas
On Wed, 13 Jun 2018, Matus UHLAR - fantomas wrote:

> On 12.06.18 19:37, micah anderson wrote:
>> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>> Subject:
>>
>> It did not have a subject, but it did have content (although only
>> encrypted).... it also hit:
>>
>> *  1.8 MISSING_SUBJECT Missing Subject: header
>>
>> which makes sense, because the mail did not have one, but have you
>> looked in your Spam folder lately? All spam has a subject, pretty much
>> always.... an informal survey of my trash heap showed 4 messages out of
>> 400 did not have a Subject, and two of them were repeats.
>
> and what is your point?
>
> MISSING_SUBJECT is here because when message has no Subject:, it is highly
> probably spam.
>
> it's useless to count how many of spams hit the rule. there are many rules
> who hit only small percentage of spam, but all of them hit most of spam.
>
> what is important is:
>
> - how much of mails hitting MISSING_SUBJECT is spam
> - how much of mails hitting MISSING_SUBJECT is ham.
>
> if the percentage is very different in these two cases, the rule gets high
> positive (or negative) score.

S/O = .826

http://ruleqa.spamassassin.org/20180613-r1833448-n/MISSING_SUBJECT/detail

--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   As a Turkish general once remarked, the trouble with having the
   Americans as friends is that you can never be sure when they will
   turn around and stab themselves in the back.       -- Bernard Lewis
-----------------------------------------------------------------------
  5 days until SWMBO's Birthday

Re: MISSING_SUBJECT

Micah Anderson-2
In reply to this post by John Hardin
John Hardin <[hidden email]> writes:

> On Tue, 12 Jun 2018, micah anderson wrote:
>
>> I had a message marked with:
>>
>> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>> Subject:
>>
>> It did not have a subject, but it did have content (although only
>> encrypted)....
>
> It may not be considering an encrypted message part to be a text body
> part. What was the MIME type of that part?

pgp/mime

--
        micah

Re: MISSING_SUBJECT

Matus UHLAR - fantomas
>> On Tue, 12 Jun 2018, micah anderson wrote:
>>
>>> I had a message marked with:
>>>
>>> 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>>> Subject:
>>>
>>> It did not have a subject, but it did have content (although only
>>> encrypted)....

>John Hardin <[hidden email]> writes:
>> It may not be considering an encrypted message part to be a text body
>> part. What was the MIME type of that part?

On 14.06.18 12:17, micah anderson wrote:
>pgp/mime

and wat is an attachment or just the e-mail came with mime type pgp/mime;2~?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors

Re: MISSING_SUBJECT

Matus UHLAR - fantomas
On 15.06.18 09:04, Matus UHLAR - fantomas wrote:

>>>On Tue, 12 Jun 2018, micah anderson wrote:
>>>
>>>>I had a message marked with:
>>>>
>>>>2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>>>>Subject:
>>>>
>>>>It did not have a subject, but it did have content (although only
>>>>encrypted)....
>
>>John Hardin <[hidden email]> writes:
>>>It may not be considering an encrypted message part to be a text body
>>>part. What was the MIME type of that part?
>
>On 14.06.18 12:17, micah anderson wrote:
>>pgp/mime

>and wat is an attachment or just the e-mail came with mime type pgp/mime;2~?

OK, again:
was it an attachment or just the e-mail came with mime-type PGP/mime ?

please show us headers of that message (pastebin for example)
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler

Re: MISSING_SUBJECT

RW-15
In reply to this post by John Hardin
On Wed, 13 Jun 2018 16:36:02 -0700 (PDT)
John Hardin wrote:

> On Tue, 12 Jun 2018, micah anderson wrote:
>
> > I had a message marked with:
> >
> > 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
> > Subject:
> >
> > It did not have a subject, but it did have content (although only
> > encrypted)....  
>
> It may not be considering an encrypted message part to be a text body
> part. What was the MIME type of that part?

The rule is:

  meta EMPTY_MESSAGE   !__MIME_ATTACHMENT && !__NONEMPTY_BODY

where

  body __NONEMPTY_BODY /\S/

i.e. it's looking for an attachment or body text.

It needs to be something like:

 !__MIME_ATTACHMENT && !__NONEMPTY_BODY && !ENCRYPTED_MESSAGE

ENCRYPTED_MESSAGE already exists.

Re: MISSING_SUBJECT

Matus UHLAR - fantomas
>> On Tue, 12 Jun 2018, micah anderson wrote:
>>
>> > I had a message marked with:
>> >
>> > 2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
>> > Subject:
>> >
>> > It did not have a subject, but it did have content (although only
>> > encrypted)....

>On Wed, 13 Jun 2018 16:36:02 -0700 (PDT) John Hardin wrote:
>> It may not be considering an encrypted message part to be a text body
>> part. What was the MIME type of that part?

On 16.06.18 21:12, RW wrote:

>The rule is:
>
>  meta EMPTY_MESSAGE   !__MIME_ATTACHMENT && !__NONEMPTY_BODY
>
>where
>
>  body __NONEMPTY_BODY /\S/
>
>i.e. it's looking for an attachment or body text.
>
>It needs to be something like:
>
> !__MIME_ATTACHMENT && !__NONEMPTY_BODY && !ENCRYPTED_MESSAGE
>
>ENCRYPTED_MESSAGE already exists.

meta   ENCRYPTED_MESSAGE __CT_ENCRYPTED
header __CT_ENCRYPTED    Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/

__CT_ENCRYPTED is for now the better solution, mostly because someone could
disable ENCRYPTED_MESSAGE in case of FPs.

score ENCRYPTED_MESSAGE                     -1.000 -1.000 -1.000 -1.000

Note that this doesn't remove the redundancy of EMPTY_MESSAGE and
MISSING_SUBJECT which is the real problem here.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...

Re: MISSING_SUBJECT

RW-15
On Sun, 17 Jun 2018 14:19:25 +0200
Matus UHLAR - fantomas wrote:

 
> meta   ENCRYPTED_MESSAGE __CT_ENCRYPTED
> header __CT_ENCRYPTED    Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
>
> __CT_ENCRYPTED is for now better solution, mostly because of someone
> could disable ENCRYPTED_MESSAGE in case of FPs.

If it were

meta   ENCRYPTED_MESSAGE __ENCRYPTED_MESSAGE

I'd agree, but the current definition has clearly been set up to
allow additional tests to be added to  ENCRYPTED_MESSAGE. IMO it's much
more important that such changes get picked by any meta rules, than it
is to reduce the risk of ENCRYPTED_MESSAGE being carelessly given a
zero score. No one should ever zero a score without checking for meta
rules anyway.


> score ENCRYPTED_MESSAGE                     -1.000 -1.000 -1.000 -1.000
>
> Note that this doesn't remove the redundancy of EMPTY_MESSAGE and
> MISSING_SUBJECT which is the real problem here.

 
If there is a problem there it's that EMPTY_MESSAGE without
MISSING_SUBJECT doesn't score highly enough.

Re: MISSING_SUBJECT

John Hardin
On Sun, 17 Jun 2018, RW wrote:

> On Sun, 17 Jun 2018 14:19:25 +0200
> Matus UHLAR - fantomas wrote:
>
>
>> meta   ENCRYPTED_MESSAGE __CT_ENCRYPTED
>> header __CT_ENCRYPTED    Content-Type =~ /^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime/
>>
>> __CT_ENCRYPTED is for now better solution, mostly because of someone
>> could disable ENCRYPTED_MESSAGE in case of FPs.
>
> If it were
>
> meta   ENCRYPTED_MESSAGE __ENCRYPTED_MESSAGE
>
> I'd agree, but the current definition has clearly been set up to
> allow additional tests to be added to  ENCRYPTED_MESSAGE.

Correct.

__CT_ENCRYPTED is the basic test for the MIME type and is intended
for use in metas.

ENCRYPTED_MESSAGE is what score to apply to that, potentially with FP (or
in this case spam) avoidance filters. Generally those are added by seeing
what else hits in the masscheck results.


--
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  [hidden email]    FALaholic #11174     pgpk -a [hidden email]
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Are you a mildly tech-literate politico horrified by the level of
   ignorance demonstrated by lawmakers gearing up to regulate online
   technology they don't even begin to grasp? Cool. Now you have a
   tiny glimpse into a day in the life of a gun owner.   -- Sean Davis
-----------------------------------------------------------------------
  Tomorrow: SWMBO's Birthday
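
An added illustration, not part of any post in this thread and not SpamAssassin's own code: a Python model of the rules quoted above, evaluated against a constructed PGP/MIME message with no Subject, showing why EMPTY_MESSAGE fires today and stops firing once `!__CT_ENCRYPTED` is added to the meta. The stand-in for `__MIME_ATTACHMENT` (its definition is not quoted in the thread) and the text/*-only view of the body are assumptions.

```python
import re
from email import message_from_string

# Constructed PGP/MIME sample (RFC 3156 layout): no Subject header, no text/* part.
SAMPLE = """\
From: alice@example.org
To: bob@example.org
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

(constructed placeholder standing in for the ASCII-armored ciphertext)
--b1--
"""

# Regex copied from the __CT_ENCRYPTED header rule quoted in the thread.
CT_ENCRYPTED = re.compile(
    r"^multipart\/(?:x-)?(?:pgp-)?encrypted|application\/(?:x-)?pkcs7-mime")

def subrules(raw):
    """Evaluate the double-underscore sub-rules for one raw message."""
    msg = message_from_string(raw)
    parts = list(msg.walk())
    # Assumption: body rules see only decoded text/* parts, plus the Subject
    # ("body rules check subject too", as noted in the thread).
    text = [msg.get("Subject", "")]
    for p in parts:
        if p.get_content_maintype() == "text":
            text.append(p.get_payload(decode=True).decode("utf-8", "replace"))
    return {
        "__HAS_SUBJECT": "Subject" in msg,
        "__NONEMPTY_BODY": any(re.search(r"\S", t) for t in text),
        # Assumption: hypothetical stand-in for __MIME_ATTACHMENT.
        "__MIME_ATTACHMENT": any(
            p.get_content_disposition() == "attachment" for p in parts),
        "__CT_ENCRYPTED": bool(CT_ENCRYPTED.search(msg.get("Content-Type", ""))),
    }

def evaluate(raw):
    """Return the meta-rule results, current and with the proposed extra term."""
    s = subrules(raw)
    empty_now = not s["__MIME_ATTACHMENT"] and not s["__NONEMPTY_BODY"]
    return {
        "MISSING_SUBJECT": not s["__HAS_SUBJECT"],
        "EMPTY_MESSAGE (current)": empty_now,
        "EMPTY_MESSAGE (with !__CT_ENCRYPTED)": empty_now and not s["__CT_ENCRYPTED"],
    }
```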