Stef Simoens | 9 Jun 02:08 2012

Razor2 problems


I don't see a lot of action on this list, I hope someone will read me here.
Is Razor2 still being used, by the way?

I'm seeing a lot of false positives with Razor2 scans on my domain.
I did some research (adding some verbosity printfs and running razor-check -d < false_positive_email).

I noticed the following facts:
- because in, line 655, the line-wrap kill is commented out, a lot of URLs are not found (in a real-life e-mail only 3 URLs were found out of 14 URLs present in the e-mail)
- due to my domain name and the "canonify" function, all URLs on my domain are being canonified to "". That wouldn't be bad if the hash for that domain weren't marked as being 100% SPAM (e=8 sig=PhKPm4hzfMkA: Is spam: cf 100 >= min_cf 21).

Is this "Spam" an indicator for "bulk" or is it an indicator for "unsolicited e-mail"?
How can this situation be handled? (i.e. what are the rules for the hash to be considered non-spam?).

Thank you for your help/comments/advice/...

Stef Simoens hostmaster
