[Rspamd-Users] fuzzy denied (high score in gif)

Alexander Moisseev moiseev+rspamd-users at mezonplus.ru
Tue Oct 30 19:48:42 UTC 2018


On 30.10.18 21:42, Emanuel Gonzalez wrote:
> Hi.!!
> 
> I understand that the "fuzzy" module analyzes all mail, including attachments. I have a doubt, which I could not solve previously.
> 
> Inside the mail analyzed there are 4 images with a very low size.
> 
46.2 KB (and even 11.1 KB) seems pretty big.

> image001.jpg (11.1 KB)image002.jpg (482 B)image003.gif (46.2 KB)image004.jpg (456 B)
> 
> is it convenient to increase the value of the "min_bytes" parameter?
> 
There is no simple answer for that, I am afraid, as always in finding a balance between false positives and false negatives.

> Is the hash malicious? Should I leave it on a whitelist?
> 
Sure, spammers can use the same images as legitimate senders. As the most important thing about "fuzzy" is avoiding of FPs, the general rule is to delist fuzzy hashes whenever you find it in legitimate mail.
So, yes,

> [FUZZY_DENIED(11.99){1:2462e1bc90:1.00:bin;}
> 
but you need to use the full hash to delist it.



More information about the Users mailing list