Posted to users@spamassassin.apache.org by Robert Boyl <ro...@gmail.com> on 2018/03/27 14:24:02 UTC
Lots of money, score of 0??
Guys,
Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA
scores 0 and false negative. Imho it should score at least something, few
people would write Million dollars in an email, why not add up score?
LOTS_OF_MONEY 0.00
See https://pastebin.com/dY6iFeYL
Thanks!
Rob
Re: Lots of money, score of 0??
Posted by David Jones <dj...@ena.com>.
On 03/27/2018 09:24 AM, Robert Boyl wrote:
> Guys,
>
> Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA
> scores 0 and false negative. Imho it should score at least something,
> few people would write Million dollars in an email, why not add up score?
>
> LOTS_OF_MONEY 0.00
>
> See https://pastebin.com/dY6iFeYL
>
> Thanks!
> Rob
>
I score it about 2 points in my MailScanner instances with a block
threshold of 6.0. My local rules have a huge list of whitelist_auth
entries to cover the trustworthy senders that might hit this and other
"spammy" rules that aren't definite spam/poison pills.
--
David Jones
Re: Lots of money, score of 0??
Posted by John Hardin <jh...@impsec.org>.
On Tue, 27 Mar 2018, Robert Boyl wrote:
> Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA
> scores 0 and false negative. Imho it should score at least something, few
> people would write Million dollars in an email, why not add up score?
>
> LOTS_OF_MONEY 0.00
It's not *intended* to score by itself, it's intended to be used in metas
with other suspicious indicators. It's scored informative by itself just
to give an indicator in the rule hits list that a mention of large sums of
money was present.
You are welcome to assign a score locally if you feel that way. I don't
think it's justified in the default rules.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Win95: Where do you want to go today?
Vista: Where will Microsoft allow you to go today?
-----------------------------------------------------------------------
5 days until April Fools' day
Re: Lots of money, score of 0??
Posted by RW <rw...@googlemail.com>.
On Thu, 29 Mar 2018 08:50:48 -0700 (PDT)
John Hardin wrote:
> On Thu, 29 Mar 2018, RW wrote:
>
> > The rule is matching on "$10.99 o" and "£1.70 2 6" respectively.
>
> Sadly that's kind of unavoidable given spammer obfuscation and the
> fact that cultures differ on what character to use for the decimal
> point and thousands separator.
>
> > I've seen other types too, e.g.
> >
> > https://example.com/?f=a37688909bc4f6
> >
> > £20 M&S voucher
>
> *that* is a bit unexpected...
It's understandable though because it's "£20 M" followed by a word
boundary.
The other one could be seen as a bug, __LOTSA_MONEY_01 is an ordinary
body rule, so a "=a3" that represents a "£" should have already been
decoded.
Re: Lots of money, score of 0??
Posted by John Hardin <jh...@impsec.org>.
On Thu, 29 Mar 2018, RW wrote:
> The rule is matching on "$10.99 o" and "£1.70 2 6" respectively.
Sadly that's kind of unavoidable given spammer obfuscation and the fact
that cultures differ on what character to use for the decimal point and
thousands separator.
> I've seen other types too, e.g.
>
> https://example.com/?f=a37688909bc4f6
>
> £20 M&S voucher
*that* is a bit unexpected...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Politicians never accuse you of "greed" for wanting other people's
money, only for wanting to keep your own money. -- Joseph Sobran
-----------------------------------------------------------------------
3 days until April Fools' day
Re: Lots of money, score of 0??
Posted by RW <rw...@googlemail.com>.
On Tue, 27 Mar 2018 12:12:50 -0400
Bill Cole wrote:
> On 27 Mar 2018, at 10:24, Robert Boyl wrote:
>
> > Guys,
> >
> > Do you usually tune up Lots of money rule? Strange, our
> > spamassassin/EFA
> > scores 0 and false negative. Imho it should score at least
> > something, few
> > people would write Million dollars in an email, why not add up
> > score?
> >
> > LOTS_OF_MONEY 0.00
> >
> > See https://pastebin.com/dY6iFeYL
>
> I see a very large number of legitimate and definitely wanted
> messages hitting the LOTS_OF_MONEY rule.
I had a look at a few of mine and most of them don't actually involve
huge sums of money, it's a very aggressive rule.
In a straightforward amount "LOTS" starts at $1000.01, but with
other digits or letter Os after it can be pushed down to $1.00.
e.g.
$10.99 on top of ...
1 Maris Piper Potatoes £1.70
2 6 Pork Sausages £4.50
The rule is matching on "$10.99 o" and "£1.70 2 6" respectively.
I've seen other types too, e.g.
https://example.com/?f=a37688909bc4f6
£20 M&S voucher
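The matches RW lists above can be reproduced with a simplified stand-in pattern. This is an added example, not part of any post in the thread and not the real __LOTSA_MONEY_01 regex. The pattern, the five-character threshold, the 1000 floor and the function names are assumptions made for illustration, and the sample lines are constructed from the ones quoted above.

```python
import re

# Constructed stand-in for a tolerant money pattern (NOT the SpamAssassin rule).
# Assumed shape: a currency marker (including an undecoded quoted-printable
# "=a3" for "£"), then digits or letter O with optional space/dot/comma
# separators, then an optional "M"/"million" magnitude at a word boundary.
LOOSE = re.compile(
    r"(?:[$£]|=[aA]3)(?P<num>\d(?:[\s.,]?[\dOo])*)"
    r"(?P<mag>\s?(?:M|[Mm]illion)\b)?"
)
# Plain reading: a single amount, comma thousands separators, dot decimals.
PLAIN = re.compile(r"[$£](\d{1,3}(?:,\d{3})+|\d+)(\.\d{2})?")

MIN_DIGITS = 5  # assumed: five digit-like characters count as "lots"


def loose_hits(text):
    """Return the spans the tolerant pattern would treat as large sums."""
    hits = []
    for m in LOOSE.finditer(text):
        digit_like = sum(c in "0123456789Oo" for c in m.group("num"))
        if digit_like >= MIN_DIGITS or m.group("mag"):
            hits.append(m.group(0))
    return hits


def plain_amounts(text):
    """Return the amounts a human reader would see, as floats."""
    return [float(m.group(1).replace(",", "") + (m.group(2) or ""))
            for m in PLAIN.finditer(text)]


def benign_looking(text, floor=1000.0):
    """True when the tolerant pattern fires but no plain amount reaches floor."""
    return bool(loose_hits(text)) and all(a < floor for a in plain_amounts(text))


# Constructed samples; the receipt lines are joined with a space, as
# whitespace-collapsed body text would be.
SAMPLES = [
    "$10.99 on top of ...",
    "1 Maris Piper Potatoes £1.70 2 6 Pork Sausages £4.50",
    "£20 M&S voucher",
    "https://example.com/?f=a37688909bc4f6",
    "I will transfer $2,500,000 to you",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(loose_hits(s), plain_amounts(s), benign_looking(s))
```

Running it over a sample of wanted mail that hit the rule gives a quick view of how often the tolerant match fires on small amounts, which is useful before assigning a local score.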
Re: Lots of money, score of 0??
Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 27 Mar 2018, at 10:24, Robert Boyl wrote:
> Guys,
>
> Do you usually tune up Lots of money rule? Strange, our
> spamassassin/EFA
> scores 0 and false negative. Imho it should score at least something,
> few
> people would write Million dollars in an email, why not add up score?
>
> LOTS_OF_MONEY 0.00
>
> See https://pastebin.com/dY6iFeYL
I see a very large number of legitimate and definitely wanted messages
hitting the LOTS_OF_MONEY rule. 849 in my own mail in the past year,
excluding mail with quoted spam. This includes YOUR message asking about
it.