You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Jeff Koch <je...@intersessions.com> on 2004/12/14 19:09:29 UTC
blank subject and contents
Hi:
We're getting hit with a lot of emails with blank subject lines and blank
contents. Could be some kind of address verification robot. Is SA supposed
to filter these? If not, does anyone have some custom rules that would do it?
Best Regards,
Jeff Koch
Re: blank subject and contents
Posted by Theo Van Dinter <fe...@kluge.net>.
On Wed, Feb 02, 2005 at 06:17:57PM -0800, Robert Menschel wrote:
> An S/O of 0.812 for SARE_EMPTY_SUBJ_BODY is maybe worth a point or so,
> but it's not a strong enough indicator of spam to be worth much.
Ewww! (I'd just delete things around 0.8...)
It doesn't hit a ton, but there is a rule in 3.1 to catch these:
OVERALL% SPAM% HAM% S/O RANK SCORE NAME
190919 170010 20909 0.890 0.00 0.00 (all messages)
1.299 1.4587 0.0000 1.000 0.82 1.00 EMPTY_MESSAGE
It requires code from 3.1, so it's not any use in 3.0, but ... FYI. :)
--
Randomly Generated Tagline:
"In the universe, great acts are made up of small deeds." - Lao Tzu
Re: blank subject and contents
Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Jeff,
Tuesday, December 14, 2004, 10:09:29 AM, you wrote:
JK> We're getting hit with a lot of emails with blank subject lines and blank
JK> contents. Could be some kind of address verification robot. Is SA supposed
JK> to filter these? If not, does anyone have some custom rules that would do it?
I finally got around to testing these rules:
header SARE_SUBJ exists:Subject
meta SARE_NO_SUBJ !SARE_SUBJ
header SARE_SUBJ Subject =~ m'\S'
meta SARE_BLANK_SUBJ !SARE_SUBJ
body SARE_BODY m'\S'
meta SARE_BODY_BLANK !SARE_BODY
meta SARE_EMPTY_SUBJ_BODY ( SARE_NO_SUBJ || SARE_BLANK_SUBJ ) && SARE_BODY_BLANK
OVERALL% SPAM% HAM% S/O RANK SCORE NAME
95115 59678 35437 0.627 0.00 0.00 (all messages)
100.000 62.7430 37.2570 0.627 0.00 0.00 (all messages as %)
2.295 3.3094 0.5870 0.849 0.00 1.00 SARE_BLANK_SUBJ
0.139 0.1843 0.0621 0.748 0.00 1.00 SARE_BODY_BLANK
2.295 3.3094 0.5870 0.849 0.00 1.00 SARE_NO_SUBJ
0.130 0.1826 0.0423 0.812 0.00 1.00 SARE_EMPTY_SUBJ_BODY
99.861 99.8157 99.9379 0.500 0.00 1.00 SARE_BODY
97.705 96.6906 99.4130 0.493 0.00 1.00 SARE_SUBJ
An S/O of 0.812 for SARE_EMPTY_SUBJ_BODY is maybe worth a point or so,
but it's not a strong enough indicator of spam to be worth much.
Bob Menschel
Re: blank subject and contents
Posted by Loren Wilton <lw...@earthlink.net>.
> We're getting hit with a lot of emails with blank subject lines and blank
> contents. Could be some kind of address verification robot. Is SA supposed
> to filter these? If not, does anyone have some custom rules that would do
it?
My theory is this is the result of some newbie spammer that doesn't know how
to drive the spam tool and screwed up the configuration.
SA doesn't have a blank message rule, but SARE does. Don't recall which
ruleset it is in, but someone (maybe Bob) posted the rule last week.
Loren
Re: blank subject and contents
Posted by Stuart Johnston <st...@ebby.com>.
Jeff Koch wrote:
>
> Hi:
>
> We're getting hit with a lot of emails with blank subject lines and
> blank contents. Could be some kind of address verification robot. Is SA
> supposed to filter these? If not, does anyone have some custom rules
> that would do it?
I asked about this last week, search for "blank message".
In summary, you will probably want something like:
rawbody __HAS_BODY /\S/
meta LOCAL_EMPTY_MESSAGE (!__HAS_BODY && SARE_TOCC_NONE)
You'll need SARE's 70_sare_header3.cf. The main problem is that the
body rules (even rawbody) are processed after attachments have been
removed so you may hit some ham that only has an attachment. The
SARE_TOCC_NONE should help avoid the ham hits.
Stuart Johnston
Ebby Halliday, Realtors