Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2005/05/03 08:32:31 UTC

[SARE] Obfuscation

Finally!  The first release of SARE's new obfuscation rules is
available.

I haven't had time to update the web site -- I'll do that tomorrow
evening.

This is the rule set that will catch many of the current spate of spam
that tries to avoid rules by misspelling words, and/or by inserting
spaces, punctuation, and digits where they don't belong.

Such activity is, of course, a natural spam sign, and this rule set will
take advantage of it.

Bob Menschel


> SARE Obfuscation Ruleset for SpamAssassin -- file 0
> Version:  01.00.00
> Created:  2005-05-02
> Modified: 2005-05-02
> Usage instructions and documentation in 70_sare_obfu0.cf
> Full Revision History / Change Log in 70_sare_obfu.log
>
> License: Artistic - see http://www.rulesemporium.com/license.txt
> Current Maintainer: by committee - header_abuse@rulesemporium.com
> Current Home: http://www.rulesemporium.com/rules/70_sare_obfu0.cf

File 1 is, of course, at
http://www.rulesemporium.com/rules/70_sare_obfu1.cf

> Usage:  This family of files, 70_sare_obfu*.cf, contains rules that
> test for common types of obfuscation, and for commonly obfuscated
> words in subject headers and email bodies.
>
> Note: As of version 00.01.00, 2005-04-30, only files obfu0.cf and
> obfu1.cf exist. Testing of additional words is on-going, and we
> expect these files/rules to grow quickly.
>
> WARNING: As with many obfuscation rules and files, many of the rules
> in this family are language-dependent, most specifically
> English-dependent, and in some areas, American-dependent. Be very
> careful if applying any of these files on systems where large
> numbers of emails are non-English. And if/when you find non-spam
> that hits these rules, please send copies to SARE so we can adjust
> our scores.      
>
> WARNING 2: Despite our best efforts at keeping the performance
> impact within reason, these rules files WILL slow down your email
> processing. Systems that are tight on resources, or that have
> trouble keeping up with the email flow, will want to think twice or
> thrice.    
>
> File 0: 70_sare_obfu0.cf -- These are obfuscation rules that hit at
> least 10 spam and no ham. While SARE cannot guarantee they never
> will hit ham, they have not hit ham in any SARE mass-check, against
> tens of thousands of ham. This is a rules file we expect any/all
> email systems using SpamAssassin to benefit from. 
> Note! Some of these rules WILL hit ham, if words in ham are
> misspelled in just the right (wrong?) way. We cannot tell you that
> it won't happen -- all we can say is that WE haven't seen those
> misspellings yet. Fortunately, we see from our experience that ham
> should not have more than one such misspelling in any one email.
> Therefore even a rule score of 3.0 (our highest score) should not
> cause any email to be flagged as spam unless it starts out as a
> spammy ham. 
>
> File 1: 70_sare_obfu1.cf -- These are obfuscation rules that meet
> one of the following criteria:
> a) Rules that do, or in the past have hit ham during SARE mass-check
> tests 
> b) Rules that hit no ham and currently do not hit more than 10 spam
> in any single mass-check run. 
> If the rules hit ham, they hit at least 10 spam to each 1 ham. With
> few exceptions these rules score significantly less than the rules
> in file 0. Systems which are very sensitive to false positives
> and/or need to be very careful about resource use may want to
> exclude this ruleset, pick and choose among its rules, or lower
> their scores. Systems that use this file 1 should ALSO use file 0.
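
An added example, not part of the original post and not taken from the SARE rule files: a small Python sketch of how a rule can catch a word disguised with inserted spaces, punctuation and digits or with look-alike characters, while leaving the correctly spelled word alone. The look-alike table, the gap character set and the watch list are assumptions made for illustration.

```python
import re

# Assumed look-alike substitutions (illustrative, not SARE's list).
LOOKALIKES = {"a": "a@4", "e": "e3", "i": "i1!|", "l": "l1|",
              "o": "o0", "s": "s$5", "t": "t7+"}
# Up to three inserted spaces, digits or punctuation marks between letters.
GAP = r"[\s\d_.,*'~\-]{0,3}"
# Hypothetical watch list of commonly obfuscated words.
WATCH = ["mortgage", "refinance"]


def obfu_regex(word):
    """Compile a pattern that matches disguised spellings of `word` only."""
    word = word.lower()
    letters = ["[" + re.escape(LOOKALIKES.get(c, c)) + "]" for c in word]
    plain = re.escape(word)
    return re.compile(
        r"(?<![a-z0-9])"              # do not start inside a longer token
        rf"(?!{plain}(?![a-z]))"      # skip the correctly spelled word
        + GAP.join(letters)
        + r"(?![a-z])",               # do not match a prefix of a longer word
        re.IGNORECASE,
    )


def find_obfuscated(text, words=WATCH):
    """Return the sorted watch-list words that appear obfuscated in `text`."""
    return sorted(w for w in words if obfu_regex(w).search(text))


if __name__ == "__main__":
    # Constructed sample subject lines, not taken from real mail.
    samples = [
        "Lowest m0rtg@ge rates ever",
        "R e f i n a n c e now, M.o.r.t.g.a.g.e approved",
        "Refinance your mortgage today",
        "Our mortgages team will call you",
    ]
    for subject in samples:
        print(f"{subject!r:55} -> {find_obfuscated(subject)}")
```

The per-letter character classes and gap quantifiers are what make such patterns expensive to run and tied to one language's spelling, which is the trade-off the two warnings in the quoted file header describe.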





[SARE] Whitelist updated

Posted by Robert Menschel <Ro...@Menschel.net>.
Just a quick note that the SARE whitelist rules file has been updated.
Documentation available at http://www.rulesemporium.com/rules.htm

The purpose of this rules file is to use the whitelist_from_rcvd to
avoid false positives for services that we know do not send out spam.

It's suitable for use by any and all systems.

Because it uses the whitelist_from_rcvd directive, it can also be used
in any individual user's user_prefs file.

Contributions of additional whitelist entries are more than welcome.

Likewise, if you should happen to find any spam flagged by any of
these entries, please send that spam to me so the entry can be removed
or fixed.

Bob Menschel




[SARE] Rules update: genlsubj and obfu

Posted by Robert Menschel <Ro...@Menschel.net>.
Just a quick note that the SARE subject rules and obfuscation rules
have been updated.  Documentation available at
http://www.rulesemporium.com/rules.htm

Note: Many of the subject rules were testing for obfuscations within
the subject headings.  These have been moved to the obfuscation rules
files, and renamed appropriately. Systems that have been depending on
these obfuscation rules within the subject files should pull in at
least obfu file 0 and possibly obfu file 1.

Bob Menschel