You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/09/15 11:36:06 UTC
Re: Erroneous doubled letters in subject
good tip! I've just added PR_TD_NOWRAP and PR_TD_NOWRAP_BAT to test these
out...
Randal, Phil writes:
> I clobber these by noticing that they claime to be sent via "The Bat!"
> and have the html code "td nowrap" in their body.
>
> Combine the two in a meta rule and give it a high score.
>
> I'm seeing no false positives here.
>
> Phil
>
> --
> Phil Randal
> Networks Engineer
> Herefordshire Council
> Hereford, UK
>
> -----Original Message-----
> From: Kenneth Porter [mailto:shiva@sewingwitch.com]
> Sent: 15 September 2008 10:10
> To: users@spamassassin.apache.org
> Subject: Erroneous doubled letters in subject
>
> I've noticed a spam that always has the same subject line except that
> random letters or digits are doubled. Is there a plugin that can detect
> this pattern? Something where I can give it the "ideal" string and it
> will check the header for that string with potentially doubled
> characters?
>
> Here's the Subject I've been seeing a lot of:
>
> New online CASINO bonus (get 1800 bucks instantly)
RE: Erroneous doubled letters in subject
Posted by RobertH <ro...@abbacomm.net>.
>
>
> ok, the rule-QA results are in:
>
> http://ruleqa.spamassassin.org/?daterev=20080916-r695772-
> n&rule=%2FTD_NOWRAP&srcpath=rulesrc%2Fsandbox%2Fjm%2F20_basic&g=Change
>
> MSECS SPAM% HAM% S/O RANK SCORE NAME WHO/AGE
> 0.00000 0.1669 0.0000 1.000 0.77 0.01 T_PR_TD_NOWRAP_BAT
> 0.00000 0.1684 0.1352 0.555 0.65 0.01 T_PR_TD_NOWRAP
>
> so T_PR_TD_NOWRAP_BAT doesn't lose much in the way of hitrate, well
> worth it.
>
> --j.
Jm
Thanks for the heads up.
Im still a little confused on this ruleset mod though.
Was it just the last 4 lines of the SVN ruleset jm sandbox 20_basic.cf that
was posted recently?
AND
Do we need to add it manually or just wait for an sa-update to run?
- rh
RE: Erroneous doubled letters in subject
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Tuesday, September 16, 2008 10:16 AM +0100 "Randal, Phil"
<pr...@herefordshire.gov.uk> wrote:
> I should make clear that PR_TD_NOWRAP does hit some ham here, so perhaps
> it would be better named __PR_TD_NOWRAP.
What sources the ham that hits? What legitimately stuffs that string in
email?
Is it legal HTML?
RE: Erroneous doubled letters in subject
Posted by "Randal, Phil" <pr...@herefordshire.gov.uk>.
I should make clear that PR_TD_NOWRAP does hit some ham here, so perhaps
it would be better named __PR_TD_NOWRAP.
Over the last week here, the figures are
mxo:
PR_TD_NOWRAP_BAT 1094, no fps
PR_TD_NOWRAP only 324, over 300 ham
mx1:
PR_TD_NOWRAP_BAT 1236, no fps
PR_TD_NOWRAP only 271, over 250 ham
Cheers,
Phil
--
Phil Randal
Networks Engineer
Herefordshire Council
Hereford, UK
-----Original Message-----
From: Kenneth Porter [mailto:shiva@sewingwitch.com]
Sent: 15 September 2008 18:39
To: users@spamassassin.apache.org
Subject: Re: Erroneous doubled letters in subject
--On Monday, September 15, 2008 10:36 AM +0100 Justin Mason
<jm...@jmason.org>
wrote:
> good tip! I've just added PR_TD_NOWRAP and PR_TD_NOWRAP_BAT to test
> these out...
Cool! I've added it as a test rule in my environment and will bump up
the score once I see how it goes.
For others looking for the rule, see here:
<http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_bas
ic.cf?revision=695394&view=markup>
RE: Erroneous doubled letters in subject
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Monday, September 15, 2008 1:26 PM -0700 RobertH
<ro...@abbacomm.net> wrote:
> Are these rules we can keep there indefinitely, or do they get migrated
> into future SA releases and should be removed?
>
> Also, I notice on SA 3.2.5 there were several linting issues.
>
> Ill look closer at the warnings soon yet are others seeing the same?
I don't grab the whole file from Subversion. I just cherry-pick the rules I
want to try and copy them into a .cf file to try out. Otherwise I'd have to
study the whole file to make sure I had all the dependencies satisfied, and
I don't feel like doing that level of QA.
RE: Erroneous doubled letters in subject
Posted by RobertH <ro...@abbacomm.net>.
>
> Cool! I've added it as a test rule in my environment and will bump up the
> score once I see how it goes.
>
> For others looking for the rule, see here:
>
> <http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic
> .cf?revision=695394&view=markup>
>
Are these rules we can keep there indefinitely, or do they get migrated into
future SA releases and should be removed?
Also, I notice on SA 3.2.5 there were several linting issues.
Ill look closer at the warnings soon yet are others seeing the same?
- rh
Re: Erroneous doubled letters in subject
Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Monday, September 15, 2008 10:36 AM +0100 Justin Mason <jm...@jmason.org>
wrote:
> good tip! I've just added PR_TD_NOWRAP and PR_TD_NOWRAP_BAT to test these
> out...
Cool! I've added it as a test rule in my environment and will bump up the
score once I see how it goes.
For others looking for the rule, see here:
<http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_basic.cf?revision=695394&view=markup>