score's and custom rules

[Jimmy Stewpot <qm...@oranged.to>]

Hello,

I am currently trying to configure spam assassin with some custom rules 
to block certain words which are being used in a large amount of spam 
that the email servers receive. When I put the following rules into the 
local.cf file

body VIjAGRA /\bVIjAGRA\b/i
score VIjAGRA 3.0
describe VIjAGRA VIAGRA_SPAM


I can see from the mail logs that the email is now seeing that the term 
is used in the email but the score is not being increased as the email 
passes through the spamassassin process. Here is the log file



Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
<BA...@phx.gbl> for clamav:89
Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for 
clamav:89 in 1.3 seconds, 1293 bytes.
Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<BA...@phx.gbl>,bayes=1.66533453693773e-16,autolearn=no

I am a little confused as to what is actually wrong with the rules to 
make it so that the score is not bieng incremented as the spam is being 
parsed by SA. Any advice would be greatly appreciated.

Regards,

Jimmy

Re: score's and custom rules

[Magnus Holmgren <ho...@lysator.liu.se>]

On Monday 17 July 2006 15:25, Jimmy Stewpot took the opportunity to write:
> JamesDR wrote:
> > I'm willing to bet that these two:
> > AWL,BAYES_00
> > Are killing your score.
> > Check why bayes thinks this is ham, I notice that it did not autolearn
> > (autolearn=no), I'm also willing to bet that your bayes DB is pretty
> > much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
> > Clear AWL, Clear and start from scratch on Bayes also (my recommendation
> > would be to turn off autolearn.)

It needn't be "hosed" if you sent a test message from yourself with 
just "VIjAGRA" in it.

> How do you clear the AWL and Bayes Lists is that just a case of deleting
> the files or is there some special command to do that ?

*If* it's so screwed up that you have to start over completely, that's the 
easiest way to do it.

-- 
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)

Re: score's and custom rules

[JamesDR <ja...@trusswood.net>]

Jimmy Stewpot wrote:
> Hello,
> 
> How do you clear the AWL and Bayes Lists is that just a case of deleting 
> the files or is there some special command to do that ?
> 
> Regards,
> 
> Jimmy
> 
> JamesDR wrote:
>> Jimmy Stewpot wrote:
>>> Hello,
>>>
>>> I am currently trying to configure spam assassin with some custom 
>>> rules to block certain words which are being used in a large amount 
>>> of spam that the email servers receive. When I put the following 
>>> rules into the local.cf file
>>>
>>> body VIjAGRA /\bVIjAGRA\b/i
>>> score VIjAGRA 3.0
>>> describe VIjAGRA VIAGRA_SPAM
>>>
>>>
>>> I can see from the mail logs that the email is now seeing that the 
>>> term is used in the email but the score is not being increased as the 
>>> email passes through the spamassassin process. Here is the log file
>>>
>>>
>>>
>>> Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
>>> <BA...@phx.gbl> for clamav:89
>>> Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) 
>>> for clamav:89 in 1.3 seconds, 1293 bytes.
>>> Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
>>> AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
>>> scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<BA...@phx.gbl>,bayes=1.66533453693773e-16,autolearn=no 
>>>
>>>
>>> I am a little confused as to what is actually wrong with the rules to 
>>> make it so that the score is not bieng incremented as the spam is 
>>> being parsed by SA. Any advice would be greatly appreciated.
>>>
>>> Regards,
>>>
>>> Jimmy
>>>
>>>
>> I'm willing to bet that these two:
>> AWL,BAYES_00
>> Are killing your score.
>> Check why bayes thinks this is ham, I notice that it did not autolearn 
>> (autolearn=no), I'm also willing to bet that your bayes DB is pretty 
>> much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
>> Clear AWL, Clear and start from scratch on Bayes also (my 
>> recommendation would be to turn off autolearn.)
> 
> 
That all depends on how they are stored.. Are you using SQL? then a 
simple DELETE FROM...should work.
Please post some info about how your bayes/awl db's are stored.

-- 
Thanks,
James

Re: score's and custom rules

[Jimmy Stewpot <qm...@oranged.to>]

Hello,

How do you clear the AWL and Bayes Lists is that just a case of deleting 
the files or is there some special command to do that ?

Regards,

Jimmy

JamesDR wrote:
> Jimmy Stewpot wrote:
>> Hello,
>>
>> I am currently trying to configure spam assassin with some custom 
>> rules to block certain words which are being used in a large amount of 
>> spam that the email servers receive. When I put the following rules 
>> into the local.cf file
>>
>> body VIjAGRA /\bVIjAGRA\b/i
>> score VIjAGRA 3.0
>> describe VIjAGRA VIAGRA_SPAM
>>
>>
>> I can see from the mail logs that the email is now seeing that the 
>> term is used in the email but the score is not being increased as the 
>> email passes through the spamassassin process. Here is the log file
>>
>>
>>
>> Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
>> <BA...@phx.gbl> for clamav:89
>> Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) 
>> for clamav:89 in 1.3 seconds, 1293 bytes.
>> Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
>> AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
>> scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<BA...@phx.gbl>,bayes=1.66533453693773e-16,autolearn=no 
>>
>>
>> I am a little confused as to what is actually wrong with the rules to 
>> make it so that the score is not bieng incremented as the spam is 
>> being parsed by SA. Any advice would be greatly appreciated.
>>
>> Regards,
>>
>> Jimmy
>>
>>
> I'm willing to bet that these two:
> AWL,BAYES_00
> Are killing your score.
> Check why bayes thinks this is ham, I notice that it did not autolearn 
> (autolearn=no), I'm also willing to bet that your bayes DB is pretty 
> much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
> Clear AWL, Clear and start from scratch on Bayes also (my recommendation 
> would be to turn off autolearn.)

Re: score's and custom rules

[JamesDR <ja...@trusswood.net>]

Jimmy Stewpot wrote:
> Hello,
> 
> I am currently trying to configure spam assassin with some custom rules 
> to block certain words which are being used in a large amount of spam 
> that the email servers receive. When I put the following rules into the 
> local.cf file
> 
> body VIjAGRA /\bVIjAGRA\b/i
> score VIjAGRA 3.0
> describe VIjAGRA VIAGRA_SPAM
> 
> 
> I can see from the mail logs that the email is now seeing that the term 
> is used in the email but the score is not being increased as the email 
> passes through the spamassassin process. Here is the log file
> 
> 
> 
> Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
> <BA...@phx.gbl> for clamav:89
> Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for 
> clamav:89 in 1.3 seconds, 1293 bytes.
> Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
> AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
> scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<BA...@phx.gbl>,bayes=1.66533453693773e-16,autolearn=no 
> 
> 
> I am a little confused as to what is actually wrong with the rules to 
> make it so that the score is not bieng incremented as the spam is being 
> parsed by SA. Any advice would be greatly appreciated.
> 
> Regards,
> 
> Jimmy
> 
> 
I'm willing to bet that these two:
AWL,BAYES_00
Are killing your score.
Check why bayes thinks this is ham, I notice that it did not autolearn 
(autolearn=no), I'm also willing to bet that your bayes DB is pretty 
much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
Clear AWL, Clear and start from scratch on Bayes also (my recommendation 
would be to turn off autolearn.)
-- 
Thanks,
James

Re: score's and custom rules

[Magnus Holmgren <ho...@lysator.liu.se>]

On Monday 17 July 2006 15:11, Jimmy Stewpot took the opportunity to write:
> Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message
> <BA...@phx.gbl> for clamav:89
> Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for
> clamav:89 in 1.3 seconds, 1293 bytes.
> Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 -
> AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA
> scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhos
>t.localdomain,raddr=127.0.0.1,rport=51601,mid=<BAY120-F24EC58985C9AF8FA1DEC3
>08D620@phx.gbl>,bayes=1.66533453693773e-16,autolearn=no
>
> I am a little confused as to what is actually wrong with the rules to
> make it so that the score is not bieng incremented as the spam is being
> parsed by SA. Any advice would be greatly appreciated.

There is nothing wrong. AWL and BAYES_00 pulls the score back down to 0.5.

-- 
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)

RE: score's and custom rules

["Coffey, Neal" <nc...@langeveld.com>]

 
Jimmy Stewpot wrote:
> Hello,
> 
> I am currently trying to configure spam assassin with some custom
rules 
> to block certain words which are being used in a large amount of spam 
> that the email servers receive. When I put the following rules into
the 
> local.cf file
> 
> body VIjAGRA /\bVIjAGRA\b/i
> score VIjAGRA 3.0
> describe VIjAGRA VIAGRA_SPAM

I've been getting the same junk mails you are, but I've also been
getting it as:
-VIAGvRA
-VIAGeRA
-VIeAGRA

Hence, I think this might be a better rule:
body	LOC_OBFU_VIAGRA
/\bV[a-z]?I[a-z]?A[a-z]?G[a-z]?R[a-z]?A\b/
score	LOC_OBFU_VIAGRA		3.0
describe	LOC_OBFU_VIAGRA	A lame attempt to obfuscate "viagra"

Rinse and repeat for CIALvIS, AMBIvEN, VALIvUM...or a rule that'll catch
them all in one:

body	LOC_OBFU_DRUGS
/\b[VCA][a-z]?[IMA][a-z]?[ABL][a-z]?[GLI][a-z]?[RIEU][a-z]?[ASNM]\b/
score	LOC_OBFU_DRUGS	3.0
describe LOC_OBFU_DRUGS	Attempting to hide one of the 5-letter drugs

I removed the "/i" option because they're showing up only with all caps
drugs and lowercase "insertions" for me, and without them, the rules
will match "viagra" just as much as "VIAGjRA".  Unless you're sure you
won't get any legitimate mail with any of these drug names in it, I'd
also change this to a subject header rule instead of a body rule.