You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by "Shawn R. Beairsto" <sb...@dkl.com> on 2004/12/17 16:18:06 UTC

F.P. with SARE rule

Good morning everyone,

 

I just got a F.P. using one of the SARE rulesets, looks like the
SARE_SUB_PENIS_OB rule might need some tweaking. Seems like it fired
from the word pennies:

 

Content preview:  Pennies From Heaven The Daily Reckoning [...] 

 

Content analysis details:   (7.9 points, 5.0 required)

 

 pts rule name              description

---- ----------------------
--------------------------------------------------

 3.3 SARE_SUB_PENIS_OB      subject has obfuscated spammer topic

 1.9 LOW_INTEREST           BODY: Lower Interest Rates

 1.5 MORTGAGE_BEST          BODY: Information on mortgages

 1.2 BANG_MORE              BODY: Talks about more with an exclamation!

 0.0 HTML_MESSAGE           BODY: HTML included in message

 

-- 
Shawn Beairsto 
Network Administrator 
Data Kinetics Ltd. 
http://www.dkl.com

Re: F.P. with SARE rule

Posted by Matt Kettler <mk...@comcast.net>.

At 10:18 AM 12/17/2004 -0500, Shawn R. Beairsto wrote:
>I just got a F.P. using one of the SARE rulesets, looks like the 
>SARE_SUB_PENIS_OB rule might need some tweaking. Seems like it fired from 
>the word pennies:

Yep.. it's crap like that that makes me staunchly refuse to use .? as a 
gapping character..

It's really odd that this rule has an antidrug obfu style section AND a .? 
section.. I'd suggest splitting them up. This way the exemption words like 
pennies pencils, etc can all be handled only for the .? based rule.. the 
antidrug style obfu rule uses [\W_]? as a gap, and won't suffer from FPs on 
words like that, but it also won't catch anything obfuscated with 
extra-letter stuffing..