Please help with subject rule

[Roman Serbski <me...@gmail.com>]

Dear all,

Could you please help me with one SA subject rule that sometimes works
and sometimes doesn't.

SpamAssassin 3.0.2 with qmail-scanner 1.25st.

Everything works like a charm but we receive a lot of spam messages
from yahoo.com group with [expoforum_kg] subject.  I created a rule in
20_head_tests.cf to score all messages containing [expoforum_kg] in a
subject.  I know I shouldn't use global cf rules but I was just
testing.

20_head_tests.cf:

header EXPO_SUCKERS Subject =~ /\b(?:[a-z]([-_.
=~\/:,*!\@\#\$\%\^&+;\"\'<>\\])\1{0,2}){4,}/i
describe EXPO_SUCKERS Subject: contains [expoforum_kg]

50_scores.cf:

score EXPO_SUCKERS 10 10.05 10.07 10.09

Now the problem is that sometimes this rule works but sometimes it is
being ignored.

This is an example of successful detection:

Mon, 14 Mar 2005 18:11:21 KGT:40007: from='Neomarketing
<ro...@i4free.co.nz>', subj='[expoforum_kg] A D V E R T I S E - TO -
M I L
 L I O N S', via SMTP from 66.94.237.16
Mon, 14 Mar 2005 18:11:23 KGT:40007: uvscan: finished scan in 1.860183 secs
Mon, 14 Mar 2005 18:11:41 KGT:40007: SA: REPORT hits = 10.6/3.5
1.3 GAPPY_SUBJECT Subject: contains G.a.p.p.y-T.e.x.t
10 EXPO_SUCKERS Subject: contains [expoforum_kg]
1.3 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
0.5 TARGETED BODY: Targeted Traffic / Email Addresses

Mon, 14 Mar 2005 18:11:41 KGT:40007: SA: yup, this smells like SPAM -
hits=10.6 - rejecting message...
Mon, 14 Mar 2005 18:11:41 KGT:40007: SA: finished scan in 17.88551
secs - hits=10.6
Mon, 14 Mar 2005 18:11:41 KGT:40007: r_e: X-Qmail-Scanner-1.25st: We
have reasons to believe this mail is SPAM

This is an example of unsuccessful detection:

Tue, 15 Mar 2005 18:28:48 KGT:17412: from='Jodi Chu
<gu...@hotmail.com>', subj='[expoforum_kg] Paid ontime 50%
profit', via SMTP from 66.94.237.41
Tue, 15 Mar 2005 18:28:50 KGT:17412: uvscan: finished scan in 1.859957 secs
Tue, 15 Mar 2005 18:29:06 KGT:17412: SA: REPORT hits = 0.4/3.5
1.0 RATWARE_HASH_2_V2 Bulk email fingerprint (hash 2 v2) found
0.1 TO_EMPTY To: is empty
0.0 RATWARE_HASH_2 Bulk email fingerprint (hash 2) found
0.1 EXCUSE_3 BODY: Claims you can be removed from the list
0.0 EXCUSE_7 BODY: Claims you can be removed from the list
0.3 EXCUSE_REMOVE BODY: Talks about how to be removed from mailings
1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: idv.st]
0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE

Tue, 15 Mar 2005 18:29:06 KGT:17412: SA: required_hits 3.5 /
sa_quarantine +2.1 / sa_delete +4.2
Tue, 15 Mar 2005 18:29:06 KGT:17412: SA: finished scan in 16.069264
secs - hits=0.4

Any ideas would be greatly appreciated.

Thank you.
Roman

Re: Please help with subject rule

[Evan Platt <ev...@espphotography.com>]

At 08:58 PM 3/17/2005, you wrote:

>Everything works like a charm but we receive a lot of spam messages
>from yahoo.com group with [expoforum_kg] subject.  I created a rule in
>20_head_tests.cf to score all messages containing [expoforum_kg] in a
>subject.  I know I shouldn't use global cf rules but I was just
>testing.

Unless I'm missing the point... expoforum_kg-unsubscribe@yahoogroups.com 
would be a much better solution. :)

Evan