Posted to users@spamassassin.apache.org by Sergio <se...@gmail.com> on 2011/11/25 18:49:27 UTC

How long a rule can be?

I have the following rule where I wrote all the HELO spammers that SA
didn't catch; I insert the new HELO every time that I find one. My concern
is: is it too much for just one rule, or can the rule grow without limit?

header   CHARLY_RULE1    ALL =~
/(actaddonuniverse\.net|albeitnetworks\.com|allotic\.info|andersonbolt\.info|atefchoca\.info|backtobackfunding\.com|baskan\.info|betabel\.info|black-and-whiteticket\.info|bodygid\.info|brevardphysicians\.net|cheetloope\.info|circuitfivenine\.com|claimatic\.info|cmasyria\.com|complementhold\.com|CORE5PUMPER2|dauksstold\.info|dtsetfieri\.info|eshisha\.org|evegashotels\.com|felisranty\.info|finkleandthecleanshorts\.com|fisterfarms\.info|furium\.info|furizer\.info|gardenhowevercity\.net|grownvegetables\.com|hookerdaybyday\.info|hostalmiraflores\.com|hotrodbailbondsks\.com|juddy\.org|laughsidecant\.net|layeredvpnzervices\.com|lyonlandscapema\.com|maritimecranesimulator\.com|miiiley\.com|mixcomstar\.net|monitorstarway\.com|naturopathyport\.info|netcontrolusa\.com|pataboden\.info|peoriachat\.com|powerfulrun\.com|print2floors\.com|relacionesy\.com|slowlybuymorning\.info|stonyroadalbum\.com|straighttin\.info|sumejorweb\.com|surelycomplainsecretary\.info|teuksull\.info|theharborccc\.org|themiamibeachheat\.com|thoroughlydevelopment\.info|tivolicn\.com|whaukferth\.com|barrchickenjoint\.info)/i
describe CHARLY_RULE1    Charly Spammers
score    CHARLY_RULE1    11

Regards,

Sergio

Re: How long a rule can be?

Posted by Axb <ax...@gmail.com>.
On 2011-11-25 18:49, Sergio wrote:
> I have the following rule where I wrote all the HELO spammers that SA
> didn't catch; I insert the new HELO every time that I find one. My concern
> is: is it too much for just one rule, or can the rule grow without limit?
>
> header   CHARLY_RULE1    ALL =~
> /(actaddonuniverse\.net|albeitnetworks\.com|allotic\.info|andersonbolt\.info|atefchoca\.info|backtobackfunding\.com|baskan\.info|betabel\.info|black-and-whiteticket\.info|bodygid\.info|brevardphysicians\.net|cheetloope\.info|circuitfivenine\.com|claimatic\.info|cmasyria\.com|complementhold\.com|CORE5PUMPER2|dauksstold\.info|dtsetfieri\.info|eshisha\.org|evegashotels\.com|felisranty\.info|finkleandthecleanshorts\.com|fisterfarms\.info|furium\.info|furizer\.info|gardenhowevercity\.net|grownvegetables\.com|hookerdaybyday\.info|hostalmiraflores\.com|hotrodbailbondsks\.com|juddy\.org|laughsidecant\.net|layeredvpnzervices\.com|lyonlandscapema\.com|maritimecranesimulator\.com|miiiley\.com|mixcomstar\.net|monitorstarway\.com|naturopathyport\.info|netcontrolusa\.com|pataboden\.info|peoriachat\.com|powerfulrun\.com|print2floors\.com|relacionesy\.com|slowlybuymorning\.info|stonyroadalbum\.com|straighttin\.info|sumejorweb\.com|surelycomplainsecretary\.info|teuksull\.info|theharborccc\.org|themiamibeachheat\.com|thoroughlydevelopment\.info|tivolicn\.com|whaukferth\.com|barrchickenjoint\.info)/i
> describe CHARLY_RULE1    Charly Spammers
> score    CHARLY_RULE1    11

Just curious... what are you trying to achieve by running these domains
through ALL headers?
Catch senders? Received headers?

Re: How long can a rule be?

Posted by John Hardin <jh...@impsec.org>.
On Wed, 30 Nov 2011, Sergio wrote:

> I use MailScanner to check on my emails and I have not yet found a way to
> train Bayes; I will check on that.

That's going to be critical.

> In the meantime, I have learned not to check in "ALL" headers. I have
> redefined my first rules and now I have seen a better approach to what I am
> doing; I still need a lot more input from experts, :)

Avoid "poison pill" rules.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The Tea Party wants to remove the Crony from Crony Capitalism.
   OWS wants to remove Capitalism from Crony Capitalism.
                                                     -- Astaghfirullah
-----------------------------------------------------------------------
  15 days until Bill of Rights day

Re: How long can a rule be?

Posted by Sergio <se...@gmail.com>.
Thank you Adam,
I have been working hard on learning a lot of things about antispam rules,
and I appreciate all the input that the list is giving me.

I use MailScanner to check on my emails and I have not yet found a way to
train Bayes; I will check on that.

In the meantime, I have learned not to check in "ALL" headers. I have
redefined my first rules and now I have seen a better approach to what I am
doing; I still need a lot more input from experts, :)

Regards,

Sergio

On Tue, Nov 29, 2011 at 2:21 PM, Adam Katz <an...@khopis.com> wrote:

> Summary for the impatient:
> Do not write rules like this.
> Instead, train Bayes, make sure you're using DNSBLs.
>
> On 11/25/2011 09:49 AM, Sergio wrote:
> > I wrote all the HELO spammers that SA didn't catch
> ...
> > header   CHARLY_RULE1    ALL =~ /(...)/i
> > describe CHARLY_RULE1    Charly Spammers
> > score    CHARLY_RULE1    11
>
> Given the description in your email, that should probably be:
>
> header   CHARLY_RULE1    X-Spam-Relays-Untrusted =~ / helo=(?:...) /i
> describe CHARLY_RULE1    A custom list of uncaught relay HELOs
> score    CHARLY_RULE1    4
>
> You should be *very* careful about scoring any individual rule at or
> above the spam flagging threshold (default is 5, do not lower).  There
> is almost always a better (and safer!) solution.
>
> > My concern is: is it too much for just one rule, or can the rule grow
> > without limit?
>
> Let's just say you don't need to worry about that.  We have several 150+
> character rules on SA's trunk and I've seen rules with regexp lengths in
> the thousands (not that that's necessarily a good thing, but it does
> work, albeit slowly).
>
>
> Still, this seems like a really bad idea; one hammy HELO in there and
> the whole thing starts hurting.  I think you'll be *far* better served
> by training bayes.
>
> You should also double check to ensure your DNS lookups are properly
> configured and plugins like Razor are turned on.  We don't have the best
> of resources to walk you through this, but you can start with
> http://wiki.apache.org/spamassassin/DnsBlocklists#Questions_And_Answers

Re: How long can a rule be?

Posted by Adam Katz <an...@khopis.com>.
Summary for the impatient:
Do not write rules like this.
Instead, train Bayes, make sure you're using DNSBLs.

On 11/25/2011 09:49 AM, Sergio wrote:
> I wrote all the HELO spammers that SA didn't catch
...
> header   CHARLY_RULE1    ALL =~ /(...)/i
> describe CHARLY_RULE1    Charly Spammers
> score    CHARLY_RULE1    11

Given the description in your email, that should probably be:

header   CHARLY_RULE1    X-Spam-Relays-Untrusted =~ / helo=(?:...) /i
describe CHARLY_RULE1    A custom list of uncaught relay HELOs
score    CHARLY_RULE1    4

You should be *very* careful about scoring any individual rule at or
above the spam flagging threshold (default is 5, do not lower).  There
is almost always a better (and safer!) solution.

> My concern is: is it too much for just one rule, or can the rule grow
> without limit?

Let's just say you don't need to worry about that.  We have several 150+
character rules on SA's trunk and I've seen rules with regexp lengths in
the thousands (not that that's necessarily a good thing, but it does
work, albeit slowly).


Still, this seems like a really bad idea; one hammy HELO in there and
the whole thing starts hurting.  I think you'll be *far* better served
by training bayes.

You should also double check to ensure your DNS lookups are properly
configured and plugins like Razor are turned on.  We don't have the best
of resources to walk you through this, but you can start with
http://wiki.apache.org/spamassassin/DnsBlocklists#Questions_And_Answers
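As an added illustration (not code from the thread or from SpamAssassin itself), the script below renders the narrowed rule Adam suggests from a list of HELO names and contrasts it with the original ALL-headers match on constructed sample data. The X-Spam-Relays-Untrusted value and the message headers are constructed samples; the relay layout is assumed to follow SpamAssassin's documented `[ ip=... rdns=... helo=... by=... ]` form.

```python
import re

# Constructed sample: a handful of HELO names taken from the rule in the thread.
HELO_LIST = ["print2floors.com", "CORE5PUMPER2", "albeitnetworks.com", "actaddonuniverse.net"]

# Constructed headers of a legitimate message that merely mentions one of those domains.
HAM_HEADERS = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.net\n"
    "From: alice@example.org\n"
    "Subject: Re: the print2floors.com invoice you asked about\n"
)
# Constructed X-Spam-Relays-Untrusted values (assumed to follow SpamAssassin's
# documented layout: one [ ... ] field set per untrusted relay).
HAM_RELAYS = ("[ ip=192.0.2.10 rdns=mail.example.org helo=mail.example.org "
              "by=mx.example.net ident= envfrom= intl=0 id=A1 auth= msa=0 ]")
SPAM_RELAYS = ("[ ip=198.51.100.7 rdns= helo=print2floors.com "
               "by=mx.example.net ident= envfrom= intl=0 id=B2 auth= msa=0 ]")


def helo_alternation(helos):
    """Escape each HELO name and join them into one alternation, sorted for stable output."""
    return "|".join(re.escape(h) for h in sorted(helos, key=str.lower))


def build_helo_rule(name, helos, score):
    """Render the narrowed rule from the thread: test only the untrusted relays' helo= field."""
    return "\n".join([
        f"header   {name}    X-Spam-Relays-Untrusted =~ / helo=(?:{helo_alternation(helos)}) /i",
        f"describe {name}    A custom list of uncaught relay HELOs",
        f"score    {name}    {score}",
    ])


def rule_regex(rule_text):
    """Pull the /.../i body out of the rendered header line."""
    return re.search(r"=~ /(.*)/i$", rule_text, re.M).group(1)


def helo_rule_hits(rule_text, relays_untrusted):
    """Does the narrowed rule match this X-Spam-Relays-Untrusted value?"""
    return re.search(rule_regex(rule_text), relays_untrusted, re.I) is not None


def all_headers_rule_hits(helos, raw_headers):
    """The same list applied the original way (ALL =~ /(...)/i): any header text can match."""
    return re.search(f"({helo_alternation(helos)})", raw_headers, re.I) is not None


if __name__ == "__main__":
    rule = build_helo_rule("CHARLY_RULE1", HELO_LIST, 4)
    print(rule)
    print("ham, ALL headers:", all_headers_rule_hits(HELO_LIST, HAM_HEADERS))  # True: false positive
    print("ham, helo only  :", helo_rule_hits(rule, HAM_RELAYS))             # False
    print("spam, helo only :", helo_rule_hits(rule, SPAM_RELAYS))            # True
```

The ham message trips the ALL-headers version because its Subject mentions a listed domain, while the helo= version only fires when a listed name is what an untrusted relay actually announced; the score of 4 keeps a single hit below the default threshold of 5.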