Posted to users@spamassassin.apache.org by Rick Mallett <rm...@ccs.carleton.ca> on 2006/12/04 16:01:25 UTC

Over Zealous Checks for Nigerian 419 Scams

We run a centralized spam filtering facility using
SpamAssassin and Mimedefang and we bounce (refuse receipt of) messages
that score higher than 10 and we've been doing this for several years
and never had any complaints of FPs from our users.

However, one of our users was having trouble receiving a newsletter
from Zimbabwe and the mail logs showed that some of the messages were
scoring a bit over 11 and being refused for that reason.

When I finally managed to get a copy of the newsletter and run it
through SpamAssassin manually I was surprised to discover that the
bulk of the points came from the checks in 20_advance_fee.cf which are
attempting to identify Nigerian 419 scams and which appear to be far
too aggressive IMO and likely to result in lots of FPs for certain
types of message.

It also picked up a few points from 99_sare_fraud_post25x.cf and I'm
also wondering if maybe those rules are inappropriate with SA 3.1.7
which is what I'm running.

For example, the newsletter, which consisted of several articles
dealing with corruption in Zimbabwe and information about banking
rules and regulations received just under 8.5 points because it had
the words "remit", "business partner", "dollar", "in your country" and
"US$3 million".

Here are the relevant lines from the debug run

dbg: rules: ran body rule __FRAUD_WNY ======> got hit: "remit"
dbg: rules: ran body rule __FRAUD_TDP ======> got hit: "business partner"
dbg: rules: ran body rule __FRAUD_DBI ======> got hit: "dollar"
dbg: rules: ran body rule __FRAUD_IPK ======> got hit: "in your country"
dbg: rules: ran body rule __FRAUD_KDT ======> got hit: "US$3 million"

and here are the scores for having more than 2, 3, 4, and 5 hits on the
various __FRAUD__xxx META rules such as those shown above.

score ADVANCE_FEE_1 0 0 0.114 0
score ADVANCE_FEE_2 1.607 0.647 1.189 1.392
score ADVANCE_FEE_3 2.872 1.760 3.330 3.336
score ADVANCE_FEE_4 3.024 3.040 3.515 3.727

As you can see, having those 5 words and/or phrases results in 8.455
points because all 4 rules succeed and contribute points to the spam
score, whereas it would seem logical that only the one rule with the
highest points should apply, or the points should be a bit lower
to reduce the cumulative effect of hits on all of the rules.

The newsletter also picked up an additional 1.67 points because
of hits on the following META rules in 99_sare_fraud_post25x.cf which
triggered SARE_FRAUD_X3

dbg: rules: ran body rule __SARE_FRAUD_MONEY ======> got hit: "money transfer"
dbg: rules: ran body rule __SARE_FRAUD_LOC ======> got hit: " Zimbabwe "
dbg: rules: ran body rule __SARE_FRAUD_TINHORN ======> got hit: " Mugabe "
dbg: rules: ran body rule __SARE_FRAUD_MISC ======> got hit: "your country"

which in one case "your country" is a META rule that also ended up
contributing points via 20_advance_fee.cf so I'm now thinking I 
should stop using 99_sare_fraud_post25x.cf.

BTW, I've included some of the sentences from the newsletter that
triggered hits on the various META rules in 20_advance_fee.cf so that
you can see that they are all rather benign.

MTAs mushroomed in Zimbabwe since 2004 and have primarily served as a
channel for the more than three million Zimbabweans, or more than a
quarter of the country's population, living and working abroad to
remit cash back home through official banking system.

Former MP and businessman Tirivanhu Mudariki, who together with senior
government officials including Vice-President Joice Mujuru, have been linked
to the Ziscosteel looting saga, is a key business partner of the Mujuru
family.

However closure of MTAs appeared to have had little impact on the
black market which has continued to flourish with the American dollar
now fetching anything above Z$2 000 compared to the official market
rate of one greenback to Z$250.

Tekere said wistfully that people in your country have more money than
we have.

NECI investigators who went to Botswana to probe the Zisco graft
discovered plans were already under way to sell the two subsidiaries
for US$3 million to undisclosed buyers by repaying their parent firm
funds that were used to controversially purchase them in 2001.

- rick
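
Added example (not part of the original post and not SpamAssassin's own code): a short Python script that parses the debug and score lines quoted above and compares the cumulative ADVANCE_FEE total with a "highest rule only" total for each score column. Assumptions: ADVANCE_FEE_N fires when more than N __FRAUD_* sub-rules hit, the four score columns are SpamAssassin's score sets 0-3 (no Bayes/no network, no Bayes/network, Bayes/no network, Bayes/network), and all function names are hypothetical.

```python
import re

# Debug and score lines copied from the post above.
DEBUG = '''\
dbg: rules: ran body rule __FRAUD_WNY ======> got hit: "remit"
dbg: rules: ran body rule __FRAUD_TDP ======> got hit: "business partner"
dbg: rules: ran body rule __FRAUD_DBI ======> got hit: "dollar"
dbg: rules: ran body rule __FRAUD_IPK ======> got hit: "in your country"
dbg: rules: ran body rule __FRAUD_KDT ======> got hit: "US$3 million"
'''
SCORES = '''\
score ADVANCE_FEE_1 0 0 0.114 0
score ADVANCE_FEE_2 1.607 0.647 1.189 1.392
score ADVANCE_FEE_3 2.872 1.760 3.330 3.336
score ADVANCE_FEE_4 3.024 3.040 3.515 3.727
'''
HIT_RE = re.compile(r'ran body rule (__FRAUD_\w+) =+> got hit: "(.*)"')
SET_LABELS = ["no Bayes/no net", "no Bayes/net", "Bayes/no net", "Bayes/net"]

def fraud_hits(debug_text):
    """Return {sub-rule: matched text} for __FRAUD_* body-rule hits."""
    return dict(HIT_RE.findall(debug_text))

def parse_scores(text):
    """Return {rule: [set0, set1, set2, set3]} from 'score' lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "score":
            table[parts[1]] = [float(v) for v in parts[2:]]
    return table

def fired(hit_count, scores):
    """Rules that fire. Assumption: ADVANCE_FEE_N needs more than N hits."""
    return [r for r in sorted(scores) if hit_count > int(r.rsplit("_", 1)[1])]

def totals(hit_count, scores, score_set):
    """Return (sum of all fired rules, highest single fired rule)."""
    vals = [scores[r][score_set] for r in fired(hit_count, scores)]
    return (round(sum(vals), 3), max(vals, default=0.0))

if __name__ == "__main__":
    hits, scores = fraud_hits(DEBUG), parse_scores(SCORES)
    for s, label in enumerate(SET_LABELS):
        total, top = totals(len(hits), scores, s)
        print(f"set {s} ({label}): cumulative {total}, highest only {top}")
```

Only the fourth column (Bayes and network tests both enabled) adds up to the 8.455 points reported in the post.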