Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/12/04 21:06:34 UTC

Re: Over Zealous Checks for Nigerian 419 Scams

please feel free to pass on more FP samples for these rules -- so
far we clearly don't have enough, given those scores!

--j.

Rick Mallett writes:
> We run a centralized spam filtering facility using
> SpamAssassin and Mimedefang and we bounce (refuse receipt of) messages
> that score higher than 10 and we've been doing this for several years
> and never had any complaints of FP's from our users.
> 
> However, one of our users was having trouble receiving a newsletter
> from Zimbabwe and the mail logs showed that some of the messages were
> scoring a bit over 11 and being refused for that reason.
> 
> When I finally managed to get a copy of the newsletter and run it
> through SpamAssassin manually I was surprised to discover that the
> bulk of the points came from the checks in 20_advance_fee.cf which are
> attempting to identify Nigerian 419 scams and which appear to be far
> too aggressive IMO and likely to result in lots of FPs for certain
> types of message.
> 
> It also picked up a few points from 99_sare_fraud_post25x.cf and I'm
> also wondering if maybe those rules are inappropriate with SA 3.1.7
> which is what I'm running.
> 
> For example, the newsletter, which consisted of several articles
> dealing with corruption in Zimbabwe and information about banking
> rules and regulations received just under 8.5 points because it had
> the words "remit", "business partner", "dollar", "in your country" and
> "US$3 million".
> 
> Here are the relevant lines from the debug run
> 
> dbg: rules: ran body rule __FRAUD_WNY ======> got hit: "remit"
> dbg: rules: ran body rule __FRAUD_TDP ======> got hit: "business partner"
> dbg: rules: ran body rule __FRAUD_DBI ======> got hit: "dollar"
> dbg: rules: ran body rule __FRAUD_IPK ======> got hit: "in your country"
> dbg: rules: ran body rule __FRAUD_KDT ======> got hit: "US$3 million"
> 
> and here are the scores for having more than 2, 3, 4, and 5 hits on the
> various __FRAUD__xxx META rules such as those shown above.
> 
> score ADVANCE_FEE_1 0 0 0.114 0
> score ADVANCE_FEE_2 1.607 0.647 1.189 1.392
> score ADVANCE_FEE_3 2.872 1.760 3.330 3.336
> score ADVANCE_FEE_4 3.024 3.040 3.515 3.727
> 
> As you can see having those 5 words and/or phrases results in 8.455
> points because all 4 rules succeed and contribute points to the spam
> score, whereas it would seem logical that only the one rule with the
> highest points should apply, or the points should be a bit lower
> to reduce the cumulative effect of hits on all of the rules.
> 
> The newsletter also picked up an additional 1.67 points because
> of hits on the following META rules in 99_sare_fraud_post25x.cf which
> triggered SARE_FRAUD_X3
> 
> dbg: rules: ran body rule __SARE_FRAUD_MONEY ======> got hit: "money transfer"
> dbg: rules: ran body rule __SARE_FRAUD_LOC ======> got hit: " Zimbabwe "
> dbg: rules: ran body rule __SARE_FRAUD_TINHORN ======> got hit: " Mugabe "
> dbg: rules: ran body rule __SARE_FRAUD_MISC ======> got hit: "your country"
> 
> which in one case "your country" is a META rule that also ended up
> contributing points via 20_advance_fee.cf so I'm now thinking I 
> should stop using 99_sare_fraud_post25x.cf.
> 
> BTW, I've included some of the sentences from the newsletter that
> triggered hits on the various META rules in 20_advance_fee.cf so that
> you can see that they are all rather benign.
> 
> MTAs mushroomed in Zimbabwe since 2004 and have primarily served as a
> channel for the more than three million Zimbabweans, or more than a
> quarter of the country's population, living and working abroad to
> remit cash back home through official banking system.
> 
> Former MP and businessman Tirivanhu Mudariki, who together with senior
> government officials including Vice-President Joice Mujuru, have been linked
> to the Ziscosteel looting saga, is a key business partner of the Mujuru
> family.
> 
> However closure of MTAs appeared to have had little impact on the
> black market which has continued to flourish with the American dollar
> now fetching anything above Z$2 000 compared to the official market
> rate of one greenback to Z$250.
> 
> Tekere said wistfully that people in your country have more money than
> we have.
> 
> NECI investigators who went to Botswana to probe the Zisco graft
> discovered plans were already under way to sell the two subsidiaries
> for US$3 million to undisclosed buyers by repaying their parent firm
> funds that were used to controversially purchase them in 2001.
> 
> - rick
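
Added example, not part of the original thread and not SpamAssassin's own code: it parses the debug and score lines quoted above and compares the cumulative ADVANCE_FEE total with the "highest rule only" alternative Rick suggests, for each of the four score sets. The meta thresholds (ADVANCE_FEE_N fires when more than N __FRAUD_ sub-rules hit) are an assumption chosen so that five hits fire all four rules, as the message reports; the function names are hypothetical.

```python
import re

# Constructed input: debug and score lines copied from the message above.
DEBUG = '''\
dbg: rules: ran body rule __FRAUD_WNY ======> got hit: "remit"
dbg: rules: ran body rule __FRAUD_TDP ======> got hit: "business partner"
dbg: rules: ran body rule __FRAUD_DBI ======> got hit: "dollar"
dbg: rules: ran body rule __FRAUD_IPK ======> got hit: "in your country"
dbg: rules: ran body rule __FRAUD_KDT ======> got hit: "US$3 million"
dbg: rules: ran body rule __SARE_FRAUD_MISC ======> got hit: "your country"
'''
SCORES = '''\
score ADVANCE_FEE_1 0 0 0.114 0
score ADVANCE_FEE_2 1.607 0.647 1.189 1.392
score ADVANCE_FEE_3 2.872 1.760 3.330 3.336
score ADVANCE_FEE_4 3.024 3.040 3.515 3.727
'''
# Assumption (not from the rule file): ADVANCE_FEE_N fires on more than N hits.
THRESHOLDS = {"ADVANCE_FEE_%d" % n: n for n in (1, 2, 3, 4)}
HIT_RE = re.compile(r'ran body rule (__\w+) =+> got hit: "(.*)"')

def parse_hits(text, prefix="__FRAUD_"):
    """Return {sub-rule: matched text} for sub-rules with the given prefix."""
    return {m.group(1): m.group(2) for m in HIT_RE.finditer(text)
            if m.group(1).startswith(prefix)}

def parse_scores(text):
    """Return {rule: [score for score sets 0..3]} from 'score NAME a b c d'."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "score":
            table[parts[1]] = [float(x) for x in parts[2:]]
    return table

def fired(hit_count, thresholds=THRESHOLDS):
    """Meta rules whose threshold is exceeded by the number of sub-rule hits."""
    return [rule for rule, t in thresholds.items() if hit_count > t]

def totals(score_table, rules):
    """Per score set: (sum over all fired rules, highest single fired rule)."""
    cols = list(zip(*(score_table[r] for r in rules)))
    return [(round(sum(c), 3), max(c)) for c in cols]

if __name__ == "__main__":
    hits = parse_hits(DEBUG)
    rules = fired(len(hits))
    for i, (cumulative, highest) in enumerate(totals(parse_scores(SCORES), rules)):
        print("score set %d: cumulative %.3f, highest-only %.3f" % (i, cumulative, highest))
```

The 8.455 figure in the message is the cumulative total for score set 3 (the fourth column, used when both Bayes and network tests are enabled); under the highest-only alternative the same message would get 3.727 from these rules.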

Re: Over Zealous Checks for Nigerian 419 Scams

Posted by Nigel Frankcom <ni...@blue-canoe.net>.
On Mon, 04 Dec 2006 16:12:01 -0500 (EST), Rick Mallett
<rm...@ccs.carleton.ca> wrote:

>What's the proper way to submit material for the ham corpus?
>
>I've got the entire newsletter that resulted in the "Nigerian Scam" 
>FP I reported but I wasn't sure if it was appropriate to include it in
>the posting.
>
>It's only about 3 pages long but it's got both a plain text and an HTML
>component and it's about 50KB in size.
>
>- rick
>
>On Mon, 4 Dec 2006, Justin Mason wrote:
>
>>
>> please feel free to pass on more FP samples for these rules -- so
>> far we clearly don't have enough, given those scores!
>>
>> --j.
>>
>
>[deleted]

What's the method for submitting false negatives to that particular
corpus? I got 6 of em in one day last week - that's usually my entire
spam quotient for a month; that they came to my personal account added
insult to injury :-D

Keep doing what you do, it sure as hell makes my life easier.

Kind regards

Nigel

Re: Over Zealous Checks for Nigerian 419 Scams

Posted by Chris Purves <ch...@northfolk.ca>.
Rick Mallett wrote:
> What's the proper way to submit material for the ham corpus?
> 

I have never done it myself, but I found this in the wiki:

http://wiki.apache.org/spamassassin/UploadedCorpora

-- 
Chris


Re: Over Zealous Checks for Nigerian 419 Scams

Posted by Rick Mallett <rm...@ccs.carleton.ca>.
What's the proper way to submit material for the ham corpus?

I've got the entire newsletter that resulted in the "Nigerian Scam" 
FP I reported but I wasn't sure if it was appropriate to include it in
the posting.

It's only about 3 pages long but it's got both a plain text and an HTML
component and it's about 50KB in size.

- rick

On Mon, 4 Dec 2006, Justin Mason wrote:

>
> please feel free to pass on more FP samples for these rules -- so
> far we clearly don't have enough, given those scores!
>
> --j.
>

[deleted]