You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by James Wilkinson <sa...@aprilcottage.co.uk> on 2019/08/13 10:03:25 UTC
__FRAUD_JBU and __FRAUD_TCC
Hello all you happy people,
While debugging a FP on ADVANCE_FEE_3_NEW, I noticed that it included
body __FRAUD_JBU /\bforeign account\b/i
and
body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i
Correct me if I'm wrong, but won't anything matching __FRAUD_JBU also
match __FRAUD_TCC? It also means that the phrase "foreign account" has
twice the weight of "computer ballot system", "affidavits" or "as the
beneficiary", which seems wrong.
https://svn.apache.org/repos/asf/spamassassin/trunk/rules/20_advance_fee.cf
is the file in SVN trunk.
Is this worth raising as a bug (or improvement request)? Could someone
try variants of the ADVANCE_FEE rules without __FRAUD_JBU and see if
it performs better?
Unfortunately, I can't see enough of the original email, and would be
unlikely to have permission to supply it if I did.
Thanks,
James.
Re: __FRAUD_JBU and __FRAUD_TCC
Posted by John Hardin <jh...@impsec.org>.
On Tue, 13 Aug 2019, James Wilkinson wrote:
> Hello all you happy people,
>
> While debugging a FP on ADVANCE_FEE_3_NEW, I noticed that it included
> body __FRAUD_JBU /\bforeign account\b/i
> and
> body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i
The _NEW rules don't reference __FRAUD_JBU, so the double-scoring isn't an
issue for them. The older rules do reference both, but they are commented
out because the _NEW rules replace them.
Unless those subrules are used separately in two different scored rules,
they don't double-score the message. Something like this won't hit twice:
meta FNORD __FRAUD_JBU || __FRAUD_TCC
The only place I see __FRAUD_JBU being used in all of the base rules is in
the commented-out old ADVANCE_FEE rules. This suggests if that *is* the
source of your FP, it's being used in a local rule.
> https://svn.apache.org/repos/asf/spamassassin/trunk/rules/20_advance_fee.cf
> is the file in SVN trunk.
The current rules are in
../svn/trunk/rulesrc/sandbox/jhardin/20_advance_fee_reevolved.cf
meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD +
__BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL +
DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC
+ __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU +
__FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP +
__FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK +
__FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY +
__FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT +
__FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC +
__FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT +
__INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 +
LOTTO_AGENT + LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED +
LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER +
__NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT +
__THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY
+ __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON >
2) && !__THREAD_INDEX_GOOD
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
2 days until the 74th anniversary of the end of World War II
Re: __FRAUD_JBU and __FRAUD_TCC
Posted by RW <rw...@googlemail.com>.
On Tue, 13 Aug 2019 11:03:25 +0100
James Wilkinson wrote:
> Hello all you happy people,
>
> While debugging a FP on ADVANCE_FEE_3_NEW, I noticed that it included
> body __FRAUD_JBU /\bforeign account\b/i
> and
> body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i
>
> Correct me if I'm wrong, but won't anything matching __FRAUD_JBU also
> match __FRAUD_TCC? It also means that the phrase "foreign account" has
> twice the weight of "computer ballot system", "affidavits" or "as the
> beneficiary", which seems wrong.
It's probably an oversight, but as ADVANCE_FEE_3_NEW has a threshold of
three sub-rules it could be intentional.
It's possible that __FRAUD_JBU was regarded as strong enough to only
require one piece of independent corroboration.
Re: __FRAUD_JBU and __FRAUD_TCC
Posted by John Hardin <jh...@impsec.org>.
On Tue, 13 Aug 2019, James Wilkinson wrote:
> Hello all you happy people,
>
> While debugging a FP on ADVANCE_FEE_3_NEW, I noticed that it included
> body __FRAUD_JBU /\bforeign account\b/i
> and
> body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i
>
> Correct me if I'm wrong, but won't anything matching __FRAUD_JBU also
> match __FRAUD_TCC? It also means that the phrase "foreign account" has
> twice the weight of "computer ballot system", "affidavits" or "as the
> beneficiary", which seems wrong.
>
> https://svn.apache.org/repos/asf/spamassassin/trunk/rules/20_advance_fee.cf
> is the file in SVN trunk.
>
> Is this worth raising as a bug (or improvement request)? Could someone
> try variants of the ADVANCE_FEE rules without __FRAUD_JBU and see if
> it performs better?
Raising it here on the list first is the correct procedure. I'll take a
look at it.
> Unfortunately, I can't see enough of the original email, and would be
> unlikely to have permission to supply it if I did.
Not a problem, noting the dupe is sufficient.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
2 days until the 74th anniversary of the end of World War II