You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Mat Harris <ma...@genestate.com> on 2004/02/16 11:11:45 UTC

running mass-checl

Hi,
  Is there a special procedure for running mass-check with my custom
rules etc?

I have tried everything (different arguments, hacking source) but it still
seems to only use rules shipped with the tarball i got mass-check from.

I have cf's symlinked to /etc/mail/spamassassin and they score ok in test,
but they don't show up in freqs after running (nor do my backhair, bigevil
etc, which are in the smae dir).

thanks

-- 
Cats land on their feet. 
Toast lands jellyside down.
A cat glued to some jelly toast will hover in quantum indecision 
	
perl -e'$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: \
	12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print' 

Yes, of course it's the right cabl [le0: NO CARRIER]

Re: running mass-check

Posted by Mat Harris <ma...@genestate.com>.

On Mon, Feb 16, 2004 at 09:35:14PM -0800, Robert Menschel wrote:
> Hello Mat,
> 
> Monday, February 16, 2004, 2:11:45 AM, you wrote:
> 
> MH> Hi,
> MH>   Is there a special procedure for running mass-check with my custom
> MH> rules etc?
> 
> My method is documented at http://www.exit0.us/index.php/BobCorpusTest
> 
> Bob Menschel

Thanks for the reply Bob, your shell script worked a treat without any modification
(i am running redhat 7.3 btw).

I can now see which rules are really working. I also like the suggested scoring and
am experimenting with that now.

I also appologise for the typo in my original mail subject, I've only just noticed.

thanks again

mat

-- 
Cats land on their feet. 
Toast lands jellyside down.
A cat glued to some jelly toast will hover in quantum indecision 

perl -e'$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: \
	12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print' 

Yes, of course it's the right cabl [le0: NO CARRIER]

Re: running mass-checl

Posted by Robert Menschel <Ro...@Menschel.net>.

Hello Mat,

Monday, February 16, 2004, 2:11:45 AM, you wrote:

MH> Hi,
MH>   Is there a special procedure for running mass-check with my custom
MH> rules etc?

My method is documented at http://www.exit0.us/index.php/BobCorpusTest

Bob Menschel

Re: running mass-checl

Posted by Mat Harris <ma...@genestate.com>.

On Mon, Feb 16, 2004 at 09:37:04 -0500, Matt Kettler wrote:
> when you run mass check, if ../rules exists, it will use that instead of 
> the global rules.
> 
> Usualy when mass-checking and testing rules, it's convenient to test them 
> in a "non-live" configuration. I generally do my mass checks by unpacking a 
> tarball, and adding my rules to the rules subdir of the tarball.
> 

thanks for the reply,

i will give that a try. I totally understand not testing on a live system, the
number of times i could have saved myself a day :)

thanks

-- 
Cats land on their feet. 
Toast lands jellyside down.
A cat glued to some jelly toast will hover in quantum indecision 
	
perl -e'$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: \
	12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print' 

Yes, of course it's the right cabl [le0: NO CARRIER]

Re: running mass-checl

Posted by Matt Kettler <mk...@comcast.net>.

At 10:11 AM 2/16/04 +0000, Mat Harris wrote:
>Hi,
>   Is there a special procedure for running mass-check with my custom
>rules etc?
>
>I have tried everything (different arguments, hacking source) but it still
>seems to only use rules shipped with the tarball i got mass-check from.

when you run mass check, if ../rules exists, it will use that instead of 
the global rules.

Usualy when mass-checking and testing rules, it's convenient to test them 
in a "non-live" configuration. I generally do my mass checks by unpacking a 
tarball, and adding my rules to the rules subdir of the tarball.

Re: [spa] Re: bad href rule....

Posted by David B Funk <db...@engineering.uiowa.edu>.

On Tue, 17 Feb 2004, Charles Gregory wrote:

>
> (smug look) Gee, I'm getting good at this..... :-)
> You've already got 433 of those in your corpus? They only started
> a couple of days ago.... (shake head)
>
> - Charles
>
> On Tue, 17 Feb 2004, Robert Menschel wrote:
> > Hello Charles,
> > Monday, February 16, 2004, 8:38:10 AM, you wrote:
> >
> > CG> Seeing a  new run of spam with:
> > CG> {a hrefstringhref=http://bogus.url href="http://real.url"}
> >
> > CG> I think they are hoping to fool a primitive scan for 'href=' but it
> > CG> just makes for a really unambiguous spamsign. I'm scoring it high.
> > CG> We'll probably see some variations on this soon, with other things in
> > CG> front of href.....
> >
> > CG> rawbody LOC_HTMLBADHREF  /href[a-z]*href/i
> > CG> describe LOC_HTMLBADHREF href(string)href in link
> > CG> score LOC_HTMLBADHREF    2.5
> >
> > LOC_HTMLBADHREF -- 433s/0h of 100794 corpus (82099s/18695h) 02/16/04
> > Bob Menschel

No, I've been seeing that junk for several weeks now.
I wrote a similar rule that is a little less discriminating but
seems to work for me.

rawbody L_FAKE_HREF     /\w\whref=http:/i
describe L_FAKE_HREF    Faked href to hide spammer URLs
score L_FAKE_HREF       1.7


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: [spa] Re: bad href rule....

Posted by Charles Gregory <cg...@hwcn.org>.

(smug look) Gee, I'm getting good at this..... :-)
You've already got 433 of those in your corpus? They only started
a couple of days ago.... (shake head) 

- Charles

On Tue, 17 Feb 2004, Robert Menschel wrote:
> Hello Charles,
> Monday, February 16, 2004, 8:38:10 AM, you wrote:
> 
> CG> Seeing a  new run of spam with:
> CG> {a hrefstringhref=http://bogus.url href="http://real.url"}
> 
> CG> I think they are hoping to fool a primitive scan for 'href=' but it
> CG> just makes for a really unambiguous spamsign. I'm scoring it high.
> CG> We'll probably see some variations on this soon, with other things in
> CG> front of href..... 
> 
> CG> rawbody LOC_HTMLBADHREF  /href[a-z]*href/i
> CG> describe LOC_HTMLBADHREF href(string)href in link
> CG> score LOC_HTMLBADHREF    2.5
> 
> LOC_HTMLBADHREF -- 433s/0h of 100794 corpus (82099s/18695h) 02/16/04
> 
> 
> Bob Menschel
> 
> 
>

Re: bad href rule....

Posted by Robert Menschel <Ro...@Menschel.net>.

Hello Charles,

Monday, February 16, 2004, 8:38:10 AM, you wrote:

CG> Seeing a  new run of spam with:
CG> {a hrefstringhref=http://bogus.url href="http://real.url"}

CG> I think they are hoping to fool a primitive scan for 'href=' but it
CG> just makes for a really unambiguous spamsign. I'm scoring it high.
CG> We'll probably see some variations on this soon, with other things in
CG> front of href..... 

CG> rawbody LOC_HTMLBADHREF  /href[a-z]*href/i
CG> describe LOC_HTMLBADHREF href(string)href in link
CG> score LOC_HTMLBADHREF    2.5

LOC_HTMLBADHREF -- 433s/0h of 100794 corpus (82099s/18695h) 02/16/04


Bob Menschel

bad href rule....

Posted by Charles Gregory <cg...@hwcn.org>.

Seeing a  new run of spam with:
{a hrefstringhref=http://bogus.url href="http://real.url"}

I think they are hoping to fool a primitive scan for 'href=' but it
just makes for a really unambiguous spamsign. I'm scoring it high.
We'll probably see some variations on this soon, with other things in
front of href..... 

rawbody LOC_HTMLBADHREF  /href[a-z]*href/i
describe LOC_HTMLBADHREF href(string)href in link
score LOC_HTMLBADHREF    2.5

- Charles