Posted to users@spamassassin.apache.org by Alan Langford <ja...@ambitonline.com> on 2004/09/22 19:29:30 UTC

Rules, rules, rules

Congrats on the 3.0 release everyone. Now all I have to do is wait for my 
ISP to upgrade.

I get about 4,000-5,000 spams per week. Roughly 2,000 of those pass through 
SpamAssassin 2.63. I've got about 1500 of my own regex rules to handle this 
problem (Eudora rocks). After white listing, these rules are pretty 
aggressive and not really useful to anyone else. I'm down to about 50% 
direct-to-trash, 50% probable spam with about 5 false negatives and 1 false 
positive per week.

However, lately more stuff has been getting through. I've developed a rule 
set to handle these that I think might be useful globally. So this post is 
to describe it and to ask if this capability is in 3.0 yet or not.

I'm seeing obfuscation by mis-spelling. Take your average drug name and 
drop in one or two bonus alpha characters; sometimes they distinguish them 
by case, so that "filter" becomes "filtBer". So now I'm starting to match 
("f.?i.?l.?t.?e.?r" and not "filter") to catch them. If this is in 3.0, 
then I'll start harassing my ISP to upgrade; if not, then I'll start 
entering new rules of my own with the most common spam vocabulary.

Another one that's proving problematic and hard to get with Eudora is 
"random spacing", so I get phrases like "blah blah in ter estr ate blah 
blah blah". Is there a rule that says "ignore whitespace and look for 
phrase X"?
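
Added example (not part of the original post, and not SpamAssassin's or any published rule set's code): the two checks described above, written in Python so they can be run against sample text. The function names gappy, spaced_out and scan, the word list and the sample lines are all constructed for illustration.

```python
import re

def gappy(word, max_extra=1):
    """Regex for `word` with up to `max_extra` stray characters between
    letters. The lookahead rejects the plain spelling at the same position,
    so a clean "filter" elsewhere in the message cannot mask a mangled one."""
    gap = ".{0,%d}" % max_extra          # max_extra=1 is the post's ".?"
    loose = gap.join(re.escape(c) for c in word)
    return re.compile(r"\b(?!%s\b)%s\b" % (re.escape(word), loose), re.I)

def spaced_out(phrase, text):
    """Spans of `text` that spell `phrase` once whitespace is ignored but are
    not spaced the normal way. Returned spans are lower-cased."""
    low = text.lower()
    keep = [i for i, ch in enumerate(low) if not ch.isspace()]
    squeezed = "".join(low[i] for i in keep)
    normal = " ".join(phrase.lower().split())
    needle = normal.replace(" ", "")
    if not needle:
        return []
    hits, pos = [], squeezed.find(needle)
    while pos != -1:
        # Map the hit in the squeezed string back to offsets in the text.
        span = low[keep[pos]:keep[pos + len(needle) - 1] + 1]
        if " ".join(span.split()) != normal:
            hits.append(span)
        pos = squeezed.find(needle, pos + 1)
    return hits

# Constructed sample lines, not real mail.
SAMPLES = [
    "Get a new filtBer for your inbox",
    "This filter beats every other fiXlter",
    "A better spam filter is available",
    "blah blah in ter estr ate blah blah",
    "Our interest rate is fixed",
]

def scan(lines, words=("filter",), phrases=("interest rate",)):
    """Return (line number, check name, matched text) for every hit."""
    found = []
    for n, line in enumerate(lines):
        for w in words:
            found += [(n, "gappy", m.group(0)) for m in gappy(w).finditer(line)]
        for p in phrases:
            found += [(n, "spaced", s) for s in spaced_out(p, line)]
    return found

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

Ignoring whitespace also joins the end of one ordinary word to the start of the next, so short phrases will produce false positives; longer phrases and a modest score keep that manageable.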


Re: Rules, rules, rules

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Alan,

Wednesday, September 22, 2004, 10:29:30 AM, you wrote:

AL> Congrats on the 3.0 release everyone. Now all I have to do is wait
AL> for my ISP to upgrade.

Same here.  I've been using it on my personal PC for mass-checks and to
make sure SARE rules were clean and working, but expect it will be
another 2-4 weeks before I get the benefits of 3.0.0 into my mail stream.

AL> However, lately more stuff has been getting through. I've developed a
AL> rule set to handle these that I think might be useful globally. So
AL> this post is to describe it and to ask if this capability is in 3.0
AL> yet or not.   

AL> I'm seeing obfuscation by mis-spelling. Take your average drug name
AL> and drop in one or two bonus alpha characters; sometimes they
AL> distinguish them by case, so that "filter" becomes "filtBer" ...

Take a look at http://www.rulesemporium.com/other-rules.htm

Jennifer's backhair.cf has been included in 3.0, so you don't want that.
However, her chickenpox.cf and mangled.cf should be helpful for this type
of problem.

She and I are reviewing mangled.cf, and if she likes my ideas, she may
have an update for it in a week or three. If you find any common
obfuscated words that she's missed, send me the examples and I'll forward
them on to her.

Bob Menschel




Re[2]: Rules, rules, rules

Posted by Robert Menschel <Ro...@Menschel.net>.
Hello Felipe,

Wednesday, September 22, 2004, 10:40:08 AM, you wrote:

FT> I've been wondering how to make a rule to catch mails with _ in the
FT> name... almost nobody uses _ as a real e-mail address, at least in
FT> e-mails passed in my server.

Actually, all sorts of people use _ in their email address.  If I blocked
Mitch_Menschel or Janet_Menschel I'd be blocking emails from my father
and wife.

FT> So if I score mails From:
FT> frederick_slateruc@aceranger.worldonline.co.uk i have a big chance to
FT> block a spammer.

FT> Could anyone help me ... I'd like to score ?_?@?

header    USCORE_IN_NAME  From =~ /_/
describe  USCORE_IN_NAME  Email address contains an underscore
score     USCORE_IN_NAME  0.500

I haven't run this through --lint, but it should work.

Bob Menschel




Re: Rules, rules, rules

Posted by Felipe Tonioli <to...@gmail.com>.
I've been wondering how to make a rule to catch mails with _ in the name...
almost nobody uses _ as a real e-mail address, at least in e-mails
passed in my server.

So if I score mails From:
frederick_slateruc@aceranger.worldonline.co.uk i have a big chance to
block a spammer.

Could anyone help me ... I'd like to score ?_?@?

tks in advance,
Felipe Tonioli


On Wed, 22 Sep 2004 13:29:30 -0400, Alan Langford <ja...@ambitonline.com> wrote:
> Congrats on the 3.0 release everyone. Now all I have to do is wait for my
> ISP to upgrade.
> 
> I get about 4,000-5,000 spams per week. Roughly 2,000 of those pass through
> SpamAssassin 2.63. I've got about 1500 of my own regex rules to handle this
> problem (Eudora rocks). After white listing, these rules are pretty
> aggressive and not really useful to anyone else. I'm down to about 50%
> direct-to-trash, 50% probable spam with about 5 false negatives and 1 false
> positive per week.
> 
> However, lately more stuff has been getting through. I've developed a rule
> set to handle these that I think might be useful globally. So this post is
> to describe it and to ask if this capability is in 3.0 yet or not.
> 
> I'm seeing obfuscation by mis-spelling. Take your average drug name and
> drop in one or two bonus alpha characters; sometimes they distinguish them
> by case, so that "filter" becomes "filtBer". So now I'm starting to match
> ("f.?i.?l.?t.?e.?r" and not "filter") to catch them. If this is in 3.0,
> then I'll start harassing my ISP to upgrade; if not, then I'll start
> entering new rules of my own with the most common spam vocabulary.
> 
> Another one that's proving problematic and hard to get with Eudora is
> "random spacing", so I get phrases like "blah blah in ter estr ate blah
> blah blah". Is there a rule that says "ignore whitespace and look for
> phrase X"?
> 
> 



-- 
Felipe Tonioli