Posted to users@spamassassin.apache.org by CharlesLai <ch...@gmail.com> on 2007/08/09 18:31:41 UTC

Help with SA body rule with *.info in body

Could someone help me with a SA body rule that would catch the email below?
These are the only ones consistently getting past SA, and they always have
an email address with a .info domain. I’d like the rule to catch any message
with an *@*.info domain since we have no one legitimate that we can think of
that would use a .info domain or email address. I know there are some legit
.info domains out there, but the vast majority are spammers.

 --------

Hello! I am bored this evening. I am nice girl that would like to chat with
you. Email me at k@mailmessagecenter.info only, because I am writing not
from my personal email. If you would like to see some of my pictures.

Sincerely,

Charles Lai



Re: Help with SA body rule with *.info in body

Posted by Jari Fredriksson <ja...@iki.fi>.
> Could someone help me with a SA body rule that would
> catch the email below? These are the only ones
> consistently getting past SA, and they always have an
> email address with a .info domain. I’d like the rule to
> catch any message with an *@*.info domain since we have
> no one legitimate that we can think of that would use a
> .info domain or email address. I know there are some
> legit .info domains out there, but the vast majority are
> spammers.   
> 
> --------
> 
> Hello! I am bored this evening. I am nice girl that would
> like to chat with you. Email me at
> k@mailmessagecenter.info only, because I am writing not
> from my personal email. If you would like to see some of
> my pictures.  
> 
> Sincerely,
> 
> Charles Lai

I copy & pasted that snippet (no headers, only data) to spamassassin, and this is what I got:

Content analysis details:   (10.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9987]
 0.0 MISSING_MID            Missing Message-Id: header
 0.0 MISSING_DATE           Missing Date: header
-0.0 NO_RELAYS              Informational: message was not relayed via SMTP
 2.5 MISSING_HB_SEP         Missing blank line between message header and body
 1.3 MISSING_HEADERS        Missing To: header
 1.8 MISSING_SUBJECT        Missing Subject: header
-0.0 NO_RECEIVED            Informational: message has no Received headers
 0.0 NO_HEADERS_MESSAGE     Message appears to be missing most RFC-822 headers


Ok, most rules just because there were no headers. But the point is that BAYES_99 was triggered!

If you trust your bayes training, just tune it up to 5.0. 

Re: Help with SA body rule with *.info in body

Posted by wolfgang <me...@gmx.net>.
In an older episode (Friday, 10. August 2007), John D. Hardin wrote:

> > uri LOCAL_EMAILDOTINFO /\@\S{1,50}\.info$/
>
> "uri" also picks up bare email addresses in the message body?

It does it here when I run SA on an mbox file with only Charles' mail in it.

>
> Or does that only work with mailto: URIs?

There is no /mailto:\S+\.info/ in that mbox file, the only mailto's are 
way up in the list headers ...

Regards,

wolfgang

>
> > Correct me if I am wrong, experts.
>
> Shirly you have a rules testbed set up so that you could test it and
> see? :)



Re: Help with SA body rule with *.info in body

Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 10 Aug 2007, wolfgang wrote:

> To catch an email address in an *.info domain, try this rule:
> 
> uri LOCAL_EMAILDOTINFO /\@\S{1,50}\.info$/

"uri" also picks up bare email addresses in the message body?

Or does that only work with mailto: URIs?

> Correct me if I am wrong, experts.

Shirly you have a rules testbed set up so that you could test it and 
see? :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Gun Control: The theory that a woman found dead in an alley, raped
  and strangled with her panty hose, is somehow morally superior to
  a woman explaining to police how her attacker got that fatal bullet
  wound.                                             -- L. Neil Smith
-----------------------------------------------------------------------
 6 days until The 62nd anniversary of the end of World War II


Re: Help with SA body rule with *.info in body

Posted by wolfgang <me...@gmx.net>.
To catch an email address in an *.info domain, try this rule:

uri LOCAL_EMAILDOTINFO /\@\S{1,50}\.info$/

Afaik, using uri instead of body has the advantage that it will only 
parse URIs, not the entire body ... thus info is anchored at the end of 
the regex.

Correct me if I am wrong, experts.

Regards,

wolfgang
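
An added example, not part of the original thread and not SpamAssassin's own code: a Python check of the regex from wolfgang's rule, showing why the $ anchor works when the pattern is applied to an extracted address but not when it is applied to the whole body text. The ADDRESS extractor is a simplified stand-in for SpamAssassin's URI extraction (an assumption), and the edge-case strings are constructed.

```python
import re

# Regex from the rule posted in the thread:
#   uri LOCAL_EMAILDOTINFO /\@\S{1,50}\.info$/
RULE = re.compile(r"\@\S{1,50}\.info$")

# Simplified stand-in for SpamAssassin's URI extraction (an assumption of this
# example): pull out anything shaped like an e-mail address, optional mailto:.
ADDRESS = re.compile(r"(?:mailto:)?[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# The spam body quoted in the original post.
SAMPLE_BODY = (
    "Hello! I am bored this evening. I am nice girl that would like to chat "
    "with you. Email me at k@mailmessagecenter.info only, because I am "
    "writing not from my personal email."
)

def uri_style_hits(text):
    """Apply the rule to each extracted address, as a uri rule sees them."""
    return [tok for tok in ADDRESS.findall(text) if RULE.search(tok)]

def body_style_hit(text):
    """Apply the same regex to the whole text, as a body rule would."""
    return RULE.search(text) is not None

# Constructed candidate strings showing where the anchored pattern stops matching.
EDGE_CASES = {
    "mailto:k@mailmessagecenter.info": True,    # mailto: prefix is irrelevant
    "k@mailmessagecenter.info": True,           # bare address
    "K@MAILMESSAGECENTER.INFO": False,          # no /i flag on the rule
    "mailto:k@example.info?subject=hi": False,  # text after .info defeats $
    "k@example.information": False,             # $ rejects longer look-alikes
    "http://user@example.info": True,           # userinfo URL also ends in .info
}

def check_edge_cases():
    """Return candidates whose actual result differs from the expectation above."""
    return [s for s, want in EDGE_CASES.items() if bool(RULE.search(s)) != want]

if __name__ == "__main__":
    print("uri-style hits :", uri_style_hits(SAMPLE_BODY))
    print("body-style hit :", body_style_hit(SAMPLE_BODY))
    print("mismatches     :", check_edge_cases())
```

The edge cases cover only the regex itself; whether a given string reaches a uri rule in that form depends on how SpamAssassin extracts and normalises URIs, which this example does not model.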