You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by AJ Weber <aw...@comcast.net> on 2012/01/06 15:10:28 UTC
rule to test "body" length?
Is there a way to check if the body of an email is less than some threshold
(length of chars)? I'm seeing some spam slip through because it's purposely
too short to hit a lot of rules, and too short for DCC and other networked
systems to get a "fingerprint" on.
For example:
Any body where len < 50, score...
Would it be something like /.{1,50}/ ???
Thanks,
-AJ
--
View this message in context: http://old.nabble.com/rule-to-test-%22body%22-length--tp33092865p33092865.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: rule to test "body" length?
Posted by John Hardin <jh...@impsec.org>.
On Sun, 8 Jan 2012, AJ Weber wrote:
> John Hardin wrote:
>
>> The thread subject is "Short body rules" on 11/25/2011
>
> Thanks for the pointer. Using the "Old Nabble1" website, there are ZERO
> threads/emails archived for 11/25/11. :(
>
> When I get some time, I'll see where the other archives are for this list
> and search there. Thanks again.
The thread:
http://www.gossamer-threads.com/lists/spamassassin/users/169091
To summarize:
rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
rawbody __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
Adjust the 200s to your desired limit.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
You know things are bad when Pravda says we [the USA] have gone
too far to the left. -- Joe Huffman
-----------------------------------------------------------------------
9 days until Benjamin Franklin's 306th Birthday
Re: rule to test "body" length?
Posted by AJ Weber <aw...@comcast.net>.
John Hardin wrote:
>
> The thread subject is "Short body rules" on 11/25/2011
>
Thanks for the pointer. Using the "Old Nabble1" website, there are ZERO
threads/emails archived for 11/25/11. :(
When I get some time, I'll see where the other archives are for this list
and search there. Thanks again.
--
View this message in context: http://old.nabble.com/rule-to-test-%22body%22-length--tp33092865p33104565.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: rule to test "body" length?
Posted by John Hardin <jh...@impsec.org>.
On Fri, 6 Jan 2012, AJ Weber wrote:
> Didn't find it, but I'll keep looking.
The thread subject is "Short body rules" on 11/25/2011
> While searching, I noticed you had some updated chickenpox rules, but I
> didn't see them in your sandbox (at least from the link I looked at).
They aren't updated. The intent was to get stats on them via masscheck to
see how good (or bad) they really are these days.
> I know this is a tangent, but could you direct me to that rule-set? I
> have the one from the SA wiki, but it doesn't seem "enough".
If you have that I'm pretty sure you have what I have.
I need to take another look, that mini-project may have gotten "buried on
my desk" (...like, I got permission to upload them but never actually did
so...)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim XXIX: The enemy of my enemy is my enemy's enemy. No more.
No less.
-----------------------------------------------------------------------
11 days until Benjamin Franklin's 306th Birthday
Re: rule to test "body" length?
Posted by AJ Weber <aw...@comcast.net>.
> Please don't top-post.
Sorry. Even though I subscribed, and sent the "confirmation" email, I still
don't get any of the messages in my email, so I'm posting via the "Old
Nabble" web form. That doesn't allow me to automate indenting/quoting
previous messages, so I will manually put >'s in front of all the lines if
you want.
>Body tests are run per paragraph, so you would need one of then to
>have 100 chars.
Wow. I would've thought I would have run across this info in all the
searching I've done about rules and custom rules. Good to know, thanks.
>Also they are just run on just the text that the reader
>would see, if that matters to you. If you are intending to give this a
>significant score, then it seems a bit reckless to me. Do you never
>receive terse emails?
I sometimes receive terse emails, but very rarely to the accounts I'm trying
to protect with SA. Since no spam filter is 100%, this just seems to be a
rule that I could use, with an appropriate score.
>If you are new to SA I would suggest you start with making sure that
>Bayes is properly trained, and you have have the infrastructure to
>keep it trained without much effort. Razor DCC etc are fairly minor
>components compared to BAYES.
I can train Bayes, but keeping it trained might be a bit of effort for the
install size I'm dealing with (small). Since this is a combination of work-
and non-work mailboxes, the breadth of email types that the users would
consider ham is probably not going to make Bayes training very accurate, but
I would love to be wrong.
Thanks for the reply.
--
View this message in context: http://old.nabble.com/rule-to-test-%22body%22-length--tp33092865p33104550.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: rule to test "body" length?
Posted by RW <rw...@googlemail.com>.
On Fri, 6 Jan 2012 07:52:29 -0800 (PST)
AJ Weber wrote:
> BTW: To expound upon my previous "guess" at matching short messages,
> what's wrong with:
> body MY_TOO_SHORT /^.{1,100}$/
>
> (Which I mean to check for a message where the length is < 100 chars)
Please don't top-post.
Body tests are run per paragraph, so you would need one of then to
have 100 chars. Also they are just run on just the text that the reader
would see, if that matters to you. If you are intending to give this a
significant score, then it seems a bit reckless to me. Do you never
receive terse emails?
If you are new to SA I would suggest you start with making sure that
Bayes is properly trained, and you have have the infrastructure to
keep it trained without much effort. Razor DCC etc are fairly minor
components compared to BAYES.
Re: rule to test "body" length?
Posted by AJ Weber <aw...@comcast.net>.
BTW: To expound upon my previous "guess" at matching short messages, what's
wrong with:
body MY_TOO_SHORT /^.{1,100}$/
(Which I mean to check for a message where the length is < 100 chars)
AJ Weber wrote:
>
> Didn't find it, but I'll keep looking. While searching, I noticed you had
> some updated chickenpox rules, but I didn't see them in your sandbox (at
> least from the link I looked at). I know this is a tangent, but could you
> direct me to that rule-set? I have the one from the SA wiki, but it
> doesn't seem "enough".
>
> Thanks for the reply,
> AJ
>
>
> John Hardin wrote:
>>
>> On Fri, 6 Jan 2012, AJ Weber wrote:
>>
>>> Is there a way to check if the body of an email is less than some
>>> threshold
>>> (length of chars)?
>>
>> Check the archives. This came up a month or two ago and I suggested a
>> rule
>> set to detect a short body. Karsten then suggested a minor refinement.
>>
>> You can't do it in a single rule.
>>
>> --
>> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
>> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
>> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>> -----------------------------------------------------------------------
>> Windows Genuine Advantage (WGA) means that now you use your
>> computer at the sufferance of Microsoft Corporation. They can
>> kill it remotely without your consent at any time for any reason;
>> it also shuts down in sympathy when the servers at Microsoft crash.
>> -----------------------------------------------------------------------
>> 11 days until Benjamin Franklin's 306th Birthday
>>
>>
>
>
--
View this message in context: http://old.nabble.com/rule-to-test-%22body%22-length--tp33092865p33093814.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: rule to test "body" length?
Posted by AJ Weber <aw...@comcast.net>.
Didn't find it, but I'll keep looking. While searching, I noticed you had
some updated chickenpox rules, but I didn't see them in your sandbox (at
least from the link I looked at). I know this is a tangent, but could you
direct me to that rule-set? I have the one from the SA wiki, but it doesn't
seem "enough".
Thanks for the reply,
AJ
John Hardin wrote:
>
> On Fri, 6 Jan 2012, AJ Weber wrote:
>
>> Is there a way to check if the body of an email is less than some
>> threshold
>> (length of chars)?
>
> Check the archives. This came up a month or two ago and I suggested a rule
> set to detect a short body. Karsten then suggested a minor refinement.
>
> You can't do it in a single rule.
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> Windows Genuine Advantage (WGA) means that now you use your
> computer at the sufferance of Microsoft Corporation. They can
> kill it remotely without your consent at any time for any reason;
> it also shuts down in sympathy when the servers at Microsoft crash.
> -----------------------------------------------------------------------
> 11 days until Benjamin Franklin's 306th Birthday
>
>
--
View this message in context: http://old.nabble.com/rule-to-test-%22body%22-length--tp33092865p33093677.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: rule to test "body" length?
Posted by John Hardin <jh...@impsec.org>.
On Fri, 6 Jan 2012, AJ Weber wrote:
> Is there a way to check if the body of an email is less than some threshold
> (length of chars)?
Check the archives. This came up a month or two ago and I suggested a rule
set to detect a short body. Karsten then suggested a minor refinement.
You can't do it in a single rule.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Windows Genuine Advantage (WGA) means that now you use your
computer at the sufferance of Microsoft Corporation. They can
kill it remotely without your consent at any time for any reason;
it also shuts down in sympathy when the servers at Microsoft crash.
-----------------------------------------------------------------------
11 days until Benjamin Franklin's 306th Birthday