(I learned about this yesterday and have it going; very nice.) Today I got a false positive which included among other things:

    SPAM: Hit! (2.29 points) Cc: contains similar usernames at least 10 times
    SPAM: Hit! (1.47 points) To: contains similar usernames at least 10 times

neither of which was correct, but also:

    SPAM: Hit! (0.47 points) Cc: contains similar domains at least 10 times

which was correct. Specifically, this message had 15 different To: addresses in different *.sun.com domains (the most had 8), and 15 different Cc: addresses in different *.sun.com domains (the most had 12). But the local parts in both the To: and Cc: headers were completely different.

I ran some tests and determined that the regular expressions for VERY_SUSP_[CC_]RECIPS

    /\b([a-z][a-z])[^@]{0,20}(@[-a-z0-9_\.]{0,30}).{0,30}?(?:\1[^@]*\2.{0,20}?){9,}/is

would trigger false positives on

    a@domain, b@domain, ..., k@domain

i.e., 11 (not 10) of the same domain would trigger this regardless of the local parts.

Well, the SUSPICIOUS_[CC_]RECIPS macros seemed good, so I tweaked them into:

    header VERY_SUSP_RECIPS    To =~ /([a-z0-9-_]{1,}@).*(?:\1.*){9,}/is
    header VERY_SUSP_CC_RECIPS Cc =~ /([a-z0-9-_]{1,}@).*(?:\1.*){9,}/is

and now all seems fine. Being new to this group, I'm not sure if I need to do anything else to get this fix in; please let me know if there is some FM which I should go R.

-- 
John Beck, Solaris Internet Engineering

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
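
An added example, not part of the original post and not SpamAssassin code: a small harness that runs the two patterns quoted above over constructed recipient headers, so the same-domain false positive and the behaviour of the proposed replacement can be reproduced. It assumes Python's re module behaves like Perl for these constructs with the /is flags; the addresses and the helper names (header, evaluate) are made up for the illustration. The last case goes beyond the post and checks distinct usernames that merely end in the same letter.

```python
import re

# Original VERY_SUSP_[CC_]RECIPS pattern as quoted in the post (/is flags).
ORIGINAL = re.compile(
    r"\b([a-z][a-z])[^@]{0,20}(@[-a-z0-9_\.]{0,30}).{0,30}?"
    r"(?:\1[^@]*\2.{0,20}?){9,}", re.I | re.S)

# Replacement pattern proposed in the post (/is flags).
TWEAKED = re.compile(r"([a-z0-9-_]{1,}@).*(?:\1.*){9,}", re.I | re.S)


def header(local_parts, domains):
    """Build a constructed To:/Cc: header body from parallel sequences."""
    return ", ".join(f"{lp}@{dom}" for lp, dom in zip(local_parts, domains))


def evaluate(value):
    """Return (original_hit, tweaked_hit) for one header value."""
    return bool(ORIGINAL.search(value)), bool(TWEAKED.search(value))


# Constructed sample headers (not taken from real mail).
LETTERS = "abcdefghijk"
HOSTS = [f"h{i}.example.com" for i in range(10)]

# a@..k@ at one domain: the 11-address case described in the post.
SAME_DOMAIN_11 = header(LETTERS, ["example.com"] * 11)
# One address fewer: below the threshold the post reports.
SAME_DOMAIN_10 = header(LETTERS[:10], ["example.com"] * 10)
# The case the rule is meant to catch: one username at ten hosts.
SAME_USER_10 = header(["jsmith"] * 10, HOSTS)
# Ten different usernames that all end in "n" (edge case, not from the post).
SAME_LAST_LETTER_10 = header(
    ["ann", "ben", "colin", "dan", "erin", "finn", "glen", "helen", "ian", "jon"],
    HOSTS)

CASES = {
    "11 users, one domain": SAME_DOMAIN_11,
    "10 users, one domain": SAME_DOMAIN_10,
    "one user, 10 hosts": SAME_USER_10,
    "10 users ending in n": SAME_LAST_LETTER_10,
}

if __name__ == "__main__":
    for name, value in CASES.items():
        original_hit, tweaked_hit = evaluate(value)
        print(f"{name:22} original={original_hit!s:5} tweaked={tweaked_hit}")
```

The final case hits the replacement pattern because the captured group is not anchored to the start of the local part, so a single shared trailing character followed by @ satisfies the back-reference.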