Here are some rules you can add to your /etc/mail/spamassassin/local.cf
file to catch a few of the things you mentioned here and how to create
new rules.
If you have an old spam folder, it is easy to test your expressions to
see how they work. Your word list, I just stuck them together and
tested them on my Feb 2002 spam folder (about 1500 spams in it). Do it
without the wc -l to see the actual matches, and escape the special
characters like $, (, and ! with backslashes.
Lots of hits for this one, but also tons of false positives. You will
have to decide if it is worth it for you. Looking at my mail, I don't
think I would use this rule, the way it is written here.
[nice@mothlight mail]$ grep -i -E "(BulkMailing|potential
earning|profit|make money|free|hesistate|act within|order now|credit
card|expiration date|now only \$)" 2002Febspam |wc -l
3279
[nice@mothlight mail]$ grep -i -E "(BulkMailing|potential
earning|profit|make money|free|hesistate|act within|order now|credit
card|expiration date|now only \$)" /var/spool/mail/nice sent-mail
personal personal-sent journals | wc -l
3214
But, you can just cut and paste this into your local.cf file and then
run an email though to test it with
spamassassin -t < one.test.email.txt
Use the i in the rule if you want it to be case insensitive. If you are
using spamd, you have to restart it to have the new rules take effect.
rawbody PROFIT_WORDS /(BulkMailing|potential earning|profit|make
money|free|hesistate|act within|order now|credit card|expiration
date|now only \$)/i
describe PROFIT_WORDS Lots of profity spammy words
score PROFIT_WORDS 1.0
So next rule, pretty good count on this one. I added this one to my
personal local.cf.
[nice@mothlight mail]$ grep "Subject:" 2002Febspam | grep -E "\\$"|wc -l
37
[nice@mothlight mail]$ grep -E "^Subject:" /var/spool/mail/nice
sent-mail personal personal-sent journals | grep -E "\\$"|wc -l
0
[nice@mothlight mail]$
And the rule:
header SUBJ_HAS_DOLLAR_SIGN Subject =~ /\$/
describe SUBJ_HAS_DOLLAR_SIGN Subject has a dollar sign
score SUBJ_HAS_DOLLAR_SIGN 1.0
I threw this one in for fun:
header SUBJ_HAS_2_DOLLAR_SIGNS Subject =~ /\$\$/
describe SUBJ_HAS_2_DOLLAR_SIGNS Subject has two or more dollar signs
score SUBJ_HAS_2_DOLLAR_SIGNS 2.0
Not a huge amount of hits for this one, but maybe it would be worthwhile:
[nice@mothlight mail]$ grep "X-Mailer:" 2002Febspam | grep -E "The
Bat\! \(v1.52f\) Business"|wc -l
8
[nice@mothlight mail]$ grep "X-Mailer:" /var/spool/mail/nice sent-mail
personal personal-sent journals | grep -E "The Bat\! \(v1.52f\)
Business"|wc -l
0
[nice@mothlight mail]$
header BAT_XMAILER X-Mailer =~ /The Bat\! \(v1.52f\) Business/
describe BAT_XMAILER X-Mailer is the Bat
score BAT_XMAILER 1.0
Hope this helps.
Kerry.
Toni Willberg wrote:
> --=-BzQMvulOZXCgoe1ejhp1
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
>
> Hi.
>
> I'm not (yet) familiar with creating new scoring rules, but I'll try to
> help anyway.
>
> Attached spam is good example of spam I get which is scrored under 5.0
> by SpamAssassin. Spammer is trying to sell CD's of bulk email addresses
> to spammers. :)
>
>
> Following scoring rules would have helped catch this spam. I hope
> someone familiar with rules would produce working SA rules from these.
>
> Some of my suggestions are perhaps already implemented, but atleast my
> installation of SA (v2.11) did not catch any of these rules.
>
> X-Spam-Status: No, hits=2.9 required=5.0
> tests=NO_REAL_NAME,FROM_ENDS_IN_NUMS,RCVD_IN_ORBZ version=2.11
>
>
>
> My suggestions follows, someone add good scores for them:
>
>
> Subject contains: "$"
> Subject has over 50% alphabetical characters UPPERCASE
> Header contains: X-Mailer: The Bat! (v1.52f) Business
> Body has lines which contain over 50% alphabetical characters UPPERCASE
> Body contains any of these:
> BulkMailing
> potential earning
> profit
> make money
> free
> hesistate
> act within
> order now
> credit card
> expiration date
> now only $
>
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
