[SAtalk] idea: Rules about other rules

Sun, 24 Mar 2002 16:36:14 -0800 

I got the idea of creating rules that would be triggered depending upon what 
other rules had already been triggered, so that you could combine different 
tests for greater accuracy.  For instance, the rule US_DOLLARS is described 
as a "Nigerian scam key phrase", but it's separate from the NIGERIAN_SCAM 
rules; the different rules simply add up if both of them are present.  But if 
there a rule like:

    meta NIGERIAN_META    (NIGERIAN_SCAM || NIGERIAN_SCAM_2) && US_DOLLARS

So then you could shift points from the base rules to the meta rule, thus 
hopefully reducing false positives.

To make it easier to specify sets of base rules, regexps could be used.  So, 
for example, to make a meta rule for a porn URI plus any of the other porn 
rules:

    meta PORN_META    PORN_4 && PORN_[^4].*

Although it would probably just be easier to set up a series of meta rules, 
performed in alphabetical order:

    meta A_PORN_META (PORN_1 || PORN_2 || PORN_3 || PORN_5 || ...)
    meta B_PORN_META  PORN_4 && A_PORN_META

Another meta-rules idea is to have meta-rules about the number of ordinary 
positive-scored rules that have been triggered by a mail.    Out of my 
collection of 310 spam messages, only 10 of them triggered less than 4 rules 
(both positive and negative rules, I haven't taken the time to sort them 
out).  We could subtract a small amount from the score if only 2, 3 or 4 
positive-scored rules were triggered, to try to reduce false positives; 
sysadmins could manually increase the amount subtracted to generate less 
false positives.  Also, since a spam that triggered only 5 or 6 rules with 
less than 1.0 scores could sneak in under the threshold, we could slightly 
increase the scores of messages with that many rules triggered.

Finally, a more risky idea: score multipliers.  For instance, since rules 
like SECTION_301 and BILL_1618 almost never appear outside of spam, we could 
multiply the whole score by 1.1 if they are present.  I'm not so sure if this 
is a good idea.

-- 
Visit http://dmoz.org, the world's   | Give a man a match, and he'll be warm
largest human edited web directory.  | for a minute, but set him on fire, and
                                     | he'll be warm for the rest of his life.
[EMAIL PROTECTED]  ICQ: 132152059 |

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to