uri L_u_time4more /time4more\.net/i describe L_u_time4more Body text references known spammer score L_u_time4more 9.00 # graphics-only spam Aug 4 03
Personaly, I tend to not go over 4.0, even on a sure-fire spam rule. This is mostly as a result of accepting the general spamassassin philosophy that any single rule shouldn't be enough. (with the exception of things like GTUBE)
Admittedly this isn't very likely to false positive, however rather than creating one rule worth 9, if at all possible I tend to create a handful of rules for the same spam which total 6-9.
I would also try improve the rule by framing it with \b's, or at least starting it with one.
/\btime4more\.net\b/
/b is a match on a transition from ordinary "word characters" to a non-word character, like punctuation, spaces, end of lines, etc. It basically forces something to be there that's not alphanumeric or an underscore. So the \b's above would keep it from matching "thetime4more.networks". Not that that's a sensible string, but there might be some super-string that's nonspam related so it doesn't hurt to be over-cautious on a high scoring rule.
(equal to my required hits).
Note that I do scan my corpus anyway, and I find it hits a total of 7 spam, July 24 to today's, and no non-spam. This just happened to be the first from that source that snuck through SA's rules.
header L_s_CorelWPOffice Subject =~ /(?:Corel|WordPerfect).{1,15}Office/i describe L_s_CorelWPOffice Subject apparently mentions software for sale score L_s_CorelWPOffice 0.4 # 2 spam, 0 ham, as of Aug 4, 2003
More \b action, on general principle, although not strictly needed. It makes more sense, particularly given that you wouldn't want to match "Corel's main office". Admittedly that wouldn't likely be in a subject, but it's bad form to forget your \b's and in the case of body rules that can cause some messy false positives.
header L_s_CorelWPOffice Subject =~ /\b(?:Corel|WordPerfect)\b.{1,15}Office\b/i
You could also change the range to {0,15} and add a \b before Office.
(note that \b.{0,15}\b can correctly match a single space character, because \b is a zero-width assertion.)
header L_s_LastChance Subject =~ /LAST\ CHANCE/i describe L_s_LastChance Subject claims it is the last chance for something score L_z_LastChance 0.1 # more ham than spam as of Aug 4, 2003
More \b's, change the caps to make it clearer this rule isn't an "all caps only" rule, and ditch the useless \ in the middle:
header L_s_LastChance Subject =~ /\bLast Chance\b/i
header L_hr_lattelekom Received =~ /lattelekom\.net/ describe L_hr_lattelekom Spam passed through lattelekom.net relay score L_hr_lattelekom 0.1 # 1 spam, Aug 4, 2003
Seems fine, although a bit of a duplication of effort with DNSBL's.. have you enabled them?
Which of my actions would you agree with, and which would you disagree with? And more importantly, why?
See above.
------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
