> -----Original Message-----
> From: Robert Menschel [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 05, 2003 12:45 AM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] [RD] Rule Philosophy
>
>
> I had a spam just slip through (only one so far this week), strictly HTML
> with graphics in a table (only text: "**"), bayes rating 50%, initial SA
> score 5.8 of a required 9.
>
> uri L_u_time4more /time4more\.net/i
> describe L_u_time4more Body text references known spammer
> score L_u_time4more 9.00 # graphics-only spam Aug 4 03
>
> There were five graphics in the HTML. Each was linked to
> www.time4more.net/link/something -- To me this is proof absolute that
> time4more.net is the source of the spam, and it earns my top spam rating
> (equal to my required hits).
>
This is exactly what MY_EVIL does and works great. My tips page talks about how you should mark these as Temp_My_EVIL, as they will eventually expire. For those who may not see it, these are not the sender of the spam domains, but the domain of the image hosts, often owned by spammers. Therefore it is ever changing like an RBL. So submissions of these to the Rule Emporium would be too lengthy. You would almost have to have an RBL for the rule :)

This type of rule can also be combined with others. There is almost no chance of timeformore.net showing up in a code at the same time as tastemysalad.com, so it is easier to combine.

> So a subject which references WP Office seems to be a valid suggestion of
> spam, but with such a small sample (only two hits), I keep the score
> at/under 0.5 (approx 10% of my required hits).

Yeah, I have the Norton SystemWorks rule like this. If you don't use WP Office, then by all means make a rule. But an ISP would shy away from this one.

>
> header L_s_LastChance Subject =~ /LAST\ CHANCE/i
> describe L_s_LastChance Subject claims it is the last chance for something
> score L_s_LastChance 0.1 # more ham than spam as of Aug 4, 2003
>

This is your last chance to fix the spam, or you're fired! :-)

> mention a last chance. Therefore, though I think it's worth having a rule
> for this, I most definitely want to keep the score at a minimum.
>
> header L_hr_lattelekom Received =~ /lattelekom\.net/
> describe L_hr_lattelekom Spam passed through lattelekom.net relay
> score L_hr_lattelekom 0.1 # 1 spam, Aug 4, 2003
>
> The spam passed through mx.lattelekom.net just before reaching my server.
> This appears to be an ISP of some kind in Latvia, if I read things
> correctly. Scanning for lattelekom.net, this spam is the only hit.

Hmmm.....this is interesting. This would help me greatly if I listed IPs. My blocked IPaccess list has stopped a few legit emails that I've had to fix.
However, if I had SA read in that list and simply score some points for matches, it would be less painful on FPs. This comes down to the same problem of SA and my lack of Perl. Having an SA function that reads a text file and looks for matches in the email. Such as a list of domains or IPs. There was mention that 2.6 might have some sort of eval like this. That would be sweet.

I think your method has some potential. But most of the spam I see fakes the domain names and comes right from an open relay.

Just my opinions,
Chris Santerre
System Admin and SA Custom Rules Emporium keeper
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm
"A little nonsense now and then, is relished by the wisest men." - Willy Wonka

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
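
The reply above wishes for a text file of domains or IPs that scores a few points on a match instead of blocking outright, and notes that image-host domains combine well into one rule. The following is an added example, not part of the original post and not SpamAssassin code: it generates rules in the uri/header, describe, score layout quoted in the thread from such a file. The list format, the `L_list` rule name prefix, the describe text and the 1.00 score are assumptions.

```python
import ipaddress
import re

# Constructed sample list file: one domain or IPv4 address per line.
SAMPLE_LIST = """\
time4more.net
tastemysalad.com
192.0.2.25    # documentation-range address standing in for a blocked relay
not a valid entry
"""
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

def parse_list(text):
    """Split the list into (domains, ips); drop comments and malformed lines."""
    domains, ips = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            ips.add(str(ipaddress.IPv4Address(entry)))
        except ValueError:
            if DOMAIN.match(entry):
                domains.add(entry)
    return sorted(domains), sorted(ips)

def uri_pattern(domains):
    # Escaped dots stay literal; \b stops "nottime4more.net" from matching.
    return r"\b(?:" + "|".join(re.escape(d) for d in domains) + r")\b"

def relay_pattern(ips):
    # Requiring the Received-header brackets keeps .25 from matching .250.
    return r"\[(?:" + "|".join(re.escape(i) for i in ips) + r")\]"

def build_rules(text, name="L_list", score=1.0):
    """Emit one combined uri rule and one Received rule, each with a low score."""
    domains, ips = parse_list(text)
    rules = []
    if domains:
        rules += [f"uri {name}_uri /{uri_pattern(domains)}/i",
                  f"describe {name}_uri Body links to a listed image host",
                  f"score {name}_uri {score:.2f}"]
    if ips:
        rules += [f"header {name}_relay Received =~ /{relay_pattern(ips)}/",
                  f"describe {name}_relay Passed through a listed relay",
                  f"score {name}_relay {score:.2f}"]
    return "\n".join(rules)

if __name__ == "__main__":
    print(build_rules(SAMPLE_LIST))
```

Regenerating the rules whenever the list changes also makes it easy to drop entries that have expired, as the reply suggests for temporary image-host rules.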