On Tue, 13 Aug 2019, James Wilkinson wrote:
Hello all you happy people,
While debugging a FP on ADVANCE_FEE_3_NEW, I noticed that it included
body __FRAUD_JBU /\bforeign account\b/i
and
body __FRAUD_TCC /foreign (?:offshore )?(?:bank|account)/i
The _NEW rules don't reference __FRAUD_JBU, so the double-scoring isn't an
issue for them. The older rules do reference both, but they are commented
out because the _NEW rules replace them.
Unless those subrules are used separately in two different scored rules,
they don't double-score the message. Something like this won't hit twice:
meta FNORD __FRAUD_JBU || __FRAUD_TCC
The only place I see __FRAUD_JBU being used in all of the base rules is in
the commented-out old ADVANCE_FEE rules. This suggests if that *is* the
source of your FP, it's being used in a local rule.
https://svn.apache.org/repos/asf/spamassassin/trunk/rules/20_advance_fee.cf
is the file in SVN trunk.
The current rules are in
../svn/trunk/rulesrc/sandbox/jhardin/20_advance_fee_reevolved.cf
meta __ADVANCE_FEE_3_NEW (__AFRICAN_STATE + __ATM_CARD +
__BACK_SCRATCH + __CONTACT_YOU + __COURIER + __DEAD_PARENT + __DEAL +
DEAR_BENEFICIARY + DEAR_WINNER + __DECEASED + __DESTROY_ME + __DIPLOMATIC
+ __DORMANT_ACCT + __EARLY_DEMISE + __EX_CUSTOMER + __FOUND_YOU +
__FRAUD_AON + __FRAUD_AUM + __FRAUD_AXF + __FRAUD_BEP + __FRAUD_BGP +
__FRAUD_CKF + __FRAUD_DPR + __FRAUD_FVU + __FRAUD_GBW + __FRAUD_IPK +
__FRAUD_IRT + __FRAUD_JNB + __FRAUD_JYG + __FRAUD_MCQ + __FRAUD_MLY +
__FRAUD_MQO + __FRAUD_NEB + __FRAUD_QFY + __FRAUD_QXX + __FRAUD_SNT +
__FRAUD_ULK + __FRAUD_UOQ + __FRAUD_VQE + __FRAUD_WDR + __FRAUD_WFC +
__FRAUD_XJR + __FRAUD_XWW + __FRAUD_YPO + __FRAUD_YQV + __I_INHERIT +
__INTL_BANK + __INVEST_MONEY + __IS_LEGAL + __I_WILL_YOU + __KAM_LOTTO2 +
LOTTO_AGENT + LOTTO_AGENT_RPLY + __LOTTO_DEPT + __LOTTO_RELATED +
LOTTO_URI + __LOTTO_WIN_01 + __LOTTO_WINNINGS + __LUCKY_WINNER +
__NEXT_OF_KIN + __NOT_DEAD_YET + __PCT_OF_PMTS + __SCAM + __SHARE_IT +
__THEY_INHERIT + UNCLAIMED_MONEY + __WIDOW + __WILL_LEGAL + __XFER_MONEY
+ __YOU_ASSIST + __YOU_INHERIT + __YOUR_FUND + __YOUR_PERM + __YOU_WON >
2) && !__THREAD_INDEX_GOOD
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
2 days until the 74th anniversary of the end of World War II
