On Sunday 15 June 2008 12:03 pm, John Hardin wrote:
> Folks:
>
> I tried posting this to [EMAIL PROTECTED] but it bounced...
>
> I'm seeing recent 419 spams (e.g. the ATM Card variant) making it
> through SA lately. It hits BAYES_99, but no SARE rules.
>
> Are these rules defunct?
>
> Suggestion: grabbing Justin Mason's SOUGHT tools and using them against
> a 419-specific corpus might be a really good way to keep the fraud
> ruleset current without a lot of manual effort...

John, I assume you're talking about spam with a subject such as:

(RE:YOUR ATM-211 CARD UPDATE!!)

On my box here these rules are hit, though not ClamAv this time, most times it is.

Content analysis details:   (20.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.9 TVD_RCVD_IP            TVD_RCVD_IP
 3.2 TVD_RCVD_IP4           TVD_RCVD_IP4
 1.0 RELAY_NG               Relayed through Nigeria
 2.1 SUBJ_ALL_CAPS          Subject is all capitals
 2.1 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
 1.3 MISSING_HEADERS        Missing To: header
 1.9 BILLION_DOLLARS        BODY: Talks about lots of money
 0.6 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5103]
 1.5 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-0.0 DCC_CHECK_NEGATIVE     Not listed in DCC
                            [cpollock 1113; Body=1 Fuz1=1 Fuz2=1]
 1.7 SARE_FRAUD_X3          Matches 3+ phrases commonly used in fraud spam
 1.7 SARE_FRAUD_X4          Matches 4+ phrases commonly used in fraud spam
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

Notice SARE rules were in fact hit.

--
Chris
KeyID 0xE372A7DA98E6705C