Micah Anderson wrote:
Joseph Brennan <[EMAIL PROTECTED]> writes:
/Dear .{0,12}(web ?mail|columbia\.edu)/i
/Password.{0,10}\([\s\.\*\_]+\)/
/you must reply to this email/i
Reply-to =~ /[EMAIL PROTECTED]/
I'm new at writing custom rules, so I am trying to figure out the best
way to do this. Would it be better to make a different rule for each one
of these, or would it be better to make a meta-rule? My guess is it's
better to make a meta-rule, but that means that each rule must hit in
order to get the larger score, versus some of the individual rules
hitting and adding up to the larger score. The meta-rule seems good
because it describes a full profile phishing email that must be met, but
it seems bad because one tweak of the phish would result in the
meta-rule not matching overall. I suppose this is the point of the
arithmetic meta-rule possibility, however I'm puzzled at the best
mechanism to choose. Any advice would be appreciated.
My thinking is lots of low scoring rules are better than one large
scoring rule. You can however combine the two techniques with metarules
whereby if 3 or more single scoring rules are met a metarule adds an
additional score just for good measure.
Once I figure out the best way to match these, I need a good way to
determine what I should score these, the rule-writing documentation
suggests starting at 0.1 and then moving it up as you test it, and
suggests extreme caution scoring a custom rule over 1, however it seems
like these would be better scored higher than that.
That depends on how specific your rules are. Try to write rules for
phrases rather than single words. If the phish are specific to you then
it shouldn't be too difficult to write rules to specifically catch them.
If/when the phishers tweak the phish then you'll need to tweak your rules.
Look at the emails with an analytical eye - what giveaway signs tell you
that they are spam? Then try to write rules to detect what you see.
The first of course is partly local to us. Another useful local rule
is to check for the uri of your own webmail.
Yeah, I'll make a uri rule for that and probably add that to the
meta-rule.
Thanks for any advice,
micah
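For readers following the thread, here is how the two approaches discussed above fit together in one SpamAssassin rule file: each signal is a zero-scoring sub-rule (leading `__`), each is also exposed as a low-scoring rule of its own, and an arithmetic meta-rule adds weight only when three or more signals co-occur. This is an added example written for this page, not a rule set posted by anyone in the thread; the webmail host and the Reply-To domain are placeholders, since the original message redacted the address.

```text
# Added example (not from the thread). Drop into a file such as
# /etc/mail/spamassassin/local_phish.cf and run "spamassassin --lint".

# --- Sub-rules: names starting with "__" add no score by themselves ---
body    __LOCAL_PHISH_GREETING  /Dear .{0,12}(web ?mail|columbia\.edu)/i
body    __LOCAL_PHISH_PASSWORD  /Password.{0,10}\([\s\.\*\_]+\)/
body    __LOCAL_PHISH_REPLY     /you must reply to this email/i
# PLACEHOLDER domain: the address in the original post was redacted
header  __LOCAL_PHISH_REPLYTO   Reply-To =~ /\@example\.edu\b/i
# PLACEHOLDER host: the "uri of your own webmail" suggested in the thread
uri     __LOCAL_PHISH_WEBMAIL   /^https?:\/\/webmail\.example\.edu\//i

# --- Individual low-scoring rules (start near 0.1 and raise with testing) ---
meta     LOCAL_PHISH_GREETING  __LOCAL_PHISH_GREETING
describe LOCAL_PHISH_GREETING  Phish-style greeting naming webmail or the domain
score    LOCAL_PHISH_GREETING  0.5

meta     LOCAL_PHISH_PASSWORD  __LOCAL_PHISH_PASSWORD
describe LOCAL_PHISH_PASSWORD  "Password (____)" fill-in blank
score    LOCAL_PHISH_PASSWORD  0.5

meta     LOCAL_PHISH_REPLY     __LOCAL_PHISH_REPLY
describe LOCAL_PHISH_REPLY     Demands a reply to this email
score    LOCAL_PHISH_REPLY     0.5

meta     LOCAL_PHISH_REPLYTO   __LOCAL_PHISH_REPLYTO
describe LOCAL_PHISH_REPLYTO   Reply-To points at the impersonated domain
score    LOCAL_PHISH_REPLYTO   0.5

meta     LOCAL_PHISH_WEBMAIL   __LOCAL_PHISH_WEBMAIL
describe LOCAL_PHISH_WEBMAIL   Links to our own webmail URL
score    LOCAL_PHISH_WEBMAIL   0.5

# --- Arithmetic meta-rule: each sub-rule evaluates to 1 or 0, so the sum ---
# --- counts how many signals matched; >= 3 tolerates one or two tweaks ---
meta     LOCAL_PHISH_PROFILE  (__LOCAL_PHISH_GREETING + __LOCAL_PHISH_PASSWORD + __LOCAL_PHISH_REPLY + __LOCAL_PHISH_REPLYTO + __LOCAL_PHISH_WEBMAIL) >= 3
describe LOCAL_PHISH_PROFILE  Three or more local phish markers present
score    LOCAL_PHISH_PROFILE  2.0
```

With this layout a message matching only one signal picks up 0.5, while one matching three picks up 1.5 from the individual rules plus 2.0 from the meta-rule; check the effect on a saved sample with `spamassassin -t < sample.eml` and watch the rule names in the report before raising any score.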