Micah Anderson wrote:
> I've got a couple custom meta rules, that don't seem to be applying how
> I expected them to.
> 
> When I run a message that should hit on these rules I get:
> 
> [14109] dbg: rules: ran one_line_body rule __LOCAL_PHISHER_USERNAME ======> got hit: "Username:"
> [14109] dbg: rules: ran one_line_body rule __LOCAL_PHISHER_PASSWORD ======> got hit: "Password:"
> [14109] dbg: rules: ran header rule __LOCAL_REPLYTO_NOTUS ======> got hit: "negative match"
> 
> Which results in the rule: LOCAL_PHISH_FROMREPLY getting set with score
> 0.1, which is great, that is what I expect. However there is a rule that
> builds on that which doesn't fire, specifically the
> LOCAL_PHISHER_USERPASS rule which does the math to add the
> LOCAL_PHISH_FROM_REPLY to the __LOCAL_PHISHER_PASSWORD and
> __LOCAL_PHISHER_USERNAME to get over a score of 1, but even though those
> rules fire, the math addition doesn't seem to get over 1 and thus the
> meta rule doesn't fire...
> 
> what am I missing here?
> 
> body __LOCAL_PHISHER_PASSWORD           /Password(.{0,10}\([\s\.\*\_]+\)|( .{0,4})?:)/i
> 
> header __LOCAL_RETURN_PATH_ISUS         Return-Path =~ /\...@ourdomain\.net/
> header __LOCAL_FROM_ISUS                From =~ /\...@ourdomain\.net/
> header __LOCAL_REPLYTO_EXISTS           exists:Reply-To
> header __LOCAL_REPLYTO_NOTUS            Reply-to !~ /\...@ourdomain\.net/
> meta LOCAL_PHISH_FROMREPLY            (( __LOCAL_RETURN_PATH_ISUS || __LOCAL_FROM_ISUS ) && ( __LOCAL_REPLYTO_EXISTS && __LOCAL_REPLYTO_NOTUS ))
> score LOCAL_PHISH_FROMREPLY             0.1
> 
> body __LOCAL_PHISHER_USERNAME           /User(\s)?(n|N)ame(.{0,10}\([\s\.\*\_]+\)|( .{0,4})?:)/i
> meta LOCAL_PHISHER_USERPASS             ((( 0.2 * __LOCAL_PHISHER_USERNAME ) + ( 0.4 * __LOCAL_PHISHER_PASSWORD ) + ( 0.4 * LOCAL_PHISH_FROMREPLY)) > 1)

I don't see the score for __LOCAL_PHISHER_USERNAME and
__LOCAL_PHISHER_PASSWORD, so all I see is
        0.4 * LOCAL_PHISH_FROMREPLY = 0.4 * 0.1 = 0.01
which is ridiculously small compared to 1.

Anyway, why are you using SA as a basic calculator? Use a "logical" meta
instead.


> describe LOCAL_PHISHER_USERPASS         Typical phish: asks for username and password, we dont do that
> score LOCAL_PHISHER_USERPASS            10.5
> 
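
The "logical" meta suggested in the reply could look like the following. This is an added example, not part of either post; it reuses the original poster's rule names and assumes the intent is to fire only when all three conditions hit.

```conf
# Added example (not from the thread). Rule names are the original poster's;
# requiring all three sub-rules is an assumption about the intent.
#
# In a meta expression, a sub-rule that hit evaluates to 1 (or to its hit
# count when it carries "tflags multiple") and a sub-rule that missed
# evaluates to 0. The "score" lines of sub-rules are not part of the
# expression, so boolean operators express the condition directly.

meta     LOCAL_PHISHER_USERPASS  (__LOCAL_PHISHER_USERNAME && __LOCAL_PHISHER_PASSWORD && LOCAL_PHISH_FROMREPLY)
describe LOCAL_PHISHER_USERPASS  Asks for username and password with Reply-To outside our domain
score    LOCAL_PHISHER_USERPASS  10.5

# Check the syntax, then confirm the meta fires on a saved sample message
# (sample.eml is a placeholder file name):
#   spamassassin --lint
#   spamassassin -D rules -t < sample.eml
```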



