Owen B. Mehegan wrote:
> Lately a lot of 419 and investment spams have been getting through
> with very low SA scores. Can anyone take a look at these and see
> if there's another ruleset I should use to trap them?
Owen, particularly with 419/scam spams, it's VERY helpful if you tell us more about your ham ecology. It would also be helpful if you told us about your FP pipeline. For example: Do you have a corpus? Can you easily analyze individual SA hits on ham, over an extended period? The better your pipeline, the more aggressive you can be. If you have a deep understanding of your own ham ecology (based on analyzing data over multiple years), you can make informed decisions as to how to slant your tests.

From your use of Nabble, I infer you are a small domain, with mostly/completely non-arms-length users. From your domain name, I infer your userbase consists partly (perhaps completely) of Nerds. :)

If those inferences are correct, here are some things that should help:

1. raise the score for "SUBJ_ALL_CAPS" and some scammy tests
2. use a "FreeMail" plugin
3. use a country of origin/route plugin

#1 is low-risk in a "pure Nerd" ham environment. In Nerd/Geek ham, it hits most often on forwarded chain letters and other crud, so even if it FPs, it's minimal "harm". You might also want to tweak all the AdvanceFee/scam SA tests, including "ADVANCE_FEE_[n]", "DEAR_FRIEND", "MILLION_USD", "US_DOLLARS_[n]". Of those, the first two occur occasionally in ham, but usually it's of low loss/FP value.

#2 should hit on about half of your samples (I'm using a different implementation, so I can't verify the exact performance - perhaps someone with the SA plugin can run your samples and report?). Note that your middle-scoring samples ALL should hit the FreeMail plugin.

#3 is somewhat controversial, and if implemented must be done VERY carefully. I hope we can all agree that scoring West Africa, particularly in combination with scam-oriented metas, has an excellent risk-reward ratio. So far this year, over half of all my AdvanceFee-ish spams have been sent via West Africa (typically originating there, and sent via a compromised USA/WEurope IP).
Here's a dump of the complete Countries routes of your samples (frequency first, then square brackets around the IP immediately outside your own network):

2 [France], Nigeria
1 [India], Japan
3 [Netherlands], Mexico
1 [Taiwan]
1 [United States], United States, Great Britain

In your samples, the lowest-scoring three just happened to have the most unlikely nations (Nigeria, India+Japan) in their routes. That won't always be so. I would NEVER block the Netherlands (it _IS_ one of the Geekiest nations on the planet!), however it does have many freemailers who are often compromised, so when it occurs in COMBINATION with an "unlikely" nation like Mexico, it's worth considering a CAUTIOUS score.

John Hardin wrote:
> sa-update won't bring 3.2.1 up to 3.2.5; you're not getting the
> up-to-date rules, which may catch those.

+1 Always VERY good advice, particularly given the age difference. :)

- "Chip"
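As an added example (not Chip's configuration, and not part of the original thread), here is what the three recommendations above look like as a SpamAssassin local.cf fragment: raised scores on the scam tests, the FreeMail rules, and route-country rules that only score in COMBINATION with scam content or a freemail sender. It assumes SpamAssassin 3.3 or later with the stock RelayCountry and FreeMail plugins loaded in the .pre files and a GeoIP database installed; the rule names are the ones quoted in the thread (later rulesets renamed the advance-fee tests, e.g. ADVANCE_FEE_2_NEW), the West Africa country list, the "unlikely" country list and every score value are assumptions for illustration and must be tuned against your own ham corpus.

```text
# /etc/mail/spamassassin/local.cf fragment (example, assumptions noted above).
# Plugins must be enabled first in the .pre files:
#   loadplugin Mail::SpamAssassin::Plugin::RelayCountry   (v310.pre)
#   loadplugin Mail::SpamAssassin::Plugin::FreeMail       (v330.pre)

# --- #1: lean on SUBJ_ALL_CAPS and the scam tests -----------------------
# Rule names as quoted in the thread; `spamassassin --lint` warns if a
# meta below references a name your installed ruleset does not have.
score SUBJ_ALL_CAPS   2.0
score DEAR_FRIEND     2.5
score MILLION_USD     2.0
score US_DOLLARS_3    2.0
score ADVANCE_FEE_2   2.0
score ADVANCE_FEE_3   3.0

# --- #2: FreeMail --------------------------------------------------------
# FREEMAIL_FROM and FREEMAIL_REPLYTO are stock FreeMail rules (the latter
# fires when Reply-To and From/body carry different freemail addresses).
# Extend the domain list to the freemailers you actually see in scams.
freemail_domains gmail.com yahoo.com yahoo.co.* hotmail.com hotmail.co.* live.com aol.com
score FREEMAIL_FROM    1.0
score FREEMAIL_REPLYTO 1.5

# scam wording plus a freemail Reply-To is the classic 419 shape
meta     SCAMMY_FREEMAIL_REPLYTO (FREEMAIL_REPLYTO && (ADVANCE_FEE_2 || DEAR_FRIEND || MILLION_USD))
describe SCAMMY_FREEMAIL_REPLYTO Advance-fee wording with a freemail Reply-To
score    SCAMMY_FREEMAIL_REPLYTO 2.5

# --- #3: route-country rules, used CAUTIOUSLY ----------------------------
# RelayCountry puts the country code of each relay into the
# X-Relay-Countries pseudo-header. The country rules below carry near-zero
# scores on their own (0 would disable them); they exist to feed the metas.
# West Africa list is an assumption for this example.
header   RELAYCOUNTRY_WAFRICA X-Relay-Countries =~ /\b(?:NG|GH|CI|BJ|TG|SN)\b/
describe RELAYCOUNTRY_WAFRICA Relayed through West Africa
score    RELAYCOUNTRY_WAFRICA 0.1

header   RELAYCOUNTRY_NL X-Relay-Countries =~ /\bNL\b/
describe RELAYCOUNTRY_NL Relayed through the Netherlands
score    RELAYCOUNTRY_NL 0.001

# "unlikely" means rare in THIS site's ham; the list is an assumption
header   RELAYCOUNTRY_UNLIKELY X-Relay-Countries =~ /\b(?:MX|IN|JP)\b/
describe RELAYCOUNTRY_UNLIKELY Relayed through a country rare in local ham
score    RELAYCOUNTRY_UNLIKELY 0.001

# Never score a country by itself: only together with scam content.
meta     WAFRICA_SCAM (RELAYCOUNTRY_WAFRICA && (ADVANCE_FEE_2 || ADVANCE_FEE_3 || DEAR_FRIEND || MILLION_USD || US_DOLLARS_3))
describe WAFRICA_SCAM Scam wording relayed through West Africa
score    WAFRICA_SCAM 3.0

# Netherlands hop plus an unlikely country plus a freemail sender:
# the cautious score Chip describes, not a block.
meta     NL_PLUS_UNLIKELY (RELAYCOUNTRY_NL && RELAYCOUNTRY_UNLIKELY && FREEMAIL_FROM)
describe NL_PLUS_UNLIKELY Netherlands relay with an unlikely country and freemail sender
score    NL_PLUS_UNLIKELY 1.0

# Expose the route in delivered mail so later FP analysis can see it.
add_header all Relay-Countries _RELAYCOUNTRY_
```

Check the fragment with `spamassassin --lint` before reloading, then run `spamassassin -t < sample.eml` over the low-scoring samples to confirm the metas fire, and over your ham corpus (or at least a sizeable slice of it) to confirm they do not. The country metas are the ones to watch: a single geek correspondent who relays through a Netherlands freemailer from an "unlikely" country will show up there first.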