On Wed, 2009-06-17 at 11:18 -0700, omehegan wrote:
> Lately a lot of 419 and investment spams
> have been getting through with very low SA scores. Can anyone take a look at
> these and see if there's another ruleset I should use to trap them?

One thing I've been fiddling with for a while is a ruleset to detect fill-in-the-form type stuff that you see a lot in scam emails. I've recently modified it to use ReplaceTags, as the older non-tokenized version has reached the point of unmaintainability.

If you're willing to try beta rules, you are welcome to download a patched ReplaceTags plugin that implements multipass, and the FillForm ruleset. As always, reduce the scores somewhat at first until you gain confidence in the rules.

I get fairly good results against the fraud spams I get, but the results against the SA masscheck are disappointing. I'd like to think that's because the spam corpora don't have a lot of scam messages... :)

I'd appreciate some feedback if you do try the rules out, especially any false positives with FILL_THIS_FORM_LONG.

http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/ReplaceTags.pm
http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jhardin/20_fillform.cf

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
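
The idea described in the message above, tokenized rule patterns expanded in more than one pass and used to spot blank form fields, sketched as an added example; it is not the FillForm ruleset or the ReplaceTags plugin code. The tag names, field list, threshold and sample messages are assumptions constructed for illustration.

```python
import re

# Hypothetical tag table: a rule may contain <NAME> tokens, and a tag's
# value may itself contain tokens, so one substitution pass is not enough.
TAGS = {
    "SP": r"[ \t]*",
    "BLANK": r"(?:[_.]{3,}|$)",          # "____", "....", or nothing at all
    "SEP": r"<SP>[:=]<SP>",
    "FIELD": r"(?:full<SP>name|name|address|age|occupation|phone|country)",
}
RULE = r"^<SP>(?:\d+[.)]<SP>)?(?:your<SP>)?(<FIELD>)<SEP><BLANK>"
TOKEN = re.compile(r"<([A-Z]+)>")

def expand(pattern, tags, max_passes=5):
    """Substitute <NAME> tokens repeatedly until none remain."""
    passes = 0
    while TOKEN.search(pattern):
        if passes == max_passes:
            raise ValueError("tokens left after %d passes (cycle?)" % passes)
        pattern = TOKEN.sub(lambda m: tags[m.group(1)], pattern)
        passes += 1
    return pattern, passes

def blank_fields(body, rule=RULE, tags=TAGS):
    """Return the distinct field labels that are followed by a blank."""
    regex = re.compile(expand(rule, tags)[0], re.I | re.M)
    return {re.sub(r"\s+", " ", m.group(1).lower())
            for m in regex.finditer(body)}

def is_fill_form(body, threshold=3):
    # One blank field is common in real mail; several distinct ones is the signal.
    return len(blank_fields(body)) >= threshold

# Constructed sample messages.
SCAM = """To process your claim, reply with:
1. Full Name: ________
2. Address: ........
3. Age:
4. Occupation: ______
Phone = ____
"""
HAM = """Hi, my name: is not on the list yet.
Address: 12 Main St
Phone: see below...
"""

if __name__ == "__main__":
    for label, msg in (("scam", SCAM), ("ham", HAM)):
        print(label, sorted(blank_fields(msg)), is_fill_form(msg))
```

Counting distinct labels rather than raw matches keeps a message that repeats a single blank field from reaching the threshold.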