>From: MySQL Student [mailto:mysqlstud...@gmail.com]
>I'm having trouble catching spam that contains lotto/money schemes or
>simply asks the user to email a particular address for a loan or
>otherwise. Here's an example:
Please use pastebin.
>It hit BAYES_99, but that's it. Are there any rules that pertain to
>'loan' or this type of mail that can somehow block these?
FreeMail.pm and the SOUGHT_FRAUD rules.
>The others I don't understand how to block are those with lottery or
>money offers, such as this:
>Are there rules that look for large sums of money in the body? What
>else can be done to block these?
There are lots of Money rules, but I had to make a couple of custom ones to
catch things like that one:
body MILLION_EURO
/\b(million|hundred.{0.40}\bthousand)\b.{0,40}\b(euro|pound)s?\b/i
describe MILLION_EURO Talks about millions of Euros
score MILLION_EURO 2.391 1.777 1.501 1.528
body AE_GBP /\d{3}[,.]\d{3}(?:[,.]\d\d)?\s?gbp/i
describe AE_GBP Mentions hundreds of thousands (or millions) of
British pounds
score AE_GBP 2.00
Then, I usually create a meta rule, like this pair:
body AE_FRAUD_ADVICE /\byou are\b.{0,20}\badvised to contact\b/i
describe AE_FRAUD_ADVICE Someone offering free advice
score AE_FRAUD_ADVICE 1.0
meta AE_ADVICE_WITH_MONEY AE_FRAUD_ADVICE && (MILLION_EURO || MILLION_USD
|| US_DOLLARS_3 || NA_DOLLARS || FRT_DOLLAR || AE_GBP || __FRAUD_DBI)
describe AE_ADVICE_WITH_MONEY Has advice and mentions much money
score AE_ADVICE_WITH_MONEY 2.0
--
Dan McDonald, CCIE #2495, CISSP # 78281, CNX
