On 4/1/2015 12:41 PM, Amir Caspi wrote:
> Going back to this:
>
> On Apr 1, 2015, at 7:47 AM, Bowie Bailey <bowie_bai...@buc.com> wrote:
>> That might be reasonable for most email addresses, but there are quite a few
>> people who have a usable name or nickname as the user part of their email.
>> (j...@example.com). It would not make sense to score an email just for having
>> their name in the subject.
>
> Well, this wouldn't be the first or only rule that doesn't work for everyone... plus, I would
> certainly make it case sensitive, so that "John" wouldn't match "john@", for
> example. This rule could be disabled by default and turned on by people who want it, or vice
> versa. I'd also imagine it would generate a lower score from masscheck than the regular TO_IN_SUBJ
> would, and hence would be of less impact towards FPs (but that extra few-tenths of a point could
> make the difference to push a lot of these spams over the threshold, particularly if they hit
> BAYES_999 but not any other rules, as many snowshoe spams often do in the early stages).
>
>> And then there are addresses which use normal words in the address which would
>> also not make sense to score. For example: i...@example.com,
>> ab...@example.com, supp...@example.com, etc.
>
> Indeed, and those likely-FP words could be explicitly excluded via negative
> match, so that qw(info abuse support mail) etc. wouldn't score. The same could
> be done for common names, I suppose, although I agree that gets a bit
> cumbersome.
>
> Anyway, it was just a thought... I'd certainly support such a rule, even if it
> had to be manually enabled or rescored.

I don't think it would work as a standard rule. It would have too much
variance in the FP rate depending on the email address and trying to
maintain a list of problematic words/names would probably be too
cumbersome in the general case.

It might work as an informational rule (score 0.001) that admins could
use in meta rules or increase scoring on a per-user basis.

--
Bowie
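
The check discussed in this thread, sketched as an added example (not SpamAssassin code and not written by either poster): a case-sensitive match of the To: local part against the Subject, with the four excluded words named above and the 0.001 informational score. The whole-token matching, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import getaddresses

# Words the thread proposes excluding by negative match.
EXCLUDED = {"info", "abuse", "support", "mail"}
INFO_SCORE = 0.001  # informational score suggested in the thread

def localparts_in_subject(raw, excluded=EXCLUDED):
    """Return To: local parts found case-sensitively in the Subject."""
    msg = message_from_string(raw)
    # Decode RFC 2047 encoded-words so an encoded Subject is still checked.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    hits = []
    for _name, addr in getaddresses(msg.get_all("To", [])):
        local, at, _domain = addr.rpartition("@")
        if not at or not local or local.lower() in excluded:
            continue
        # Assumption: match whole tokens only, so "al" does not hit "deal".
        pat = r"(?<![A-Za-z0-9])" + re.escape(local) + r"(?![A-Za-z0-9])"
        if re.search(pat, subject):  # no re.I: "John" must not match john@
            hits.append(local)
    return hits

def score(raw):
    return INFO_SCORE if localparts_in_subject(raw) else 0.0

def make_msg(to, subject):
    return f"To: {to}\nSubject: {subject}\n\nbody\n"

# Constructed sample messages, not taken from real mail.
SAMPLES = {
    "token": make_msg("jsmith42@example.com", "jsmith42, your order is waiting"),
    "case": make_msg("john@example.com", "John, lunch on Friday?"),
    "excluded": make_msg("support@example.com", "support ticket update"),
    "name_fp": make_msg("john@example.com", "Re: notes from john"),
    "encoded": make_msg("jsmith42@example.com", "=?utf-8?q?jsmith42=2C_act_now?="),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, localparts_in_subject(raw), score(raw))
```

The `name_fp` sample still fires on a legitimate reply, which is the address-dependent false-positive variance raised in the thread.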