Am 30.05.2016 um 01:20 schrieb John Hardin:
On Sun, 29 May 2016, Reindl Harald wrote:Am 29.05.2016 um 23:38 schrieb John Hardin:On Thu, 26 May 2016, RW wrote: > I noticed that Bayes is picking-up on very strong tokens from "eval" and > "code" in headers like this: > > X-PHP-Originating-Script: 1013:global.php(1938) : eval()'d code > > The "eval()'d code" part is in just over 2% of my spam, but it's > never occurred in a single ham in my corpus. It doesn't do too well in masscheck: http://ruleqa.spamassassin.org/20160528-r1745852-n/__PHP_ORIG_SCRIPT_EVAL/detailwhere is the rule?https://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jhardin/20_misc_testing.cfif masscheck pretends that this hits a relevant amount of hamIt doesn't. 3 out of 139k.
so what did you want to say with "It doesn't do too well in masscheck"
while we see 250 sampls *at all* with a "X-PHP-Originating-Script"Here is the basic "header exists" rule for that same masscheck run: http://ruleqa.spamassassin.org/20160528-r1745852-n/__HAS_PHP_ORIG_SCRIPT/detail
i see there a lot of stuff but not the rule source itself but that is only "has that header" i guess
header CUST_PHP_EVAL X-PHP-Originating-Script =~ /eval\(\)\'d code/
score CUST_PHP_EVAL 1.5 describe CUST_PHP_EVAL Looks like from exploited webserver
It hits 1595 spam and 1972 ham. Where are you getting only 250 hits for that header?
in our corpus containg 90000 eml files
signature.asc
Description: OpenPGP digital signature
