Hi,

On Thu, Jul 13, 2017 at 10:07 AM, Martin Gregorie <mar...@gregorie.org> wrote:
> On Thu, 2017-07-13 at 12:59 +0000, Charles Amstutz wrote:
>> I find it challenging to constantly keep up with campaigns. My
>> guess with the phone number is to try to make it seem more
>> legitimate.
>> More recently, I try to look for general characteristics and go for
>> that, in order to futureproof rules. However, there are always
>> legitimate emails being sent that would trigger a potential rule
>> (depending on what you are matching on).
>>
> I'm continuing to get good results from a multi-level approach:
>
> I use two or more subrules with low scores (0.01 or so) that are
> combined by an AND relation in a meta-rule that triggers a suitably
> spammy score when all subrules get hits.
>
> The subrules are typically automatically assembled lists of words or
> phrases - automatically assembled because that makes maintenance vastly
> easier. The list contents are typically words and phrases found in
> spam, e.g. one list might be selling phrases such as "get you rocks off
> with" that are unlikely to appear in personal or legit commercial mail
> and another might be names or slang terms for less common
> pharmaceuticals.
>
> The basis of this idea, which works surprisingly well in practice, is
> that a hit on one list may be accidental but a message hitting on both
> lists is more likely than not to be spam. A side benefit of this
> approach is that it will also hit combinations that weren't used in any
> of the spam analysed to create the lists, and that this will not
> generate false positives if the list contents are carefully chosen.
>
> I use an awk script to turn easily edited definition files into valid
> SA rules and hand-write the combining meta-rules.
We have a local blocklist that generates rules based on strings identified in the body, subject and sender. I don't think it's quite the same, however. Would you be willing to share a few examples? We also have a system where we use some of the address collection rules combined with some of our own rules for catching "list" spam ("Sports enthusiasts", etc).
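The list-plus-meta-rule scheme Martin describes, as an added example that is not part of the thread and is not his awk script: a POSIX shell script that uses awk to turn one-phrase-per-line definition files into low-scored SpamAssassin `body` subrules and then writes the `meta` rule that ANDs them. The rule names (LOCAL_LIST_SELLING, LOCAL_LIST_PHARMA, LOCAL_SELL_PHARMA), the file names and the phrase lists are all constructed for the example. Beyond what the post states, the generator escapes regex metacharacters in each phrase, so a list entry such as `www.example.com/deals` matches literally and cannot break the `/.../` delimiters of the generated rule, and it refuses to emit a rule for an empty list, which would otherwise silently match nothing.

```shell
#!/bin/sh
# Added example (not from the thread): generate SpamAssassin list subrules
# and the AND meta-rule that combines them, from one-phrase-per-line files.
# Rule names, file names and phrase lists below are hypothetical.
set -eu

# gen_list_rule NAME FILE
# Emit one 'body' subrule matching any phrase in FILE (blank lines and '#'
# comment lines skipped), scored 0.01 so a hit on this list alone adds
# nothing noticeable to the total. Regex metacharacters and the '/' rule
# delimiter are escaped so every phrase is matched literally.
gen_list_rule() {
    awk -v name="$1" '
        /^[ \t]*(#|$)/ { next }                       # skip blanks and comments
        {
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")  # trim the phrase
            gsub(/[][\\.^$*+?(){}|]/, "\\\\&")        # escape regex metacharacters
            gsub("/", "\\\\/")                        # escape the rule delimiter
            phrases = phrases (n ? "|" : "") $0
            n++
        }
        END {
            if (!n) { print "gen_list_rule: no phrases for " name > "/dev/stderr"; exit 1 }
            printf "body     %s  /\\b(?:%s)\\b/i\n", name, phrases
            printf "score    %s  0.01\n", name
            printf "describe %s  auto-generated list of %d phrases\n", name, n
        }' "$2"
}

# gen_meta_rule NAME SCORE SUBRULE...
# Emit the hand-written part of the scheme: a meta-rule that fires only
# when every named subrule hits, carrying the real spammy score.
gen_meta_rule() {
    name=$1 score=$2
    shift 2
    expr=
    for sub in "$@"; do
        expr="${expr:+$expr && }$sub"
    done
    printf 'meta     %s  (%s)\n' "$name" "$expr"
    printf 'score    %s  %s\n' "$name" "$score"
    printf 'describe %s  fires only when every listed subrule hits\n' "$name"
}

# Constructed sample definition files standing in for the real lists.
work=$(mktemp -d)
cat > "$work/selling.txt" <<'EOF'
# selling phrases unlikely in personal or legitimate commercial mail
act now
www.example.com/deals
EOF
cat > "$work/pharma.txt" <<'EOF'
sildenafil
tadalafil
EOF

# Assemble a complete .cf fragment: two subrules plus the combining meta.
{
    gen_list_rule LOCAL_LIST_SELLING "$work/selling.txt"
    gen_list_rule LOCAL_LIST_PHARMA  "$work/pharma.txt"
    gen_meta_rule LOCAL_SELL_PHARMA 4.0 LOCAL_LIST_SELLING LOCAL_LIST_PHARMA
} > "$work/local_lists.cf"
cat "$work/local_lists.cf"
rm -rf "$work"
```

Drop the generated fragment into the site rules directory and run `spamassassin --lint` before reloading; lint is what catches a phrase that still breaks the regex. Two caveats: the `\b` anchors assume every phrase starts and ends with a word character, so entries such as `$99` need a different wrapper, and the 0.01 score is a choice rather than a requirement: SpamAssassin's own convention for score-less subrules is a name beginning with `__`, which keeps them out of the X-Spam-Status hit list entirely, whereas a 0.01 subrule still shows up there, which is useful when you want to see which list fired on a borderline message.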