> Example: I am currently writing a very FEW rules, some from
> scratch and some by adapting the work or ideas of others from
> such lists or web sites.
>
> You have all convinced me that if I post a rule for discussion
> that it is then close to worthless.
It depends on how you post it. And it may depend on where you post it.

We KNOW that posting rules with descriptions of "this hits xxx" in the users
list will in many cases kill a rule.

We know that posting the NAME of a rule and saying "it will catch stuff like
that" does NOT kill the rule.

We know that saying "look at rule XXX in file blah.cf, it is a check for
xxx" does NOT kill the rule.

It is my untested belief that a rule could be posted in full *with no
explanation of what it catches* and it would probably still be a good rule.

The trick to killing a rule seems to require three parts, possibly four:

1. Post the actual rule.
2. Explain what it catches.
3. Post it in the right place (user list is known to be a 'right place').
4. Possibly it will need to be a rule catching one of the cleverer
   spammers' stuff - one that can read the user's list and follow the
   discussion. This is undetermined, but a reasonable theory.

We know that this seemingly will NOT kill a rule:

1. Mention the rule name, and even describe what it catches.
2. Mention where the rule is located, the name, and describe what it
   catches.
3. Sometimes at least, posting a rule in full, but NOT describing what it
   catches.

So rules can be discussed in public. The tricks are to be either a little
vague on how the rule works, or to not post the rule body with the
discussion (refer to where the rule can be found instead), or to not post a
complete rule body, but give an example and describe modifications needed.

Another trick that is probably viable is to discuss local rules that have to
be modified at each shop. By definition spammers aren't going to target
these rules for avoidance, since they can't be sure what it will look like
at your shop, and they probably don't know what your shop is in the first
place.
> I want to write a rule (or maybe a plugin is necessary for this)
> to check "display name" against "user part of email (before the @)".
This one has been discussed quite a number of times, and the general wisdom
is that you can't do it generally, and probably not at all. Bucking the
general wisdom, I've had such a rule for a long time, score it at 4 points,
and it is one of my best spam catchers. I've even posted slightly modified
versions of it on the user's list a few times.
> Now I have no idea if this is going to offer an advantage nor
> precisely how to do it -- I expect a noticeable false positive
> rate but also suspect that overall this might hit spam that is
> not being found.
The trick here is to avoid the more common fps. I don't know if you can do
it as a generality as a rule. You might be able to do it in an eval, but I
suspect that unless you are at a company that dictates the form of the email
address, that might be hard. If you are at some place that dictates that
mail looks like "Foo M. Bar" [EMAIL PROTECTED] then you have a fairly easy
task. If you are Hotmail you have a near impossible task.

If you are willing to restrict this to hand-coded rules it gets easier,
since it devolves the intelligence required onto you rather than the rule
code.
> "Shirley Johnson" <[EMAIL PROTECTED]> stands out as a
> high probability of being a bogus email to humans, but
> can a rule or plugin understand this obvious mismatch.
> (And spammers must believe it is important to make
> that display name look reasonable because the vast
> majority of my spam now looks like this.)
It occurs to me a thing to try, which would require an eval, would be to
determine the percentage of common letters between the quoted name and the
user name. That might actually be rather high in many cases.
Loren
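
The letter-overlap idea from the last paragraph of the reply, as an added example that is not part of the original message and is not SpamAssassin code: a standalone Python function rather than an eval plugin. The function name, the choice of denominator and the sample headers are assumptions made here.

```python
from collections import Counter
from email.utils import parseaddr


def _letters(text):
    """Lower-case ASCII letters only; digits, dots and spaces are ignored."""
    return [c for c in text.lower() if "a" <= c <= "z"]


def common_letter_pct(from_header):
    """Percentage of letters shared by the display name and the user part.

    Returns None when there is nothing to compare (no display name, no
    address, or the display name is itself an address), so a caller can
    skip scoring instead of treating a missing name as a mismatch.
    """
    display, addr = parseaddr(from_header)
    if not display or "@" not in addr or "@" in display:
        return None
    local = addr.rsplit("@", 1)[0]
    name_letters, local_letters = _letters(display), _letters(local)
    if not name_letters or not local_letters:
        return None
    # Multiset intersection: each letter counts as often as it occurs in both.
    shared = sum((Counter(name_letters) & Counter(local_letters)).values())
    # Assumption: divide by the shorter side so "jsmith" for "John Smith"
    # scores 100 rather than being penalised for abbreviating.
    return round(100.0 * shared / min(len(name_letters), len(local_letters)), 1)


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"Foo M. Bar" <fmbar@example.com>',
    '"John Smith" <jsmith@example.com>',
    '"Shirley Johnson" <xkq7vbz@example.com>',
    '"Shirley Johnson" <tom.baker@example.com>',
    'plain@example.com',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{common_letter_pct(header)!s:>6}  {header}")
```

The fourth sample scores 37.5 although the two names are unrelated, so any threshold would have to be tuned against real ham before the result is given a score.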