RE: Personal Rule
I used the second option and had a couple of problems. First problem was quickly solved; double underscores needed to stop the header rules adding to the score. Second problem is that the "blank" name is scoring the same as if it were the wrong name. > From: Mike Spamassassin [mailto:[EMAIL PROTECTED] >> >> This is working pretty well so far. >> Thanks for you help with this. >> >> I would like to enhance it to cater for the situations where I am >> not in the "To" address (e.g. I am in CC: to Bcc: or the "mailing >> list" situation. >> >> How would I do a test of the form: >> >> If To: email address contains ernstoff.net then check for To: real >> name contains Mike or Michael or is blank? > > That is a bit more complex. Meta rules may be the best way to go > here. > > header _TO_MYEMAIL To:addr =~ /ernstoff\.net/i > header _CC_MYEMAIL Cc:addr =~ /ernstoff\.net/i > > header _TO_MYNAME To:name =~ /\b(?:Mike|Michael)\b|^$/i > header _CC_MYNAME Cc:name =~ /\b(?:Mike|Michael)\b|^$/i > > meta NOT_MY_NAME (_TO_MYEMAIL && ! _TO_MYNAME) > || (_CC_EMAIL && ! _CC_MYNAME) > describe NOT_MY_NAME My email address, but not my name > score NOT_MY_NAME 1 > > (Note that the meta command should be all on one line) > > The rule names that start with an underscore are defined as sub-rules > and are not scored separately. > > Also, keep in mind that the :addr and :name modifiers only grab the > first address or real name on the line. If there are multiple > addresses or real names, they are ignored. You may have better > results just leaving off the :addr and :name modifiers and accepting > that it will miss a few by matching the name inside the email address > ([EMAIL PROTECTED], for example). > > header _TO_MYEMAIL To =~ /ernstoff\.net/i > header _CC_MYEMAIL Cc =~ /ernstoff\.net/i > > header _TO_MYNAME To =~ /\b(?:Mike|Michael)\b(?!\@)|^$/i > header _CC_MYNAME Cc =~ /\b(?:Mike|Michael)\b(?!\@)|^$/i > > meta NOT_MY_NAME ( _TO_MYEMAIL && ! _TO_MYNAME ) > || ( _CC_EMAIL && ! _CC_MYNAME ) > describe NOT_MY_NAME My email address, but not my name > score NOT_MY_NAME 1 > > The extra stuff on the name regex ensures that the name is not > immediately followed by an "@" to try to avoid matching on obvious > email addresses. > > It is possible to parse it all out, but as there are quite a few valid > formats, this would be far more trouble than it is worth. > > Bowie > >
RE: Personal Rule
This is working pretty well so far. Thanks for you help with this. I would like to enhance it to cater for the situations where I am not in the "To" address (e.g. I am in CC: to Bcc: or the "mailing list" situation. How would I do a test of the form: If To: email address contains ernstoff.net then check for To: real name contains Mike or Michael or is blank? > From: Mike Spamassassin [mailto:[EMAIL PROTECTED] >> >> > From: Mike Spamassassin [mailto:[EMAIL PROTECTED] >> >> >> >> I have seen a rule to identify that the "From" address does not >> >> have a "real name", which I presume is the description (i.e. in >> >> my case "Mike Spamassassin"). I would like to have a rule which >> >> identifies emails where the "To" address does not contain either >> >> "Mike" or "Michael". Has anyone created a similar rule, or can >> >> anyone point me in the right direction. >> > >> > As has been pointed out before, this is generally a bad idea. >> > There are lots of newsletters and mailing lists (including this >> > one) that do not put your name in the "To" field. >> > >> > If you want to try it, you can use a rule such as this: >> > >> > header NOT_MY_NAME To:name !~ /\b(?:Mike|Michael)\b/i >> > score NOT_MY_NAME 0.5 >> > describe NOT_MY_NAME To does not contain Mike or Michael >> > >> > Adjust the score to your liking. Don't put it too high until you >> > are sure it's not going to produce too may false positives. >> > >> > If you do this, you may need to whitelist some of your mailing >> > lists and newsletters. >> >> Thanks for your help. >> I will try this out, and see how it goes. >> Presumably it could be amended to check for Mike, Michael or blank to >> avoid the problem you mentioned. >> I will look up the regular expression syntax and see if I can >> suss it out. > > I'm not quite sure how to check for the absence of a real name. I > guess I could go find the rule that checks the From line, but I'm too > lazy at the moment. :) > > This might work: > > header NOT_MY_NAME To:name !~ /\b(?:Mike|Michael)\b|^$/i > > It is still susceptible to false positives, tho. How about this > example: > > To: "Mailing List" <[EMAIL PROTECTED]> > > Since SA uses Perl regular expressions, these two pages may be useful: > > Perl Regular Expressions Quick Start > http://perldoc.perl.org/perlrequick.html > > Perl Regular Expressions Tutorial > http://perldoc.perl.org/perlretut.html > > Bowie > >
Re: Personal Rule
So far so good. I have given this rule a score of 1. 4 is classified as spam and 2 is filtered into a MaybeSpam folder. I have implemented the rule to allow blank/Mike/Michael > From: "Mike Spamassassin" <[EMAIL PROTECTED]> > >>I have seen a rule to identify that the "From" address does not have a >> "real name", which I presume is the description (i.e. in my case "Mike >> Spamassassin"). >> I would like to have a rule which identifies emails where the "To" >> address >> does not contain either "Mike" or "Michael". >> Has anyone created a similar rule, or can anyone point me in the right >> direction. > > You'll be sooorr! The idea is extremely susceptible to > false positives and negatives. > > {o.o} > > >
RE: Personal Rule
Thanks for your help. I will try this out, and see how it goes. Presumably it could be amended to check for Mike, Michael or blank to avoid the problem you mentioned. I will look up the regular expression syntax and see if I can suss it out. > From: Mike Spamassassin [mailto:[EMAIL PROTECTED] >> >> I have seen a rule to identify that the "From" address does not have a "real name", which I presume is the description (i.e. in my case "Mike Spamassassin"). I would like to have a rule which identifies emails where the "To" address does not contain either "Mike" or "Michael". Has anyone created a similar rule, or can anyone point me in the right direction. > > As has been pointed out before, this is generally a bad idea. There are lots of newsletters and mailing lists (including this one) that do not put your name in the "To" field. > > If you want to try it, you can use a rule such as this: > > header NOT_MY_NAME To:name !~ /\b(?:Mike|Michael)\b/i > score NOT_MY_NAME 0.5 > describe NOT_MY_NAME To does not contain Mike or Michael > > Adjust the score to your liking. Don't put it too high until you are sure it's not going to produce too may false positives. > > If you do this, you may need to whitelist some of your mailing lists and newsletters. > > Bowie > >
Personal Rule
I have seen a rule to identify that the "From" address does not have a "real name", which I presume is the description (i.e. in my case "Mike Spamassassin"). I would like to have a rule which identifies emails where the "To" address does not contain either "Mike" or "Michael". Has anyone created a similar rule, or can anyone point me in the right direction. Thanks in advance Mike
Re: sa-learn error message
>> Everything seems to work OK, but I get one error message. >> When I run sa-learn --sync I get >> "Parameter to use lib must be directory, not file at >> $HOME/local/lib/perl5/i386-linux/Razor2/Client/Agent.pm line 13" > > Just from the error message, I would assume you had set up Razor, or at > least enabled the razor rules. And there is something wrong with the way > you set it up. It looks like you have to specify a path someplace (maybe > in > razor configuration?) and you have pointed to a file instead of a > directory. > > Loren > > Thanks Loren and Theo, both for the suggestions and for responding so quickly. I had assumed the lib was the name of some kind of a perl variable. Once you pushed me in the direction of it being the name of a file or directory I did a "find" from local and found two occurrences, one being a file the other being a directory. The first one, the lib file was not part of SpamAssassin or razor so I moved it, and now the error message has gone. Mike
sa-learn error message
I have installed SpamAssassin 3.0.3 on Debian Linux using the SingleUserUnixInstall instructions on the SpamAssassin Wiki, as I do not have root access. Perl version is 5.6.1 Everything seems to work OK, but I get one error message. When I run sa-learn --sync I get "Parameter to use lib must be directory, not file at $HOME/local/lib/perl5/i386-linux/Razor2/Client/Agent.pm line 13" I had the same problem with SpamAssassin 3.0.2 Can anyone point me in the right direction? I know Unix but not much Linux and very little perl. Thanks in advance Mike
Re: Is there such a test?
I'd take that bet. While you are almost certainly correct with the likes of those who subscribe to this group, who often have multiple email addresses, out there in [EMAIL PROTECTED] land, and hotmail world, most people have a single email address strongly related to their name. Back to the original question: Regardless of whether anyone thinks it is a good test or not, has anyone yet created such a test? > Mike Spamassassin wrote: > >>Point taken, but I still think it would be a valid test. >>Like all SpamAssassin tests it should only be one of many indicators. >> > > No, not really. There's a minimum useful S/O ratio for spam rules. > > I'd bet $5.00 that this rule would have a S/O under 0.80 in the > corpus.(ie: no more 80% of it's hits were spam, and at least 20% were ham) > >
Re: Is there such a test?
Point taken, but I still think it would be a valid test. Like all SpamAssassin tests it should only be one of many indicators. In particular all the ones that I receive I would expect to have "Mike" or "Michael" in the description of my email address. I would also like to be able to pick out those from "Microsoft Support" which are not from microsoft.com and other typical phishing mails. > At 10:00 AM 3/15/2005, Mike Spamassassin wrote: >>I have just received spam from >> [EMAIL PROTECTED] >>Is there a test which identifies that the description (Esmeralada >>Bouchard) bears no resemblance to the given sender's address? > > No.. It's quite common for normal people to have that. > > For example, take a look at Theo Van Dinter's email address. The only > letters in common between his name and his email username are t,i, and e. > (The username part is "felicity", and the domain has no resemblance to his > name either.. "kludge") > > And what about Paul Shupak, who uses "List Mail User" as a description, > and > "track" as a username? > > Or these other combinations from this mailing lists (domains removed to > reduce harvesting problems) > > "Ben Wylie" sasssin@ > "Kai Schaetzl" maillists@ > "Matt Yackley" sare@ > "Matthias Keller" linux@ > > >
Is there such a test?
I have just received spam from [EMAIL PROTECTED] Is there a test which identifies that the description (Esmeralada Bouchard) bears no resemblance to the given sender's address? Similarly I sometimes receive spam mail to my email address but with a completely unrecognisable description. Are there any tests to identify these discrepancies between the email addresses and their descriptions?