[Fwd: Re: *****POSIBLE SPAM***** Re: Annoying stocks scams]
please suspend this users mailing list account --- Begin Message --- Mensaje Automatico *** Este usuario no se encuentra operativo, para cualquier asunto le ruego se pongan en contacto con Leandro Gayango [EMAIL PROTECTED] *** >>> ehall 03/06/07 19:24 >>> Spam detection software, running on the system "vm-antispam2.mpsistemas.es", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: On 3/6/2007 5:30 AM, [EMAIL PROTECTED] wrote: > It's my first meta rule, which only gives a score if both conditions are > true, and I was wondering if there's a possibility to make the score more > "intelligent" : [...] Content analysis details: (5.1 points, 4.0 required) pts rule name description -- -- 1.0 MY_DSL I could use a BL for this. 0.5 NO_RDNSSending MTA has no reverse DNS (Postfix variant) 0.2 MR_NOT_ATTRIBUTED_IP Beta rule: an non-attributed IPv4 found in headers 0.0 BAYES_50 BODY: Bayesian spam probability is 40 to 60% [score: 0.5000] 2.0 RATWR10_MESSID Message-ID has ratware pattern (HEXHEX.HEXHEX@) 0.4 UPPERCASE_50_75message body is 50-75% uppercase 0.0 NO_RDNS2 Sending MTA has no reverse DNS 1.0 RCVD_IN_SORBS RCVD_IN_SORBS --- End Message ---
Re: Annoying stocks scams
On 3/6/2007 5:30 AM, [EMAIL PROTECTED] wrote: > It's my first meta rule, which only gives a score if both conditions are > true, and I was wondering if there's a possibility to make the score more > "intelligent" : my local rules use combinations. any message that hits AT LEAST one rule gets the L_STOCKS_1 match. messages that hit more than one ALSO get a separate score, in addition to L_STOCKS_1: metaL_STOCKS_1 (__L_STOCKS_01 || __L_STOCKS_02 || __L_STOCKS_03 || __L_STOCKS_04 || __L_STOCKS_05 || __L_STOCKS_06 || __L_STOCKS_07 || __L_STOCKS_08 || __L_STOCKS_09 || __L_STOCKS_10 || __L_STOCKS_11 || __L_STOCKS_12 || __L_STOCKS_13 || __L_STOCKS_14 || __L_STOCKS_15 || __L_STOCKS_16 || __L_STOCKS_17 || __L_STOCKS_18 || __L_STOCKS_19 || __L_STOCKS_20 || __L_STOCKS_21 || __L_STOCKS_22 || __L_STOCKS_23 || __L_STOCKS_24 || __L_STOCKS_25 || __L_STOCKS_26 || __L_STOCKS_27 ) describeL_STOCKS_1 One or more stock markers score L_STOCKS_1 1.0 metaL_STOCKS_2 (( __L_STOCKS_01 + __L_STOCKS_02 + __L_STOCKS_03 + __L_STOCKS_04 + __L_STOCKS_05 + __L_STOCKS_06 + __L_STOCKS_07 + __L_STOCKS_08 + __L_STOCKS_09 + __L_STOCKS_10 + __L_STOCKS_11 + __L_STOCKS_12 + __L_STOCKS_13 + __L_STOCKS_14 + __L_STOCKS_15 + __L_STOCKS_16 + __L_STOCKS_17 + __L_STOCKS_18 + __L_STOCKS_19 + __L_STOCKS_20 + __L_STOCKS_21 + __L_STOCKS_22 + __L_STOCKS_23 + __L_STOCKS_24 + __L_STOCKS_25 + __L_STOCKS_26 + __L_STOCKS_27 ) == 2) describeL_STOCKS_2 Two stock markers score L_STOCKS_2 4.0 metaL_STOCKS_3 (( __L_STOCKS_01 + __L_STOCKS_02 + __L_STOCKS_03 + __L_STOCKS_04 + __L_STOCKS_05 + __L_STOCKS_06 + __L_STOCKS_07 + __L_STOCKS_08 + __L_STOCKS_09 + __L_STOCKS_10 + __L_STOCKS_11 + __L_STOCKS_12 + __L_STOCKS_13 + __L_STOCKS_14 + __L_STOCKS_15 + __L_STOCKS_16 + __L_STOCKS_17 + __L_STOCKS_18 + __L_STOCKS_19 + __L_STOCKS_20 + __L_STOCKS_21 + __L_STOCKS_22 + __L_STOCKS_23 + __L_STOCKS_24 + __L_STOCKS_25 + __L_STOCKS_26 + __L_STOCKS_27 ) == 3) describeL_STOCKS_3 Three stock markers score L_STOCKS_3 9.0 metaL_STOCKS_4 (( __L_STOCKS_01 + __L_STOCKS_02 + __L_STOCKS_03 + __L_STOCKS_04 + __L_STOCKS_05 + __L_STOCKS_06 + __L_STOCKS_07 + __L_STOCKS_08 + __L_STOCKS_09 + __L_STOCKS_10 + __L_STOCKS_11 + __L_STOCKS_12 + __L_STOCKS_13 + __L_STOCKS_14 + __L_STOCKS_15 + __L_STOCKS_16 + __L_STOCKS_17 + __L_STOCKS_18 + __L_STOCKS_19 + __L_STOCKS_20 + __L_STOCKS_21 + __L_STOCKS_22 + __L_STOCKS_23 + __L_STOCKS_24 + __L_STOCKS_25 + __L_STOCKS_26 + __L_STOCKS_27 ) > 3) describeL_STOCKS_4 Four or more stock markers score L_STOCKS_4 20.0 My scores are high because I have some mail accounts on other networks that are lightly whitelisted and I need to hit the spams that come from there. Do not use those scores or else you will fry mailing lists etc.
Re: Annoying stocks scams
Rick Cooper wrote: Sorry to mess up the thread, I lost the original -Original Message- From: Dhawal Doshy [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 06, 2007 9:39 AM To: users@spamassassin.apache.org Subject: Re: Annoying stocks scams [EMAIL PROTECTED] wrote: Hi List! [ ... ] meta HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 ) describe HILO_STOCKS Looks like stocks scam score HILO_STOCKS 3.5 It's my first meta rule, which only gives a score if both conditions are true, and I was wondering if there's a possibility to make the score more "intelligent" : - if __HILO_STOCKS1 fires up, i would like to give the score maybe 0.5 - if __HILO_STOCKS2 matches as well together with __HILO_STOCKS2, make it 3.5 [ ... ] Define two metas, the first one hits only when 1 is true and 2 is false The second hits when both are true. You have to use the negation for 2 In meta one or you would double dip whenever both are true. meta HILO_STOCKS_1 ( __HILO_STOCKS1 && !__HILO_STOCKS2 ) meta HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 ) describe HILO_STOCKS_1 Looks like stocks scam First Hit Only describe HILO_STOCKS_2 Looks like stocks scam Both Hit score HILO_STOCKS_1 0.5 score HILO_STOCKS_2 3.5 If you wanted to score the 0.5 whenever either 1 or 2 is true and the other is false meta HILO_STOCKS_1 ( (__HILO_STOCKS1 && !__HILO_STOCKS2) || (!__HILO_STOCKS1 && __HILO_STOCKS2) ) Hi Rick, Though this looks simpler, you are effectively adding an extra meta.. you could simply replicate the AND/OR effect by modifying the scores. body HILO_STOCKS_1 whatever1 body __HILO_STOCKS_2 whatever2 meta HILO_STOCKS ( HILO_STOCKS1 && __HILO_STOCKS2 ) score HILO_STOCKS_1 0.5 score HILO_STOCKS 3.0 Only HILO_STOCKS_1 ==> 0.5 Only __HILO_STOCKS2 ==> Nothing Both ==> 0.5 + 3.0 Though i'm not sure how much overhead one extra meta will have??
RE: Annoying stocks scams
Sorry to mess up the thread, I lost the original > -Original Message- > From: Dhawal Doshy [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 06, 2007 9:39 AM > To: users@spamassassin.apache.org > Subject: Re: Annoying stocks scams > > [EMAIL PROTECTED] wrote: > > Hi List! > > [ ... ] > > meta HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 ) > > describe HILO_STOCKS Looks like stocks scam > > score HILO_STOCKS 3.5 > > > > It's my first meta rule, which only gives a score if both > conditions are > > true, and I was wondering if there's a possibility to make > the score > > more "intelligent" : > > > > - if __HILO_STOCKS1 fires up, i would like to give the > score maybe 0.5 > > - if __HILO_STOCKS2 matches as well together with > __HILO_STOCKS2, make > > it 3.5 [ ... ] Define two metas, the first one hits only when 1 is true and 2 is false The second hits when both are true. You have to use the negation for 2 In meta one or you would double dip whenever both are true. meta HILO_STOCKS_1 ( __HILO_STOCKS1 && !__HILO_STOCKS2 ) meta HILO_STOCKS_2 ( __HILO_STOCKS1 && __HILO_STOCKS2 ) describe HILO_STOCKS_1 Looks like stocks scam First Hit Only describe HILO_STOCKS_2 Looks like stocks scam Both Hit score HILO_STOCKS_1 0.5 score HILO_STOCKS_2 3.5 If you wanted to score the 0.5 whenever either 1 or 2 is true and the other is false meta HILO_STOCKS_1 ( (__HILO_STOCKS1 && !__HILO_STOCKS2) || (!__HILO_STOCKS1 && __HILO_STOCKS2) ) Rick -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Annoying stocks scams
[EMAIL PROTECTED] wrote: Hi List! I'm getting hit by a bunch of annoying stock scams which aren't found by any of my sare lists, they keep on scoring low. So I decided to write a custom rule, which seem to work pretty well for my case: body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ Price|Price)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|High|Sale|Price)/i body __HILO_STOCKS2 /(hotlist|r[e3]cord|publicity|n[e3]ws|invest|incr[e3]as[e3]|[e3]xplosion|pric[e3]|high|pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol)/i meta HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 ) describe HILO_STOCKS Looks like stocks scam score HILO_STOCKS 3.5 It's my first meta rule, which only gives a score if both conditions are true, and I was wondering if there's a possibility to make the score more "intelligent" : - if __HILO_STOCKS1 fires up, i would like to give the score maybe 0.5 - if __HILO_STOCKS2 matches as well together with __HILO_STOCKS2, make it 3.5 You could define: body HILO_STOCKS1 ... desc HILO_STOCKS1 ... score HILO_STOCKS1 ... body __HILO_STOCKS2 ... and create a meta meta HILO_STOCKS ( HILO_STOCKS1 && __HILO_STOCKS2 ) You could also rename __HILO_STOCKS2 to HILO_STOCKS2 to make it a stand-alone rule..
Annoying stocks scams
Hi List! I'm getting hit by a bunch of annoying stock scams which aren't found by any of my sare lists, they keep on scoring low. So I decided to write a custom rule, which seem to work pretty well for my case: body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ Price|Price)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|High|Sale|Price)/i body __HILO_STOCKS2 /(hotlist|r[e3]cord|publicity|n[e3]ws|invest|incr[e3]as[e3]|[e3]xplosion|pric[e3]|high|pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol)/i meta HILO_STOCKS ( __HILO_STOCKS1 && __HILO_STOCKS2 ) describe HILO_STOCKS Looks like stocks scam score HILO_STOCKS 3.5 It's my first meta rule, which only gives a score if both conditions are true, and I was wondering if there's a possibility to make the score more "intelligent" : - if __HILO_STOCKS1 fires up, i would like to give the score maybe 0.5 - if __HILO_STOCKS2 matches as well together with __HILO_STOCKS2, make it 3.5 Any other comments on this rule? Thanks!
