Re: Lots of money, score of 0??
On Thu, 29 Mar 2018 08:50:48 -0700 (PDT) John Hardin wrote: > On Thu, 29 Mar 2018, RW wrote: > > > The rule is matching on "$10.99 o" and "£1.70 2 6" respectively. > > Sadly that's kind of unavoidable given spammer obfuscation and the > fact that cultures differ on what character to use for the decimal > point and thousands separator. > > > I've seen other types too, e.g. > > > > https://example.com/?f=a37688909bc4f6 > > > > £20 M voucher > > *that* is a bit unexpected... It's understandable though because it's "£20 M" followed by a word boundary. The other one could be seen as a bug, __LOTSA_MONEY_01 is an ordinary body rule, so a "=a3" that represent a "£" should have already been decoded.
Re: Lots of money, score of 0??
On Thu, 29 Mar 2018, RW wrote: The rule is matching on "$10.99 o" and "£1.70 2 6" respectively. Sadly that's kind of unavoidable given spammer obfuscation and the fact that cultures differ on what character to use for the decimal point and thousands separator. I've seen other types too, e.g. https://example.com/?f=a37688909bc4f6 £20 M voucher *that* is a bit unexpected... -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Politicians never accuse you of "greed" for wanting other people's money, only for wanting to keep your own money.-- Joseph Sobran --- 3 days until April Fools' day
Re: Lots of money, score of 0??
On Tue, 27 Mar 2018 12:12:50 -0400 Bill Cole wrote: > On 27 Mar 2018, at 10:24, Robert Boyl wrote: > > > Guys, > > > > Do you usually tune up Lots of money rule? Strange, our > > spamassassin/EFA > > scores 0 and false negative. Imho it should score at least > > something, few > > people would write Million dollars in an email, why not add up > > score? > > > > LOTS_OF_MONEY 0.00 > > > > See https://pastebin.com/dY6iFeYL > > I see a very large number of legitimate and definitely wanted > messages hitting the LOTS_OF_MONEY rule. I had a look at a few of mine and most of them don't actually involve huge sums of money, it's a very aggressive rule. In a straightforward amount "LOTS" starts at $1000.01, but with other digits or letter Os after it can be pushed down to $1.00. e.g. $10.99 on top of ... 1 Maris Piper Potatoes £1.70 2 6 Pork Sausages £4.50 The rule is matching on "$10.99 o" and "£1.70 2 6" respectively. I've seen other types too, e.g. https://example.com/?f=a37688909bc4f6 £20 M voucher
Re: Lots of money, score of 0??
On 27 Mar 2018, at 10:24, Robert Boyl wrote: Guys, Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00 See https://pastebin.com/dY6iFeYL I see a very large number of legitimate and definitely wanted messages hitting the LOTS_OF_MONEY rule. 849 in my own mail in the past year, excluding mail with quoted spam. This includes YOUR message asking about it.
Re: Lots of money, score of 0??
On Tue, 27 Mar 2018, Robert Boyl wrote: Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00 It's not *intended* to score by itself, it's intended to be used in metas with other suspicious indicators. It's scored informative by itself just to give an indicator in the rule hits list that a mention of large sums of mney was present. You are welcome to assign a score locally if you feel that way. I don't think it's justified in the default rules. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Win95: Where do you want to go today? Vista: Where will Microsoft allow you to go today? --- 5 days until April Fools' day
Re: Lots of money, score of 0??
On 03/27/2018 09:24 AM, Robert Boyl wrote: Guys, Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00 See https://pastebin.com/dY6iFeYL Thanks! Rob I score it about 2 points in my MailScanner instances with a block threshold of 6.0. My local rules have a huge list of whitelist_auth entries to cover the trustworthy senders that might hit this and other "spammy" rules that aren't definite spam/poison pills. -- David Jones
Lots of money, score of 0??
Guys, Do you usually tune up Lots of money rule? Strange, our spamassassin/EFA scores 0 and false negative. Imho it should score at least something, few people would write Million dollars in an email, why not add up score? LOTS_OF_MONEY 0.00 See https://pastebin.com/dY6iFeYL Thanks! Rob