RE: score's and custom rules

2006-07-17 Thread Coffey, Neal
 
Jimmy Stewpot wrote:
> Hello,
> 
> I am currently trying to configure spam assassin with some custom rules
> to block certain words which are being used in a large amount of spam
> that the email servers receive. When I put the following rules into the
> local.cf file
> 
> body VIjAGRA /\bVIjAGRA\b/i
> score VIjAGRA 3.0
> describe VIjAGRA VIAGRA_SPAM

I've been getting the same junk mails you are, but I've also been
getting it as:
-VIAGvRA
-VIAGeRA
-VIeAGRA

Hence, I think this might be a better rule:
body     LOC_OBFU_VIAGRA /\bV[a-z]?I[a-z]?A[a-z]?G[a-z]?R[a-z]?A\b/
score    LOC_OBFU_VIAGRA 3.0
describe LOC_OBFU_VIAGRA A lame attempt to obfuscate "viagra"

Rinse and repeat for CIALvIS, AMBIvEN, VALIvUM...or a rule that'll catch
them all in one:

body     LOC_OBFU_DRUGS /\b[VCA][a-z]?[IMA][a-z]?[ABL][a-z]?[GLI][a-z]?[RIEU][a-z]?[ASNM]\b/
score    LOC_OBFU_DRUGS 3.0
describe LOC_OBFU_DRUGS Attempting to hide one of the 5-letter drugs

I removed the "/i" option because they're showing up only with all caps
drugs and lowercase "insertions" for me, and without them, the rules
will match "viagra" just as much as "VIAGjRA".  Unless you're sure you
won't get any legitimate mail with any of these drug names in it, I'd
also change this to a subject header rule instead of a body rule.
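
Added example (not part of the original thread): a Python harness that runs the rules posted above against constructed sample lines, showing that the case-sensitive rules also fire on the clean all-caps spelling and that the combined character-class rule fires on unrelated words such as "CABLES". `LOC_OBFU_STRICT` and `strict_rule` are hypothetical names for an assumed tighter variant that does not appear in the thread.

```python
import re

# Rules from the thread as (pattern, case_insensitive). For these constructs
# (\b, character classes, ?) Python's re matches ASCII text the way Perl does.
RULES = {
    "VIjAGRA": (r"\bVIjAGRA\b", True),
    "LOC_OBFU_VIAGRA": (r"\bV[a-z]?I[a-z]?A[a-z]?G[a-z]?R[a-z]?A\b", False),
    "LOC_OBFU_DRUGS": (
        r"\b[VCA][a-z]?[IMA][a-z]?[ABL][a-z]?[GLI][a-z]?[RIEU][a-z]?[ASNM]\b",
        False),
}

def strict_rule(words):
    """Assumed variant, not from the thread: one branch per word, plus a
    lookahead that rejects the clean spelling so an insertion is required."""
    clean = "|".join(words)
    branches = "|".join("[a-z]?".join(w) for w in words)
    return rf"\b(?!(?:{clean})\b)(?:{branches})\b"

RULES["LOC_OBFU_STRICT"] = (
    strict_rule(["VIAGRA", "CIALIS", "AMBIEN", "VALIUM"]), False)

# Constructed sample body lines (not taken from real mail).
SAMPLES = [
    "Buy VIjAGRA here",
    "Buy VIAGvRA here",
    "Order CIALvIS now",
    "Patient was prescribed VIAGRA",
    "viagra",
    "REPLACE THE CABLES TODAY",
]

def hits(text, ignore_case=False):
    """Names of the rules that fire on text; ignore_case forces /i on all."""
    fired = []
    for name, (pattern, rule_i) in RULES.items():
        flags = re.I if (rule_i or ignore_case) else 0
        if re.search(pattern, text, flags):
            fired.append(name)
    return sorted(fired)

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:35} {hits(line)}")
```

The same sample lines can be saved as a test message and run through `spamassassin --lint` and `spamassassin -t` to confirm the behaviour under the real rule engine.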


Re: score's and custom rules

2006-07-17 Thread Magnus Holmgren
On Monday 17 July 2006 15:25, Jimmy Stewpot took the opportunity to write:
> JamesDR wrote:
> > I'm willing to bet that these two:
> > AWL,BAYES_00
> > Are killing your score.
> > Check why bayes thinks this is ham, I notice that it did not autolearn
> > (autolearn=no), I'm also willing to bet that your bayes DB is pretty
> > much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
> > Clear AWL, Clear and start from scratch on Bayes also (my recommendation
> > would be to turn off autolearn.)

It needn't be "hosed" if you sent a test message from yourself with 
just "VIjAGRA" in it.

> How do you clear the AWL and Bayes Lists is that just a case of deleting
> the files or is there some special command to do that ?

*If* it's so screwed up that you have to start over completely, that's the 
easiest way to do it.

-- 
Magnus Holmgren [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




Re: score's and custom rules

2006-07-17 Thread JamesDR

Jimmy Stewpot wrote:
> Hello,
>
> How do you clear the AWL and Bayes Lists is that just a case of deleting
> the files or is there some special command to do that ?
>
> Regards,
>
> Jimmy
>
> JamesDR wrote:
> > Jimmy Stewpot wrote:
> > > Hello,
> > >
> > > I am currently trying to configure spam assassin with some custom
> > > rules to block certain words which are being used in a large amount
> > > of spam that the email servers receive. When I put the following
> > > rules into the local.cf file
> > >
> > > body VIjAGRA /\bVIjAGRA\b/i
> > > score VIjAGRA 3.0
> > > describe VIjAGRA VIAGRA_SPAM
> > >
> > > I can see from the mail logs that the email is now seeing that the
> > > term is used in the email but the score is not being increased as the
> > > email passes through the spamassassin process. Here is the log file
> > >
> > > Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message
> > > <[EMAIL PROTECTED]> for clamav:89
> > > Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0)
> > > for clamav:89 in 1.3 seconds, 1293 bytes.
> > > Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 -
> > > AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA
> > > scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no
> > >
> > > I am a little confused as to what is actually wrong with the rules to
> > > make it so that the score is not being incremented as the spam is
> > > being parsed by SA. Any advice would be greatly appreciated.
> > >
> > > Regards,
> > >
> > > Jimmy
> >
> > I'm willing to bet that these two:
> > AWL,BAYES_00
> > Are killing your score.
> > Check why bayes thinks this is ham, I notice that it did not autolearn
> > (autolearn=no), I'm also willing to bet that your bayes DB is pretty
> > much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
> > Clear AWL, Clear and start from scratch on Bayes also (my
> > recommendation would be to turn off autolearn.)



That all depends on how they are stored.. Are you using SQL? then a 
simple DELETE FROM...should work.

Please post some info about how your bayes/awl db's are stored.

--
Thanks,
James


Re: score's and custom rules

2006-07-17 Thread Jimmy Stewpot

Hello,

How do you clear the AWL and Bayes Lists is that just a case of deleting 
the files or is there some special command to do that ?


Regards,

Jimmy

JamesDR wrote:
> Jimmy Stewpot wrote:
> > Hello,
> >
> > I am currently trying to configure spam assassin with some custom
> > rules to block certain words which are being used in a large amount of
> > spam that the email servers receive. When I put the following rules
> > into the local.cf file
> >
> > body VIjAGRA /\bVIjAGRA\b/i
> > score VIjAGRA 3.0
> > describe VIjAGRA VIAGRA_SPAM
> >
> > I can see from the mail logs that the email is now seeing that the
> > term is used in the email but the score is not being increased as the
> > email passes through the spamassassin process. Here is the log file
> >
> > Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message
> > <[EMAIL PROTECTED]> for clamav:89
> > Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0)
> > for clamav:89 in 1.3 seconds, 1293 bytes.
> > Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 -
> > AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA
> > scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no
> >
> > I am a little confused as to what is actually wrong with the rules to
> > make it so that the score is not being incremented as the spam is
> > being parsed by SA. Any advice would be greatly appreciated.
> >
> > Regards,
> >
> > Jimmy
>
> I'm willing to bet that these two:
> AWL,BAYES_00
> Are killing your score.
> Check why bayes thinks this is ham, I notice that it did not autolearn
> (autolearn=no), I'm also willing to bet that your bayes DB is pretty
> much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
> Clear AWL, Clear and start from scratch on Bayes also (my recommendation
> would be to turn off autolearn.)


Re: score's and custom rules

2006-07-17 Thread JamesDR

Jimmy Stewpot wrote:
> Hello,
>
> I am currently trying to configure spam assassin with some custom rules
> to block certain words which are being used in a large amount of spam
> that the email servers receive. When I put the following rules into the
> local.cf file
>
> body VIjAGRA /\bVIjAGRA\b/i
> score VIjAGRA 3.0
> describe VIjAGRA VIAGRA_SPAM
>
> I can see from the mail logs that the email is now seeing that the term
> is used in the email but the score is not being increased as the email
> passes through the spamassassin process. Here is the log file
>
> Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message
> <[EMAIL PROTECTED]> for clamav:89
> Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for
> clamav:89 in 1.3 seconds, 1293 bytes.
> Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 -
> AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA
> scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no
>
> I am a little confused as to what is actually wrong with the rules to
> make it so that the score is not being incremented as the spam is being
> parsed by SA. Any advice would be greatly appreciated.
>
> Regards,
>
> Jimmy



I'm willing to bet that these two:
AWL,BAYES_00
Are killing your score.
Check why bayes thinks this is ham, I notice that it did not autolearn 
(autolearn=no), I'm also willing to bet that your bayes DB is pretty 
much hosed (it thinks this mail is def. ham -- the BAYES_00 hit)
Clear AWL, Clear and start from scratch on Bayes also (my recommendation 
would be to turn off autolearn.)

--
Thanks,
James


Re: score's and custom rules

2006-07-17 Thread Magnus Holmgren
On Monday 17 July 2006 15:11, Jimmy Stewpot took the opportunity to write:
> Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message
> <[EMAIL PROTECTED]> for clamav:89
> Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for
> clamav:89 in 1.3 seconds, 1293 bytes.
> Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 -
> AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA
> scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhos
>t.localdomain,raddr=127.0.0.1,rport=51601,mid=[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no
>
> I am a little confused as to what is actually wrong with the rules to
> make it so that the score is not being incremented as the spam is being
> parsed by SA. Any advice would be greatly appreciated.

There is nothing wrong. AWL and BAYES_00 pull the score back down to 0.5.

-- 
Magnus Holmgren [EMAIL PROTECTED]
   (No Cc of list mail needed, thanks)




score's and custom rules

2006-07-17 Thread Jimmy Stewpot

Hello,

I am currently trying to configure spam assassin with some custom rules 
to block certain words which are being used in a large amount of spam 
that the email servers receive. When I put the following rules into the 
local.cf file


body VIjAGRA /\bVIjAGRA\b/i
score VIjAGRA 3.0
describe VIjAGRA VIAGRA_SPAM


I can see from the mail logs that the email is now seeing that the term 
is used in the email but the score is not being increased as the email 
passes through the spamassassin process. Here is the log file




Jul 17 14:06:25 poopey spamd[19323]: spamd: processing message 
<[EMAIL PROTECTED]> for clamav:89
Jul 17 14:06:27 poopey spamd[19323]: spamd: clean message (0.5/5.0) for 
clamav:89 in 1.3 seconds, 1293 bytes.
Jul 17 14:06:27 poopey spamd[19323]: spamd: result: . 0 - 
AWL,BAYES_00,MSGID_FROM_MTA_HEADER,VIjAGRA 
scantime=1.3,size=1293,user=clamav,uid=89,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=51601,mid=<[EMAIL PROTECTED]>,bayes=1.66533453693773e-16,autolearn=no


I am a little confused as to what is actually wrong with the rules to 
make it so that the score is not being incremented as the spam is being
parsed by SA. Any advice would be greatly appreciated.


Regards,

Jimmy