please feel free to pass on more FP samples for these rules -- so
far we clearly don't have enough, given those scores!

--j.

Rick Mallett writes:
> We run a centralized spam filtering facility using
> SpamAssassin and Mimedefang and we bounce (refuse receipt of) messages
> that score higher than 10 and we've been doing this for several years
> and never had any complaints of FP's from our users.
> 
> However, one of our users was having trouble receiving a newsletter
> from Zimbabwe and the mail logs showed that some of the messages were
> scoring a bit over 11 and being refused for that reason.
> 
> When I finally managed to get a copy of the newsletter and run it
> through SpamAssassin manually I was surprised to discover that the
> bulk of the points came from the checks in 20_advance_fee.cf which are
> attempting to identify Nigerian 419 scams and which appear to be far
> too aggressive IMO and likely to result in lots of FPs for certain
> types of message.
> 
> It also picked up a few points from 99_sare_fraud_post25x.cf and I'm
> also wondering if maybe those rules are inappropriate with SA 3.1.7
> which is what I'm running.
> 
> For example, the newsletter, which consisted of several articles
> dealing with corruption in Zimbabwe and information about banking
> rules and regulations received just under 8.5 points because it had
> the words "remit", "business partner", "dollar", "in your country" and
> "US$3 million".
> 
> Here are the relevant lines from the debug run
> 
> dbg: rules: ran body rule __FRAUD_WNY ======> got hit: "remit"
> dbg: rules: ran body rule __FRAUD_TDP ======> got hit: "business partner"
> dbg: rules: ran body rule __FRAUD_DBI ======> got hit: "dollar"
> dbg: rules: ran body rule __FRAUD_IPK ======> got hit: "in your country"
> dbg: rules: ran body rule __FRAUD_KDT ======> got hit: "US$3 million"
> 
> and here are the scores for having more than 2, 3, 4, and 5 hits on the
> various __FRAUD__xxx META rules such as those shown above.
> 
> score ADVANCE_FEE_1 0 0 0.114 0
> score ADVANCE_FEE_2 1.607 0.647 1.189 1.392
> score ADVANCE_FEE_3 2.872 1.760 3.330 3.336
> score ADVANCE_FEE_4 3.024 3.040 3.515 3.727
> 
> As you can see having those 5 words and/or phrases results in 8.455
> points because all 4 rules succeed and contribute points to the spam
> score, whereas it would seem logical that only the one rule with the
> highest points should apply, or the points should be a bit lower
> to reduce the cumulative effect of hits on all of the rules.
> 
> The newsletter also picked up an additional 1.67 points because
> of hits on the following META rules in 99_sare_fraud_post25x.cf which
> triggered SARE_FRAUD_X3
> 
> dbg: rules: ran body rule __SARE_FRAUD_MONEY ======> got hit: "money transfer"
> dbg: rules: ran body rule __SARE_FRAUD_LOC ======> got hit: " Zimbabwe "
> dbg: rules: ran body rule __SARE_FRAUD_TINHORN ======> got hit: " Mugabe "
> dbg: rules: ran body rule __SARE_FRAUD_MISC ======> got hit: "your country"
> 
> which in one case "your country" is a META rule that also ended up
> contributing points via 20_advance_fee.cf so I'm now thinking I 
> should stop using 99_sare_fraud_post25x.cf.
> 
> BTW, I've included some of the sentences from the newsletter that
> triggered hits on the various META rules in 20_advance_fee.cf so that
> you can see that they are all rather benign.
> 
> MTAs mushroomed in Zimbabwe since 2004 and have primarily served as a
> channel for the more than three million Zimbabweans, or more than a
> quarter of the country's population, living and working abroad to
> remit cash back home through official banking system.
> 
> Former MP and businessman Tirivanhu Mudariki, who together with senior
> government officials including Vice-President Joice Mujuru, have been linked
> to the Ziscosteel looting saga, is a key business partner of the Mujuru
> family.
> 
> However closure of MTAs appeared to have had little impact on the
> black market which has continued to flourish with the American dollar
> now fetching anything above Z$2 000 compared to the official market
> rate of one greenback to Z$250.
> 
> Tekere said wistfully that people in your country have more money than
> we have.
> 
> NECI investigators who went to Botswana to probe the Zisco graft
> discovered plans were already under way to sell the two subsidiaries
> for US$3 million to undisclosed buyers by repaying their parent firm
> funds that were used to controversially purchase them in 2001.
> 
> - rick
