On 01/14/2011 01:09 PM, Ned Slider wrote:
On 14/01/11 21:04, Warren Togami Jr. wrote:

Anyone else have effective local rules? Please let me know and I'll put
them into the nightly masscheck for testing.

Warren



header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User

Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER
rule:

header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User

The above are particularly effective (here) against 419 / bank phish
type emails sent from compromised webmail accounts. Hit rate is not
great, but the FP count is near zero.

Regards,

Ned

Thanks Ned,

Both of the above rules are already in trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf.

http://ruleqa.spamassassin.org/20110114-r1058896-n/NSL_RCVD_FROM_USER/detail
0.5% spam hit rate, and some ham hits; however, they are all in the ancient Enron corpus that we will soon be removing.

http://ruleqa.spamassassin.org/20110114-r1058896-n/T_NSL_RCVD_HELO_USER/detail
Very few spam hits, and a number of ham hits but all in DOS's corpus. Perhaps we should ask him if they really are ham?

Could you please describe how these rules work, and why the combination of them would be useful?

NSL_RCVD_FROM_USER already has a score.

It appears that the combination of the two rules will be zero masscheck FPs, but a maximum of 0.1% spam hits. I suppose this is worthwhile for a night of testing, but I suspect it will be too small?

Warren
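
Added example, not written by either poster or taken from the SpamAssassin rule tree: the two quoted patterns run over constructed Received headers, to show which header shapes each rule hits and how an AND or OR combination changes coverage. Assumptions: Python's re stands in for the Perl regex engine, each rule is tested against all of a message's Received headers joined together, and EX_BOTH / EX_EITHER are hypothetical meta names.

```python
import re
from email import message_from_string

# Patterns copied from the two rules quoted in the thread.
RULES = {
    "NSL_RCVD_HELO_USER": re.compile(r"helo[= ]user\)", re.I),
    "NSL_RCVD_FROM_USER": re.compile(r"from User [\[\(]"),
}

# Constructed header-only messages (documentation IPs, made-up hosts); not real mail.
SAMPLES = {
    "from_user": "Received: from User (unknown [192.0.2.10])\n"
                 "\tby mx.example.org (Postfix) with ESMTP id 4A1B2C3D\n",
    "helo_exim": "Received: from [192.0.2.20] (helo=User)\n"
                 "\tby mx.example.org with esmtp (Exim 4.69)\n",
    "helo_qmail": "Received: from unknown (HELO User) (192.0.2.30)\n"
                  "  by mx.example.org with SMTP\n",
    "two_hops": "Received: from User ([192.0.2.40])\n\tby relay.example.net with ESMTP\n"
                "Received: from [192.0.2.40] (helo=User)\n\tby web.example.net with esmtp\n",
    "near_miss": "Received: from userhost.example.com (helo=userhost.example.com)\n"
                 "\tby mx.example.org with esmtp\n",
}

def received_text(raw):
    """Unfold every Received header and join them, one header per line."""
    values = message_from_string(raw).get_all("Received", [])
    return "\n".join(re.sub(r"\r?\n[ \t]+", " ", v) for v in values)

def evaluate(raw):
    """Return per-rule hits plus two hypothetical meta combinations."""
    text = received_text(raw)
    hits = {name: bool(rx.search(text)) for name, rx in RULES.items()}
    hits["EX_BOTH"] = all(hits[n] for n in RULES)    # hypothetical meta: A && B
    hits["EX_EITHER"] = any(hits[n] for n in RULES)  # hypothetical meta: A || B
    return hits

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        fired = [k for k, v in evaluate(raw).items() if v]
        print(f"{label:11} {', '.join(fired) or '-'}")
```
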
