Summary for the impatient: Do not write rules like this. Instead, train Bayes and make sure you're using DNSBLs.

On 11/25/2011 09:49 AM, Sergio wrote:
> I wrote all the HELO spammers that SA didn't catch ...
> header CHARLY_RULE1 ALL =~ /(...)/i
> describe CHARLY_RULE1 Charly Spammers
> score CHARLY_RULE1 11

Given the description in your email, that should probably be:

  header CHARLY_RULE1 X-Spam-Relays-Untrusted =~ / helo=(?:...) /i
  describe CHARLY_RULE1 A custom list of uncaught relay HELOs
  score CHARLY_RULE1 4

You should be *very* careful about scoring any individual rule at or above the spam flagging threshold (default is 5, do not lower). There is almost always a better (and safer!) solution.

> My concern is, is too much for just one rule or the rule can grow
> without limit?

Let's just say you don't need to worry about that. We have several 150+ character rules on SA's trunk and I've seen rules with regexp lengths in the thousands (not that that's necessarily a good thing, but it does work, albeit slowly).

Still, this seems like a really bad idea; one hammy HELO in there and the whole thing starts hurting.

I think you'll be *far* better served by training Bayes. You should also double check to ensure your DNS lookups are properly configured and plugins like Razor are turned on. We don't have the best of resources to walk you through this, but you can start with http://wiki.apache.org/spamassassin/DnsBlocklists#Questions_And_Answers
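The difference between the two rule forms discussed in the message above, as an added Python simulation that is not part of the original post and is not SpamAssassin code. The HELO names, sample messages and "other" scores are constructed, and the relay line only imitates the layout of the X-Spam-Relays-Untrusted pseudo-header.

```python
import re

# Constructed stand-ins for the HELO list elided as "(...)" in the thread.
BAD_HELOS = ["mail.bulk-sender.example", "smtp.promo-blast.example"]
ALT = "|".join(re.escape(h) for h in BAD_HELOS)
THRESHOLD = 5.0  # default spam flagging threshold mentioned in the reply

# (regex, text it is matched against, score) for each rule variant.
RULE_ALL = (re.compile(f"({ALT})", re.I), "headers", 11.0)          # original
RULE_HELO = (re.compile(f" helo=(?:{ALT}) ", re.I), "relays", 4.0)  # suggested

def relay_line(ip, rdns, helo):
    # Constructed line in the layout of the X-Spam-Relays-Untrusted pseudo-header.
    return (f"[ ip={ip} rdns={rdns} helo={helo} by=mx.example.org "
            "ident= envfrom= intl=0 id=ABC123 auth= msa=0 ]")

def make_msg(ip, rdns, helo, subject, other_score):
    headers = (f"Received: from {helo} ({rdns} [{ip}]) by mx.example.org\n"
               f"Subject: {subject}\n")
    return {"headers": headers, "relays": relay_line(ip, rdns, helo),
            "other": other_score}

def evaluate(msg, rule):
    """Return (rule_hit, total_score, flagged_as_spam) for one message."""
    regex, target, score = rule
    hit = regex.search(msg[target]) is not None
    total = msg["other"] + (score if hit else 0.0)
    return hit, total, total >= THRESHOLD

# Constructed sample messages; "other" is the score from all other rules.
SPAM = make_msg("203.0.113.7", "dsl-7.isp.example", "mail.bulk-sender.example",
                "Cheap pills", 2.5)
# Legitimate mail that only mentions a listed name in its Subject.
HAM_MENTION = make_msg("198.51.100.9", "mx.partner.example", "mx.partner.example",
                       "Fwd: junk from mail.bulk-sender.example", 0.3)
# Legitimate mail from a host that happens to use a listed HELO ("hammy HELO").
HAM_SHARED_HELO = make_msg("192.0.2.44", "out.host.example",
                           "smtp.promo-blast.example", "Your invoice", 0.5)

if __name__ == "__main__":
    for name, msg in [("spam", SPAM), ("ham, name in Subject", HAM_MENTION),
                      ("ham, listed HELO", HAM_SHARED_HELO)]:
        print(name, "| ALL:", evaluate(msg, RULE_ALL),
              "| helo=:", evaluate(msg, RULE_HELO))
```

The ALL form flags both legitimate messages on its own, while the helo= form at score 4 ignores the Subject mention and leaves the shared-HELO message below the threshold unless other rules agree.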