The software used to generate the sought rules, or perhaps an old version of it, is in the spamassassin source tree. You can feed it a folder of known non-spams, and a folder of known spams, and it'll auto-generate rules that hit the spams but not the non-spams.
Ah, I documented it some here: https://wiki.apache.org/spamassassin/WritingRules svn checkout http://svn.apache.org/repos/asf/spamassassin/trunk cd trunk/masses/rule-dev ./seek-phrases-in-corpus ham:dir:~/Maildir/ spam:dir:~/Maildir/.bad.spam-missed/ On 03/10, sporkman wrote: > > Hello, > > We are getting a fair amount of very targetted phish attempts to our > userbase. Since we are relatively small, I don't think any of the URIBLs > really help (or phishtank or other lists) since we're not a large bank or > paypal or anything like that. > > I did see some gentleman make a rather valiant attempt at listing all the > common phrases here: > > http://old.nabble.com/introducing-body-J_MAILBOX_FULL-tc33207944.html#a33213220 > > It has a number of errors, and obviously that's not very efficient (I suck > at regexs, but I know enough to know that list can be collapsed). > > Any pointers to a good starting point to take a list like that and make it > usable? The phrasing on these is always very similar - stuff about > upgrading your webmail account, etc. > > We're running qmail/vpopmail, and our upgrade to postfix to at least > front-end qmail is still a ways off. I think with postfix we could probably > catch a bunch of this garbage at the front door. So for now, our only real > tool to fight this is SA. > > I assume we're not the only ones seeing this mess, what are others doing to > counteract this? > > Thanks, > > Charles > -- > View this message in context: > http://old.nabble.com/Better-phish-detection-tp33478328p33478328.html > Sent from the SpamAssassin - Users mailing list archive at Nabble.com. > -- "If you are not paranoid... you may not be paying attention." - j...@creative-net.net, on an IDPA mailing list http://www.ChaosReigns.com