Re: Rules based on number of lines?

[Christoph (Stucki) von Stuckrad]

On Thu, 07 Feb 2013, Marc Perkel wrote:

> How would you write a rule to detect a message with less than 5
> lines and has a link in it?

I think, I did that a few years ago with the help of the attached
plugin and based on that, one rule for the lines, another stock rule
for the url, and a specific meta-rule to kill the spam.

To use it, you'll need to adapt the line loading the module, to the
place where you put the file (I have put it simply into spamassassin's
setup beside the config file).

It MIGHT BE DANGEROUS to use it! I have no Idea how much it will
slow down the check of mails, because it 'gets the body' and
either simply counts lines or even worse checks/counts only nonempty
lines. The spams I killed with it were sent with random numbers of
empty lines before and after the url!  On our little department
server with a few k mails per day it is no problem, but on a big
mailhub every millisecond might count.

As you see in the attached *.cf you get a hit for either exactly
N lines (checking 'n') or 'less than N' (checking '-n').

Stucki

-- 
Christoph von Stuckrad      * * |nickname |Mail <stu...@mi.fu-berlin.de> \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online|  (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(home):   +49 30 77 39 6601/

NrOfLines.pm
Description: Perl program

#
# Versuch ein Number-of-lines more/less than - Plugin zu schreiben
#
loadplugin Mail::SpamAssassin::Plugin::NrOfLines 
/export/local-1/filter/etc/mail/spamassassin/NrOfLines.pm
#
# absolute count
#
# so far only info rule (to be combined later)
# NO line at all?
body            L_NO_BODY               eval:body_lines('0')
describe        L_NO_BODY               has NO body line
score           L_NO_BODY               0.001
# less than 6 (just being curious)
body            L_LT6_LINE              eval:body_lines('-6')
describe        L_LT6_LINE              has less than six body lines
score           L_LT6_LINE              0.001
# exactly one line
body            L_ONE_LINE              eval:body_lines(1)
describe        L_ONE_LINE              has exactly one line
score           L_ONE_LINE              0.001
# exactly two
body            L_TWO_LINES             eval:body_lines(2)
describe        L_TWO_LINES             has exactly two lines
score           L_TWO_LINES             0.001
# exactly three
body            L_THREE_LINES           eval:body_lines(3)
describe        L_THREE_LINES           has exactly three lines
score           L_THREE_LINES           0.001
#
#    nonempty count
#
# so far only info rule (to be combined later)
# NO nonempty line
body            L_EMPTY_BODY            eval:nonempty_lines('0')
describe        L_EMPTY_BODY            has no NON EMPTY body line
score           L_EMPTY_BODY            0.001
# less than 6
body            L_LT6_NE_LINE           eval:nonempty_lines('-6')
describe        L_LT6_NE_LINE           has less than six NON EMPTY body lines
score           L_LT6_NE_LINE           0.001
# exactly one line
body            L_ONE_NE_LINE           eval:nonempty_lines(1)
describe        L_ONE_NE_LINE           has exactly one NON EMPTY line
score           L_ONE_NE_LINE           0.001
# exactly two
body            L_TWO_NE_LINES          eval:nonempty_lines(2)
describe        L_TWO_NE_LINES          has exactly two NON EMPTY lines
score           L_TWO_NE_LINES          0.001
# exactly three
body            L_THREE_NE_LINES                eval:nonempty_lines(3)
describe        L_THREE_NE_LINES                has exactly three NON EMPTY 
lines
score           L_THREE_NE_LINES                0.001