249 – proposing my "best of" new rules to add

Bug 249 - proposing my "best of" new rules to add

Summary: proposing my "best of" new rules to add

Status:	RESOLVED FIXED

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (show other bugs)
Version:	SVN Trunk (Latest Devel Version)
Hardware:	All other

Importance:	P2 enhancement
Target Milestone:	---
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2002-04-23 17:36 UTC by Gregor Lawatscheck
Modified:	2002-06-09 14:30 UTC (History)
CC List:	0 users

Attachment	Type	Modified	Status	Actions	Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gregor Lawatscheck 2002-04-23 17:36:11 UTC

Hi. I've been using Spamassassin at a ca. 250 mails/day site for a good three
week an actually bothered looking at all of the 1400 Spamassassin reports I got
in this time and any surplus stuff that got through to devise some new rules.

I thought I'd share them with the world to make spamassassin even better.
Some of this stuff is probably controversial and can be dropped if deemed to
harsh. Other stuff needs incorporating in exisiting rules and yet other stuff
can be optimized as a regex... I've taken my "best of" new rules - the ones that
hit more than 10 times in total - some few hit about that a day now...

Some of them are so good they can go straight in I think.
If you think it's all rubbish - throw it away - I tried anyway. These new rules
haven't caused a single false positive yet and I'm pretty glad with them!


Comment: Vitafactory owns ;) Their stuff is no opt-in and can't get out of the
list stuff. I get about three a day!

body VITAFACTORY_ETM                            /vitafactory.com/i
describe VITAFACTORY_ETM                        ETM Vitafactory shit
score VITAFACTORY_ETM                           5.00


Comment: somehow not in the current ask you to unsubscribe stuff

body TAKE_OFF_ETM                               /Take off list/i
describe TAKE_OFF_ETM                           ETM take off shit
score TAKE_OFF_ETM                              3.00

Comment: Pretty spammy with exclamation mark

body FREE_MEMBERSHIP_ETM                        /FREE Membership!/i
describe FREE_MEMBERSHIP_ETM                    ETM Free membershit
score FREE_MEMBERSHIP_ETM                       3.50

Comment: Equally...

body NO_RISK_ETM                                /No Risk!/i
describe NO_RISK_ETM                            ETM No Risk shit
score NO_RISK_ETM                               3.50

Comment: I see that quite often

body LIMITED_TIME_OFFER_ETM                     /Limited Time Offer/i
describe LIMITED_TIME_OFFER_ETM                 ETM Limited Time Shit
score LIMITED_TIME_OFFER_ETM                    3.50


Comment: somehow not triggered by the current click below rules... probably best
to integrate them there

body CLICK_BELOW_ETM                            /Click on the link below/i
describe CLICK_BELOW_ETM                        ETM click link below
score CLICK_BELOW_ETM                           2.00


Comment: Order now! with exclamation mark is a pretty positive sign for spam ;)

body ORDER_NOW_ETM                              /ORDER NOW!/i
describe ORDER_NOW_ETM                          ETM order now shit
score ORDER_NOW_ETM                             5.00

Comment: Absolute must in the last couple of weeks... find out anything about
anybody with Internet Desktop Bleh La Spy software - yea right - i bet it's some
dodgy trojan ;)

body INTERNET_SPY_ETM                           /Internet.* SPY/i
describe INTERNET_SPY_ETM                       ETM Internet Spy Shite
score INTERNET_SPY_ETM                          4.00


Comment: This one is a burner - hits about 10 times a day! ;)

body INCREASE_SALES_ETM                          /increase.*sales/i
describe INCREASE_SALES_ETM                      ETM increase sales shit
score INCREASE_SALES_ETM                         2.00


Comments: Hits quite often (at least twice a day here)

body EXT_LOW_RATES_ETM                          /extremely Low Rates/i
describe EXT_LOW_RATES_ETM                      ETM ext low rates shit
score EXT_LOW_RATES_ETM                         2.00

Comment: Might be a bit harsh, but one could give this a low score.  Porn in the
subject is a very good indicator. Hits often here

header FREEPORN_SUBJECT_ETM                     Subject =~ /Porn/i
describe FREEPORN_SUBJECT_ETM                   ETM pr0n in Subject
score FREEPORN_SUBJECT_ETM                      1.50

Comment: Casino in subject equally is a very good indicator for spam

header CASINO_SUBJECT_ETM                       Subject =~ /Casino/i
describe CASINO_SUBJECT_ETM                     ETM casino in Subject
score CASINO_SUBJECT_ETM                        1.50


Comment: Haven't seen Storm Post being used in legitimate newsletters yet!

header STORM_POST_ETM                           X-Mailer =~ /StormPost/i
describe STORM_POST_ETM                         ETM StormPost Spam Mailer
score STORM_POST_ETM                            5.00

Comment 1 Gregor Lawatscheck 2002-04-23 18:48:52 UTC

OK just updated to CVS and rechecked rules changes
sorry, one of the rules I submitted rules was redundant:

body NO_OBLIGATION_ETM                          /No Obligation/i

it's already in CVS/release...
---------

there's also a similar in CVS:

body INCREASE_SALES_ETM                          /increase.*sales/i
describe INCREASE_SALES_ETM                      ETM increase sales shit
score INCREASE_SALES_ETM                         2.00

BUT: this one will also catch increased sales as well as increase sale! and so
forth. So patching it to .* is probably a good idea!!

Comment 2 Craig Hughes 2002-04-23 20:36:47 UTC

Subject: Re:  proposing my "best of" new rules to add


> body INCREASE_SALES_ETM                          /increase.*sales/i
> describe INCREASE_SALES_ETM                      ETM increase sales shit
> score INCREASE_SALES_ETM                         2.00

This is probably even better as /increas.{,5}sales/ to catch ing as well as e,
es, ed and so on

C

Comment 3 Duncan Findlay 2002-06-09 21:29:11 UTC

What's the status on this bug? I'd like to cut down on open bugzilla bugs :-)

Comment 4 Craig Hughes 2002-06-09 22:30:42 UTC

Hmm, I guess we sort of forgot about this one.  I think many of the rules here can be made more 
generic - eg /no risk/i instead of /no risk!/\

One thing raised by the FREEPORN and CASINO subject word checks.  Might be worth thinking 
about some.

Meanwhile, I've merged in many of the concepts from these rules into the existing body rules.