644 – new anti-FP rules ANTIRATWARE

Bug 644 - new anti-FP rules ANTIRATWARE

Summary: new anti-FP rules ANTIRATWARE

Status:	RESOLVED FIXED

Alias:	None

Product:	Spamassassin
Classification:	Unclassified
Component:	Rules (show other bugs)
Version:	2.40CVS
Hardware:	Other other

Importance:	P2 normal
Target Milestone:	---
Assignee:	SpamAssassin Developer Mailing List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2002-08-02 18:43 UTC by Theo Van Dinter
Modified:	2002-08-05 22:59 UTC (History)
CC List:	0 users

Attachment	Type	Modified	Status	Actions	Submitter/CLA Status
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Theo Van Dinter 2002-08-02 18:43:59 UTC

# These are the mailers used for my non-spam
header ANTIRATWARE        User-Agent =~
/^(?:mutt|gnus|mozilla|Microsoft.Outlook.Express|Microsoft.Entourage|kmail|Internet
Messaging Program)\b/i
description ANTIRATWARE   User-Agent header indicates a non-spam MUA

header ANTIRATWARE2       Message-id =~ /^<Pine\./
description ANTIRATWARE2  Message-id indicates a non-spam MUA

OVERALL     SPAM  NONSPAM     S/O   SCORE  NAME
  12857     4276     8581    0.33    0.00  (all messages)
   1535        0     1535    0.00    1.00  ANTIRATWARE2
    623        0      623    0.00    1.00  ANTIRATWARE

Comment 1 Daniel Quinlan 2002-08-02 20:53:32 UTC

Why not have separate rules for all mailers?  That way, if one is exploited,
some may continue to work.

Also, it may make sense to use multiple rules like we do for mailing lists.
(Meaning, check multiple headers to make faking a mailer harder.  X-Mailer
is a good one to include.)

Comment 2 Theo Van Dinter 2002-08-02 22:23:24 UTC

Subject: Re:  new anti-FP rules ANTIRATWARE

On Fri, Aug 02, 2002 at 08:53:32PM -0700, bugzilla-daemon@hughes-family.org wrote:
> Why not have separate rules for all mailers?  That way, if one is exploited,
> some may continue to work.

To make it look like the RATWARE_* ones:

header ANTIRATWARE_01        Message-id =~ /^<Pine\./
description ANTIRATWARE_01   Message-id indicates a non-spam MUA
header ANTIRATWARE_02        User-Agent =~ /^mutt\b/i
description ANTIRATWARE_02   User-Agent header indicates a non-spam MUA
header ANTIRATWARE_03        User-Agent =~ /^gnus\b/i
description ANTIRATWARE_03   User-Agent header indicates a non-spam MUA
header ANTIRATWARE_04        User-Agent =~ /^mozilla\b/i
description ANTIRATWARE_04   User-Agent header indicates a non-spam MUA
header ANTIRATWARE_05        User-Agent =~ /^Microsoft.Outlook.Express\b/i
description ANTIRATWARE_05   User-Agent header indicates a non-spam MUA
header ANTIRATWARE_06        User-Agent =~ /^Microsoft.Entourage\b/i
description ANTIRATWARE_06   User-Agent header indicates a non-spam MUA
header ANTIRATWARE_07        User-Agent =~ /^kmail\b/i
description ANTIRATWARE_07   User-Agent header indicates a non-spam MUA
header ANTIRATWARE_08        User-Agent =~ /^Internet Messaging Program\b/i
description ANTIRATWARE_08   User-Agent header indicates a non-spam MUA

Pine is the odd one out here since it doesn't use a User-Agent, but it does
reliably include itself in the Message-Id.

Comment 3 Marc Perkel 2002-08-02 23:31:57 UTC

Subject: Re: [SAdev]  new anti-FP rules ANTIRATWARE

I think you should change the names of the rules.

USER_AGENT_MUTT
USER_AGENT_MOZILLA

Let's use good names.

BTW, lots of good new rules here. Glad to see others jumping in. I think that 
lots of targeted rules will reduce FP and catch more spam. It improves accuracy,

bugzilla-daemon@hughes-family.org wrote:
> http://www.hughes-family.org/bugzilla/show_bug.cgi?id=644
> 
> 
> 
> 
> 
> ------- Additional Comments From felicity@kluge.net  2002-08-02 22:23 -------
> Subject: Re:  new anti-FP rules ANTIRATWARE
> 
> On Fri, Aug 02, 2002 at 08:53:32PM -0700, bugzilla-daemon@hughes-family.org wrote:
> 
>>Why not have separate rules for all mailers?  That way, if one is exploited,
>>some may continue to work.
> 
> 
> To make it look like the RATWARE_* ones:
> 
> header ANTIRATWARE_01        Message-id =~ /^<Pine\./
> description ANTIRATWARE_01   Message-id indicates a non-spam MUA
> header ANTIRATWARE_02        User-Agent =~ /^mutt\b/i
> description ANTIRATWARE_02   User-Agent header indicates a non-spam MUA
> header ANTIRATWARE_03        User-Agent =~ /^gnus\b/i
> description ANTIRATWARE_03   User-Agent header indicates a non-spam MUA
> header ANTIRATWARE_04        User-Agent =~ /^mozilla\b/i
> description ANTIRATWARE_04   User-Agent header indicates a non-spam MUA
> header ANTIRATWARE_05        User-Agent =~ /^Microsoft.Outlook.Express\b/i
> description ANTIRATWARE_05   User-Agent header indicates a non-spam MUA
> header ANTIRATWARE_06        User-Agent =~ /^Microsoft.Entourage\b/i
> description ANTIRATWARE_06   User-Agent header indicates a non-spam MUA
> header ANTIRATWARE_07        User-Agent =~ /^kmail\b/i
> description ANTIRATWARE_07   User-Agent header indicates a non-spam MUA
> header ANTIRATWARE_08        User-Agent =~ /^Internet Messaging Program\b/i
> description ANTIRATWARE_08   User-Agent header indicates a non-spam MUA
> 
> Pine is the odd one out here since it doesn't use a User-Agent, but it does
> reliably include itself in the Message-Id.
> 
> 
> 
> 
> 
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Spamassassin-devel mailing list
> Spamassassin-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/spamassassin-devel
>

Comment 4 Justin Mason 2002-08-06 06:59:12 UTC

I like these; just checked them in, using Marc's naming convention.
(I don't like the RATWARE naming conv myself, but for that volume
of UAs it's necessary.)