spamassassin-users January 2011 archive
spamassassin-users: Re: SARE and RulesDuJour still relevant

From: Warren Togami Jr. <wtogami_at_nospam>
Date: Sat Jan 15 2011 - 00:19:42 GMT
To: Ned Slider <ned@unixmail.co.uk>

On 01/14/2011 01:09 PM, Ned Slider wrote:
> On 14/01/11 21:04, Warren Togami Jr. wrote:
>>
>> Anyone else have effective local rules? Please let me know and I'll put
>> them into the nightly masscheck for testing.
>>
>> Warren
>>
>
>
> header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
> describe NSL_RCVD_HELO_USER Received from HELO User
>
> Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER
> rule:
>
> header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
> describe NSL_RCVD_FROM_USER Received from User
>
> The above are particularly effective (here) against 419 / bank phish
> type emails sent from compromised webmail accounts. Hit rate is not
> great, but the FP count is near zero.
>
> Regards,
>
> Ned

Thanks Ned,

Both of the above rules are already in
trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf.

http://ruleqa.spamassassin.org/20110114-r1058896-n/NSL_RCVD_FROM_USER/detail
0.5% spam hit rate, and some ham hits, however they are all in the
ancient Enron corpus that we will soon be removing.

http://ruleqa.spamassassin.org/20110114-r1058896-n/T_NSL_RCVD_HELO_USER/detail
Very few spam hits, and a number of ham hits but all in DOS's corpus.
Perhaps we should ask him if they really are ham?

Could you please describe how these rules work, and why the combination
of them would be useful?

NSL_RCVD_FROM_USER already has a score.

It appears that the combination of the two rules will be zero masscheck
FPs, but a maximum of 0.1% spam hits. I suppose this is worthwhile for
a night of testing, but I suspect it will be too small?

Warren
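
The two patterns quoted in this thread, run over constructed Received headers to show what each one keys on and when a combined rule would fire. This is an added example, not part of either message and not SpamAssassin code; the sample headers, the meta name EXAMPLE_RCVD_USER_BOTH, the AND combination, and the way Received lines are joined before matching are assumptions.

```python
import re

# Patterns exactly as posted in the thread (Perl /i maps to re.IGNORECASE).
RULES = {
    "NSL_RCVD_HELO_USER": re.compile(r"helo[= ]user\)", re.IGNORECASE),
    "NSL_RCVD_FROM_USER": re.compile(r"from User [\[\(]"),  # case-sensitive
}

def received_text(raw_headers):
    """Unfold continuation lines and join every Received value with newlines.
    Assumption: this approximates the text a `header X Received =~` rule sees."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    values = [line.split(":", 1)[1].strip()
              for line in unfolded.splitlines()
              if line.lower().startswith("received:")]
    return "\n".join(values)

def evaluate(raw_headers):
    """Return hit/miss per rule plus a hypothetical AND meta of the two."""
    text = received_text(raw_headers)
    hits = {name: bool(rx.search(text)) for name, rx in RULES.items()}
    hits["EXAMPLE_RCVD_USER_BOTH"] = all(hits[name] for name in RULES)
    return hits

# Constructed headers (documentation addresses, example.org hosts).
SAMPLES = {
    # HELO name "User" recorded right after "from"
    "from_user": "Received: from User (unknown [192.0.2.10])\n"
                 "\tby mx.example.org with ESMTP id 0000000000\n",
    # HELO name recorded in a "(helo=...)" comment
    "helo_eq": "Received: from [192.0.2.11] (helo=User)\n"
               "\tby mx.example.org with esmtpa\n",
    # Two hops that record the same HELO in different styles
    "two_hops": "Received: from User (unknown [192.0.2.10])\n"
                "\tby relay.example.org with ESMTP\n"
                "Received: from unknown (HELO User) (192.0.2.10)\n"
                "\tby mx.example.org with SMTP\n",
    # Lower-case "user": the case-sensitive rule does not match
    "lowercase": "Received: from user (unknown [192.0.2.12])\n"
                 "\tby mx.example.org with ESMTP\n",
    # Ordinary relay with a real hostname
    "normal": "Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
              "\tby mx.example.org with ESMTPS\n",
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, evaluate(headers))
```
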