On 2021-06-04 at 10:35:26 UTC-0400 (Fri, 4 Jun 2021 16:35:26 +0200)
Martin Flygenring via mailop <[email protected]>
is rumored to have said:

> Has anyone found a good way to block these using SpamAssassin? We
> tried to make some rules, but it's hard to make any with that
> gibberish and short subject and body.

SA has built-in non-scoring rules for short HTML bodies but for some
reason not short plaintext. That should be fixable...

> The rule we made initially looked at the length of the body. It was
> good at catching these, but unfortunately it also got some false
> positives due to how SpamAssassin splits longer mails into smaller
> segments:
>
>     All body paragraphs (double-newline-separated blocks text) are
>     turned into a line breaks removed, whitespace normalized single line.
>     Any lines longer than 2kB are split into shorter separate lines
>     (from a boundary when possible), this may unexpectedly prevent
>     pattern from matching. Patterns are matched independently against each
>     of these lines.

This is almost certainly due to not using "rawbody" or "full" rules
instead of "body" rules which cook the body as you describe. It is also
important to use the '/m' regex modifier to match anything more than a
single line.

> That causes some long mails to get tagged as short mails with less
> than 20 characters, due to one of the lines in the long email having
> less than 20 characters.

I'd have to see the specifics of the case to be sure, but I expect that
is a consequence of using a 'body' rule without the multiline modifier.

> Additionally some subjects deviate from the "3 2 1 5"-character
> pattern, like "Habvd l qh"

Trying to abstract the Subject word-length pattern is hopeless.

I have not seen this particular pattern in spam but if you are
interested in getting SA help from a broader audience that may include
people who have found solutions, the SpamAssassin Users list is at
[email protected]

--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
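
Added example (not part of the original message and not SpamAssassin's own code): a simplified Python model of the body rendering described in the documentation excerpt quoted above, showing why a per-line "shorter than 20 characters" pattern fires on a long mail that merely contains one short paragraph. The function names, the pattern and the sample messages are constructed for illustration.

```python
import re

MAX_LINE = 2048  # "Any lines longer than 2kB are split", per the quoted documentation


def cooked_body_lines(text):
    """Simplified model of the quoted 'body' rendering: one whitespace-normalized
    line per paragraph, with long lines split near 2 kB at a space if possible."""
    lines = []
    for para in re.split(r"\n\s*\n", text.strip()):
        line = " ".join(para.split())
        while len(line) > MAX_LINE:
            cut = line.rfind(" ", 0, MAX_LINE)
            if cut <= 0:
                cut = MAX_LINE
            lines.append(line[:cut])
            line = line[cut:].lstrip()
        if line:
            lines.append(line)
    return lines


# Hypothetical pattern standing in for a "fewer than 20 characters" rule.
SHORT = re.compile(r"^.{1,19}$")


def per_line_hit(text):
    """What a per-line rule sees: it fires if ANY rendered line is short."""
    return any(SHORT.match(line) for line in cooked_body_lines(text))


def whole_body_hit(text):
    """The intended test: the body as a whole is shorter than 20 characters."""
    return sum(len(line) for line in cooked_body_lines(text)) < 20


# Constructed sample bodies: a gibberish one-liner and a long legitimate mail
# that happens to start with a short greeting paragraph.
SPAM = "Xq vbl\n"
HAM = ("Hi Martin,\n\n"
       + "Here is the quarterly report you asked for. " * 60
       + "\n\nRegards,\nBill\n")

if __name__ == "__main__":
    for name, body in (("spam", SPAM), ("ham", HAM)):
        print(name, per_line_hit(body), whole_body_hit(body))
```

The per-line test flags both bodies, while the whole-body length test flags only the short one.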