It struck me that since individual tripwire rules are at risk of FPs,
but that multiple tripwire hits on the same message are much less so,
it might be worthwhile assigning a significantly higher score to
messages that hit lots of tripwire rules.

Since there are so many rules involved, I've created a set of
intermediate meta rules, as follows:

| meta __tw_meta_A (__tw_AJ || __tw_AQ || __tw_AV || __tw_AZ)
| meta __tw_meta_B (__tw_BD || __tw_BF || __tw_BG || __tw_BH || __tw_BJ || __tw_BK || __tw_BL || __tw_BM || __tw_BN || __tw_BP || __tw_BQ || __tw_BT || __tw_BV || __tw_BW || __tw_BX || __tw_BZ)
| meta __tw_meta_C (__tw_CB || __tw_CC || __tw_CD || __tw_CF || __tw_CG || __tw_CL || __tw_CM || __tw_CN || __tw_CP || __tw_CQ || __tw_CR || __tw_CS || __tw_CV || __tw_CX || __tw_CY || __tw_CZ)

etc.

Then the ones I actually score:

| meta local_META_TRIPWIRE_01 (__tw_meta_A || __tw_meta_B || __tw_meta_C || __tw_meta_D || __tw_meta_E || __tw_meta_F || __tw_meta_G || __tw_meta_H || __tw_meta_I || __tw_meta_J || __tw_meta_K || __tw_meta_L || __tw_meta_M || __tw_meta_N || __tw_meta_O || __tw_meta_P || __tw_meta_Q || __tw_meta_R || __tw_meta_S || __tw_meta_T || __tw_meta_U || __tw_meta_V || __tw_meta_W || __tw_meta_X || __tw_meta_Y || __tw_meta_Z)
| meta local_META_TRIPWIRE_02 (__tw_meta_A + __tw_meta_B + __tw_meta_C + __tw_meta_D + __tw_meta_E + __tw_meta_F + __tw_meta_G + __tw_meta_H + __tw_meta_I + __tw_meta_J + __tw_meta_K + __tw_meta_L + __tw_meta_M + __tw_meta_N + __tw_meta_O + __tw_meta_P + __tw_meta_Q + __tw_meta_R + __tw_meta_S + __tw_meta_T + __tw_meta_U + __tw_meta_V + __tw_meta_W + __tw_meta_X + __tw_meta_Y + __tw_meta_Z > 2)
| meta local_META_TRIPWIRE_05 (__tw_meta_A + __tw_meta_B + __tw_meta_C + __tw_meta_D + __tw_meta_E + __tw_meta_F + __tw_meta_G + __tw_meta_H + __tw_meta_I + __tw_meta_J + __tw_meta_K + __tw_meta_L + __tw_meta_M + __tw_meta_N + __tw_meta_O + __tw_meta_P + __tw_meta_Q + __tw_meta_R + __tw_meta_S + __tw_meta_T + __tw_meta_U + __tw_meta_V + __tw_meta_W + __tw_meta_X + __tw_meta_Y + __tw_meta_Z > 5)
| meta local_META_TRIPWIRE_10 (__tw_meta_A + __tw_meta_B + __tw_meta_C + __tw_meta_D + __tw_meta_E + __tw_meta_F + __tw_meta_G + __tw_meta_H + __tw_meta_I + __tw_meta_J + __tw_meta_K + __tw_meta_L + __tw_meta_M + __tw_meta_N + __tw_meta_O + __tw_meta_P + __tw_meta_Q + __tw_meta_R + __tw_meta_S + __tw_meta_T + __tw_meta_U + __tw_meta_V + __tw_meta_W + __tw_meta_X + __tw_meta_Y + __tw_meta_Z > 10)
| 
| describe local_META_TRIPWIRE_01 At least one tripwire triplets
| describe local_META_TRIPWIRE_02 More than two tripwire triplets
| describe local_META_TRIPWIRE_05 More than five tripwire triplets
| describe local_META_TRIPWIRE_10 More than ten tripwire triplets
| 
| score local_META_TRIPWIRE_01  0.01
| score local_META_TRIPWIRE_02  0.2
| score local_META_TRIPWIRE_05  1.0
| score local_META_TRIPWIRE_10  3.0

Any comments? I don't get enough spam ("only" about 120 a day for an
office of six people) to quickly judge whether this is more effective
than merely scoring individual tripwire rules at 0.07 each or
whatever.

I've put a modified tripwire.cf (based on tripwire 1.16) at
http://www.snoweye.com/john/metatripwire.cf if anyone is interested in
trying this against a corpus in comparison with the standard tripwire
set.

John.

-- 
-- Over 2400 webcams from ski resorts around the world - www.snoweye.com
-- Translate your technical documents and web pages    - www.tradoc.fr
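
An added example, not part of the original post or of the tripwire ruleset: a small Python model of the tiered meta scoring quoted above, compared with flat per-rule scoring at 0.07. It assumes each `__tw_meta_<letter>` contributes 1 to the sum when any rule in its letter group hits; the sample hit lists are constructed, and sub-rule names for groups beyond C are made up.

```python
# Added illustration of the tiered tripwire meta scoring quoted above.
# Assumption: each __tw_meta_<letter> adds 1 to the sum when any rule in
# its letter group hits, however many of them hit.
import string

# (rule, minimum groups hit, score) from the post: > 2, > 5, > 10
# become >= 3, >= 6, >= 11.
TIERS = [
    ("local_META_TRIPWIRE_01", 1, 0.01),
    ("local_META_TRIPWIRE_02", 3, 0.2),
    ("local_META_TRIPWIRE_05", 6, 1.0),
    ("local_META_TRIPWIRE_10", 11, 3.0),
]
FLAT_SCORE = 0.07  # per-rule alternative mentioned in the post


def groups_hit(hits):
    """Return the set of letter groups with at least one sub-rule hit."""
    groups = set()
    for name in hits:
        if (len(name) != 7 or not name.startswith("__tw_")
                or name[5] not in string.ascii_uppercase):
            raise ValueError(f"not a tripwire sub-rule name: {name!r}")
        groups.add(name[5])
    return groups


def tiered_score(hits):
    """Tiers are cumulative: every threshold that is met adds its score."""
    n = len(groups_hit(hits))
    fired = [(rule, score) for rule, need, score in TIERS if n >= need]
    return [rule for rule, _ in fired], round(sum(s for _, s in fired), 2)


def flat_score(hits):
    """Score when each distinct tripwire rule is scored individually."""
    return round(FLAT_SCORE * len(set(hits)), 2)


# Constructed hit lists; names for groups beyond C are made up for the demo.
SAMPLES = {
    "three hits, one group": ["__tw_BD", "__tw_BF", "__tw_BG"],
    "three hits, three groups": ["__tw_AJ", "__tw_BD", "__tw_CB"],
    "eleven groups": [f"__tw_{c}Z" for c in "ABCDEFGHIJK"],
}

if __name__ == "__main__":
    for label, hits in SAMPLES.items():
        print(f"{label:26} tiered={tiered_score(hits)[1]:<5} flat={flat_score(hits)}")
```

Under this model, three hits inside one letter group count as a single group, so they fire only `local_META_TRIPWIRE_01`.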


