On Fri, 16 Apr 2021, Steve Dondley wrote:

First, thanks to everyone on the list who has given me a hand over the past couple of weeks as I get my "sea legs" with spamassassin. It's working well for me now but I obviously still have more to learn.

For one, I'm still uncertain on the best way to fine tune SA to beat back some tricky spam. Like this one that comes from a gmail account but spoofs a fake, expensive order on amazon to try to phish the user.


This is telling:

    From: "or...@amazon.com" <gk5751...@gmail.com>

...and it's detected:

    0.9 NAME_EMAIL_DIFF        Sender NAME is an unrelated email address

...but the score is low due to that happening a lot in legit email, so we need tighter focus.

I'll add this to my sandbox and see how it does:

   header __FROM_NAME_AMAZONCOM     From:name =~ /\bamazon\.com\b/i
   meta   POSSIBLE_AMAZON_PHISH_01  (__FROM_NAME_AMAZONCOM && NAME_EMAIL_DIFF)
   meta   POSSIBLE_AMAZON_PHISH_02  (__FROM_NAME_AMAZONCOM && !__HDR_RCVD_AMAZON)

You are welcome to add it to your local config. Potentially other variations would be useful.

   -0.0 BAYES_20               BODY: Bayes spam probability is 5 to 20%

Train your Bayes...

What is this?

   0.0 GB_FROM_NAME_FREEMAIL  Freemail spear phish with free mail

Is that local? If not, you might want to increase the score on that a bit. Giovanni, is that something of yours that's not in your SA sandbox?



--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Our politicians should bear in mind the fact that
  the American Revolution was touched off by the then-current
  government attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
 3 days until the 246th anniversary of The Shot Heard 'Round The World
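
Added example, not part of the message above and not SpamAssassin code: a small Python harness that mirrors the logic of the POSSIBLE_AMAZON_PHISH_01 meta so candidate From: headers can be checked offline before a rule goes into local config. The NAME_EMAIL_DIFF check here is an approximation written for this example (the real rule's definition is not shown in the thread), the two-label domain comparison is an assumption, and all sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Same pattern as the __FROM_NAME_AMAZONCOM sub-rule quoted in the message.
AMAZON_NAME_RE = re.compile(r"\bamazon\.com\b", re.I)
# Loose matcher for an email address embedded in the display name.
NAME_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def org_domain(domain):
    """Crude organisational-domain guess: the last two labels.
    Assumption for this example; no public suffix list is consulted."""
    return ".".join(domain.lower().split(".")[-2:])


def from_checks(from_header):
    """Return the two sub-results and the combined meta for one From: value."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2]
    name_amazon = bool(AMAZON_NAME_RE.search(name))
    embedded = NAME_ADDR_RE.search(name)
    # Approximation of NAME_EMAIL_DIFF: the display name carries an address
    # whose domain is unrelated to the domain of the real sender address.
    name_email_diff = bool(
        embedded
        and addr_domain
        and org_domain(embedded.group(1)) != org_domain(addr_domain)
    )
    return {
        "from_name_amazoncom": name_amazon,
        "name_email_diff": name_email_diff,
        "possible_amazon_phish_01": name_amazon and name_email_diff,
    }


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"orders@amazon.com" <buyer1234@freemail.example>',  # spoofed display name
    '"Amazon.com" <ship-confirm@amazon.com>',            # name and address agree
    '"jane@corp.example" <jane@mail.corp.example>',      # same organisation
    '"notamazon.com deals" <promo@shop.example>',        # \b prevents a match
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", from_checks(header))
```

Only the first sample trips the combined check; the second shows why the display-name match is scored only in combination with another test.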
