Okay I've rewritten the first line of the rule in a way I think is better
(mind any line breaks)...
full __JF_STOCKSPAM1a /----- Original Message -----[^\n]*\nFrom:[^\n]+\nTo:[EMAIL PROTECTED]@[^\n]+\nSent:[^\n]+\nSubject:[^\n]+\n{5,20}\w+/i
I've exchanged the .* and .+ with [^\n] (negated character class) which I
read is a better method as it doesn't use backtracking. Although I know what
you mean about {0,xx} being better than .* in order to prevent the rule from
"running away in unexpected conditions", but I think in this case it's not
so important because the \n restricts each part of the rule to within one
line. I mean for example after the "From:" text, the + will allow for
unlimited characters to follow the colon but only until the end of the
line - so it's not really possible for the rule to "run away" too far in the
way you mean - right?! :) Correct me if I'm wrong. But I think this is
useful because the spammer could actually use a decent length of text
following the colon on each line - e.g. after From: and To: and Subject:
etc - there could be a decent length of text following - so easier to use
the + until it reaches the end of the line and the \n. Hope I make sense! I
understand me anyway which I'm sure should count for something......
Cheers,
Jeremy
----- Original Message -----
From: "Loren Wilton" <[EMAIL PROTECTED]>
To: <users@spamassassin.apache.org>
Sent: Tuesday, February 28, 2006 10:33 AM
Subject: Re: GIF stock spams
although I imagine they would be able to find a more efficient or less
FP-risky way of writing them.
Not necessarily. Other than the things I mentioned, I don't see anything
particularly scary about these rules. We have certainly written rules of
this sort to catch other things. By preference we'd go for multiple rawbody
rules and a meta. But there are things that you can't catch reliably that
way, and this might be one of them.
No telling if the rules are actually decent until the mass check results
come out. You can have something that works really well for you, and it
will hit absolutely nothing for anyone else, or it will FP all over the
place. Usually in the latter case you can see what went wrong and make a
variation that will get around most or all the FPs, and sometimes you can
widen a rule to hit more spam and not FP.
Loren
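
An added illustration of the line-bounding point raised in the first message (not code from the thread or from SpamAssassin): the header-block pattern written with [^\n] quantifiers, next to a constructed contrast variant whose dot quantifiers may cross newlines, run over three constructed sample messages. Assumptions: Python's re module stands in for Perl, the To: field is simplified to To:[^\n]+ because the archive redacted that part of the rule, and all names and sample text below are made up for the example.

```python
import re

# Line-bounded form: each field quantifier stops at the end of its own line.
# Assumption: To: is simplified because the archived rule is redacted there.
BOUNDED = re.compile(
    r"----- Original Message -----[^\n]*\n"
    r"From:[^\n]+\nTo:[^\n]+\nSent:[^\n]+\nSubject:[^\n]+\n{5,20}\w+",
    re.I,
)

# Constructed contrast: dot quantifiers with DOTALL, so each .+ may span lines.
UNBOUNDED = re.compile(
    r"----- Original Message -----.*\n"
    r"From:.+\nTo:.+\nSent:.+\nSubject:.+\n{5,20}\w+",
    re.I | re.S,
)

# Constructed forwarded-header block (five consecutive lines).
HEADER = (
    "----- Original Message -----\n"
    'From: "A Sender" <sender@example.com>\n'
    "To: <rcpt@example.com>\n"
    "Sent: Monday, January 01, 2006 9:00 AM\n"
    "Subject: hello\n"
)

# Constructed samples.
SPAM_LIKE = "intro\n" + HEADER + "\n" * 6 + "stockword more text\n"
NORMAL_REPLY = "intro\n" + HEADER + "\nThanks for the note.\n"
# The same field names, but scattered over unrelated lines of a message.
SCATTERED = (
    "----- Original Message -----\nFrom: a\n"
    + "filler line\n" * 3
    + "To: b\nmore filler\nSent: c\n"
    + "filler\n" * 2
    + "Subject: d\n" + "\n" * 5 + "word\n"
)

def classify(text):
    """Return (bounded_hit, unbounded_hit) for one message body."""
    return (bool(BOUNDED.search(text)), bool(UNBOUNDED.search(text)))

def lines_spanned(pattern, text):
    """Number of newlines inside the matched span, or None if no match."""
    m = pattern.search(text)
    return None if m is None else m.group(0).count("\n")

if __name__ == "__main__":
    for name in ("SPAM_LIKE", "NORMAL_REPLY", "SCATTERED"):
        print(name, classify(globals()[name]))
```

Only the variant that can cross newlines hits the scattered sample, which is the false-positive shape that line-bounded quantifiers rule out.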