I've got a couple of custom meta rules that don't seem to be applying how
I expected them to.

When I run a message that should hit on these rules I get:

[14109] dbg: rules: ran one_line_body rule __LOCAL_PHISHER_USERNAME ======> got hit: "Username:"
[14109] dbg: rules: ran one_line_body rule __LOCAL_PHISHER_PASSWORD ======> got hit: "Password:"
[14109] dbg: rules: ran header rule __LOCAL_REPLYTO_NOTUS ======> got hit: "negative match"

Which results in the rule LOCAL_PHISH_FROMREPLY getting set with score
0.1, which is great, that is what I expect. However, there is a rule that
builds on that which doesn't fire, specifically the
LOCAL_PHISHER_USERPASS rule, which does the math to add
LOCAL_PHISH_FROMREPLY to __LOCAL_PHISHER_PASSWORD and
__LOCAL_PHISHER_USERNAME to get over a score of 1, but even though those
rules fire, the math addition doesn't seem to get over 1 and thus the
meta rule doesn't fire...

What am I missing here?

body __LOCAL_PHISHER_PASSWORD           /Password(.{0,10}\([\s\.\*\_]+\)|( .{0,4})?:)/i

header __LOCAL_RETURN_PATH_ISUS         Return-Path =~ /\...@ourdomain\.net/
header __LOCAL_FROM_ISUS                From =~ /\...@ourdomain\.net/
header __LOCAL_REPLYTO_EXISTS           exists:Reply-To
header __LOCAL_REPLYTO_NOTUS            Reply-to !~ /\...@ourdomain\.net/
meta LOCAL_PHISH_FROMREPLY              (( __LOCAL_RETURN_PATH_ISUS || __LOCAL_FROM_ISUS ) && ( __LOCAL_REPLYTO_EXISTS && __LOCAL_REPLYTO_NOTUS ))
score LOCAL_PHISH_FROMREPLY             0.1

body __LOCAL_PHISHER_USERNAME           /User(\s)?(n|N)ame(.{0,10}\([\s\.\*\_]+\)|( .{0,4})?:)/i
meta LOCAL_PHISHER_USERPASS             ((( 0.2 * __LOCAL_PHISHER_USERNAME ) + ( 0.4 * __LOCAL_PHISHER_PASSWORD ) + ( 0.4 * LOCAL_PHISH_FROMREPLY)) > 1)
describe LOCAL_PHISHER_USERPASS         Typical phish: asks for username and password, we dont do that
score LOCAL_PHISHER_USERPASS            10.5

thanks,
micah
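
How SpamAssassin evaluates the two meta rules above, as an added example that is not part of the original post: inside a meta expression a rule name stands for its hit value (1 if it hit, 0 if not; a hit meta takes the value of its own expression), not for its score. The evaluator, the `HITS` table and the `>= 1` comparison are assumptions made for illustration.

```python
import re

# Constructed input: every sub-rule from the post is assumed to have hit.
HITS = dict.fromkeys([
    "__LOCAL_RETURN_PATH_ISUS", "__LOCAL_FROM_ISUS", "__LOCAL_REPLYTO_EXISTS",
    "__LOCAL_REPLYTO_NOTUS", "__LOCAL_PHISHER_USERNAME", "__LOCAL_PHISHER_PASSWORD",
], 1)
# Meta expressions copied from the post.
METAS = {
    "LOCAL_PHISH_FROMREPLY":
        "(( __LOCAL_RETURN_PATH_ISUS || __LOCAL_FROM_ISUS ) && "
        "( __LOCAL_REPLYTO_EXISTS && __LOCAL_REPLYTO_NOTUS ))",
}
WEIGHTED_SUM = ("(( 0.2 * __LOCAL_PHISHER_USERNAME ) + "
                "( 0.4 * __LOCAL_PHISHER_PASSWORD ) + ( 0.4 * LOCAL_PHISH_FROMREPLY ))")

TOKEN = re.compile(r"&&|\|\||!(?!=)|[A-Za-z_]\w*")
OPERATORS = {"&&": " and ", "||": " or ", "!": " not "}

def meta_value(expr, hits, metas):
    """Evaluate a meta expression: rule names become hit values, never scores."""
    def substitute(match):
        tok = match.group(0)
        if tok in OPERATORS:
            return OPERATORS[tok]
        if tok in metas:  # a hit meta has the value of its own expression
            return repr(meta_value(metas[tok], hits, metas))
        return repr(hits.get(tok, 0))  # unhit or unknown rule counts as 0
    # Only numbers, operators and parentheses remain, so a bare eval suffices here.
    result = eval(TOKEN.sub(substitute, expr), {"__builtins__": {}}, {})
    return int(result) if isinstance(result, bool) else result

def explain(hits=HITS, metas=METAS):
    """Return the weighted sum and the outcome of two threshold comparisons."""
    return {
        "sum": meta_value(WEIGHTED_SUM, hits, metas),
        "sum > 1": meta_value(f"({WEIGHTED_SUM} > 1)", hits, metas),    # as posted
        "sum >= 1": meta_value(f"({WEIGHTED_SUM} >= 1)", hits, metas),  # assumed variant
    }

if __name__ == "__main__":
    for label, value in explain().items():
        print(f"{label:9} -> {value}")
```

With every sub-rule hit, the weighted sum is exactly 1.0, so the posted `> 1` comparison evaluates to false.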
