On Wed, 2013-02-06 at 17:45 +0200, Eliezer Croitoru wrote:

> Sorry but I didn't have much time to understand all of the rules syntax.
> 
When developing a meta rule that combines subrules there's little
point in writing descriptions for the subrules. In addition I find it's
helpful to do the initial development without the leading underscores
because this way you can see these rules firing. After the combination
is working as I want it to I put the underscores in. So, I'd start your
main rule like this:

describe   HBRW_SPAM Trap spam that's < 50% Hebrew from a specific sender
header     HSFROM    From =~ /spamadmin\@ngtech.co.il/i
mimeheader HSENC     Content-type =~ /charset=.{0,3}windows-1251/i 
body       HSHCH     /[\xC0-\xCB\xCD-\xDB\xDF-\xFB]?/
tflags     HSHCH     multiple
body       HSTCH     /[\x30-\x39\x41-\x5A\x61-\x7A\x80-\xFF]?/
tflags     HSTCH     multiple
meta       HSPCT     ( (HSHCH * 100) / (HSTCH + 1 ) )
meta       HBRW_SPAM (HSPCT < 1) && HSFROM && HSENC
score      HBRW_SPAM 10.3

Then this gets tested on a set of messages that exercise every subrule as well
as checking that the metas work correctly. In this case I'd manually create
simpler message bodies that exercise every test case (I think you'd need at
least 10 test messages to fully test HBRW_SPAM and all its subrules). With this
technique you do need to use the lint check but don't need debugging because the
list of rules that fire tells you whether a rule fired or didn't *and* will
show the number of times a 'multiple' fired.

After all is working correctly I put the underscores back:

#
# HBRW_SPAM detects messages from spamad...@ngtech.co.il with a message body or
# part using the Windows 1251 (Hebrew) charset and that contains mostly
# non-Hebrew text.
# 
describe   HBRW_SPAM Trap spam that's < 50% Hebrew from a specific sender
header     __HSFROM    From =~ /spamadmin\@ngtech.co.il/i
mimeheader __HSENC     Content-type =~ /charset=.{0,3}windows-1251/i 
body       __HSHCH     /[\xC0-\xCB\xCD-\xDB\xDF-\xFB]?/
tflags     __HSHCH     multiple
body       __HSTCH     /[\x30-\x39\x41-\x5A\x61-\x7A\x80-\xFF]?/
tflags     __HSTCH     multiple
meta       __HSPCT     ( (__HSHCH * 100) / (__HSTCH + 1 ) )
meta       HBRW_SPAM (__HSPCT < 1) && __HSFROM && __HSENC
score      HBRW_SPAM 10.3

After that I re-lint and try all test cases again. In this case I'd do
the underscore additions in two stages: first add them to HSHCH and
HSTCH so I can see that HSPCT still works and, if so, put the rest back
and re-test.

In a complex rule like this it's well worth preceding it with a set of
comment lines to describe it (as above). I like to use shorter names for
subrules (so the subrule name length won't be longer than the meta rule
name when the underscores have been put in) and to name them so their
names emphasize that they are part of the meta-rule. 

If you find out later that you want to use a subrule in more than one
meta-rule it's easy enough to pull it out as a free-standing rule and
give it a description, a meaningful name and score it as 0.01, e.g.

describe   HEBREW_CHARSET MIME part or message body uses CHARSET 1251
mimeheader HEBREW_CHARSET Content-type =~ /charset=.{0,3}windows-1251/i
score      HEBREW_CHARSET 0.01

and, of course, change the name of the subrule in the original metarule.
Forgetting this last step won't be picked up by a lint check. The meta
rule(s) that use the old name will merely think the subrule didn't fire.
 
HTH


Martin
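
The test procedure described in this message, modelled as an added example (not part of the original message and not SpamAssassin code): a Python sketch that evaluates the HBRW_SPAM subrules over constructed single-part messages, one per branch of the meta rule. It assumes each non-empty match counts once for a `multiple` rule, so the trailing `?` is dropped from the two byte classes, and that the body rules see the raw body bytes; the sender `someone@example.org` and all message bodies are constructed.

```python
import re
from email import message_from_bytes

# Patterns copied from the rules in the message. Assumption: the trailing '?'
# is dropped so that only non-empty matches are counted for 'multiple' rules.
HSHCH = re.compile(rb"[\xC0-\xCB\xCD-\xDB\xDF-\xFB]")
HSTCH = re.compile(rb"[\x30-\x39\x41-\x5A\x61-\x7A\x80-\xFF]")
HSFROM = re.compile(r"spamadmin\@ngtech.co.il", re.I)
HSENC = re.compile(r"charset=.{0,3}windows-1251", re.I)

def evaluate(raw: bytes) -> dict:
    """Return every subrule's hit count or truth value, plus both metas."""
    msg = message_from_bytes(raw)
    body = msg.get_payload(decode=True) or b""
    hits = {
        "HSFROM": bool(HSFROM.search(str(msg.get("From", "")))),
        "HSENC": bool(HSENC.search(str(msg.get("Content-Type", "")))),
        "HSHCH": len(HSHCH.findall(body)),
        "HSTCH": len(HSTCH.findall(body)),
    }
    # meta HSPCT ( (HSHCH * 100) / (HSTCH + 1) ), using float division
    hits["HSPCT"] = (hits["HSHCH"] * 100) / (hits["HSTCH"] + 1)
    hits["HBRW_SPAM"] = hits["HSPCT"] < 1 and hits["HSFROM"] and hits["HSENC"]
    return hits

def make_message(sender: str, charset: str, body: bytes) -> bytes:
    """Build a minimal single-part test message (constructed sample input)."""
    head = (f"From: {sender}\r\nSubject: test\r\nMIME-Version: 1.0\r\n"
            f"Content-Type: text/plain; charset={charset}\r\n"
            "Content-Transfer-Encoding: 8bit\r\n\r\n")
    return head.encode("ascii") + body

TARGET, CS = "spamadmin@ngtech.co.il", "windows-1251"
CASES = {  # constructed: one message per branch of the meta rule
    "all_subrules":    (TARGET, CS, b"buy now " * 30),
    "other_sender":    ("someone@example.org", CS, b"buy now " * 30),
    "other_charset":   (TARGET, "utf-8", b"buy now " * 30),
    "mostly_hshch":    (TARGET, CS, b"\xe0\xe1\xe2 " * 50),
    "just_under_1pct": (TARGET, CS, b"\xe0" + b"a" * 99),
    "exactly_1pct":    (TARGET, CS, b"\xe0" + b"a" * 98),
}

def run_matrix() -> dict:
    """Evaluate every constructed case and return its full hit list."""
    return {name: evaluate(make_message(*args)) for name, args in CASES.items()}

if __name__ == "__main__":
    for name, hits in run_matrix().items():
        print(f"{name:16} {hits}")
```

The last two cases sit on either side of the `HSPCT < 1` comparison: one HSHCH byte among 100 counted bytes still lets the meta fire, while one among 99 gives exactly 1 and does not.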

