On Thu, 2013-04-11 at 18:25 -0400, Alex wrote:
> Hi,
>
> Recently I noticed that this rule was getting FPs from mail on a
> SourceForge-related mailing list that I thought should have nothing to
> do with Yahoo, so I added in another (obfuscated) rule. The combination
> now looks like this:
>
> #
> # Yahoo message-ID but sender not Yahoo.
> #
>
> describe MG_YAHOO_FS Yahoo message-ID, not From: yahoo or associates
> header __MG_YAHFS1 Message-id =~ /\@.*yahoo\.com/
> header __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
>
> header __MG_YAHFS3 From =~ /talk21\.com/
> meta __MG_YAHFSM (__MG_YAHFS2 || __MG_YAHFS3)
> meta MG_YAHOO_FS (__MG_YAHFS1 && !__MG_YAHFSM)
> score MG_YAHOO_FS 50
>
>
> It looks like we also need to add rogers.com and bellsouth.net to the
> exclude list.
>

Agreed. I've only seen FPs from talk21 so that's all that's included in my version of the rule.
To extend it, I'd suggest converting the regex in __MG_YAHFS3 into a list of alternates because that should be faster and use less CPU than adding single-shot rules and combining them with an extended version of __MG_YAHFSM.

I personally dislike writing any rule or subrule that extends out of an 80 col text window, so if __MG_YAHFS3 extends too far for that you can either add a set of similar subrules or take a deep breath and use something like my portmanteau rule generator to build a monster stand-alone rule and link it in via __MG_YAHFSM. The generator is here: http://www.libelle-systems.com/free/ and look for the 'portmanteau' link. The generator lets you store the regex phases etc in an easily edited form which is converted into an SA rule by a bash shell script that uses an awk program to do the heavy lifting.

If I need to extend my version I'll probably start with no more than one extra subrule, i.e. matching around 6-8 domains max and, if it extends further, swap to using the portmanteau rule generator.

Martin
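
An added example, not Martin's portmanteau generator and not code from this thread: it packs the sender domains named above into alternation subrules that each fit in 80 columns, then evaluates the resulting meta logic against constructed headers. The `__MG_YAHFSX` subrule names and the `[\@.]` / `\b` anchoring are assumptions; the generated subrules take the place of `__MG_YAHFS2` and `__MG_YAHFS3`.

```python
import re

# Sender domains to exempt; all five are named in the thread above.
EXEMPT = ["yahoo.com", "yahoo.co.uk", "talk21.com", "rogers.com", "bellsouth.net"]
MSGID_RE = r"\@.*yahoo\.com"  # __MG_YAHFS1 regex, copied from the quoted rule
PREFIX = "__MG_YAHFSX"        # hypothetical name prefix for generated subrules

def header_line(n, domains):
    """One 'header' subrule whose regex is an alternation of the domains."""
    alts = "|".join(d.replace(".", r"\.") for d in domains)
    return f"header {PREFIX}{n} From =~ /[\\@.](?:{alts})\\b/i"

def build_rules(domains, max_cols=80):
    """Greedily pack domains into subrules no wider than max_cols columns."""
    if not domains:
        raise ValueError("an empty alternation would match every sender")
    chunks = [[]]
    for d in domains:
        trial = chunks[-1] + [d]
        if chunks[-1] and len(header_line(len(chunks), trial)) > max_cols:
            chunks.append([d])  # current line is full: start another subrule
        else:
            chunks[-1] = trial
    rules = [header_line(i, c) for i, c in enumerate(chunks, 1)]
    names = " || ".join(f"{PREFIX}{i}" for i in range(1, len(chunks) + 1))
    # __MG_YAHFS1 itself stays exactly as in the quoted rule.
    rules.append(f"meta __MG_YAHFSM ({names})")
    rules.append("meta MG_YAHOO_FS (__MG_YAHFS1 && !__MG_YAHFSM)")
    return rules

def fires(rules, message_id, from_header):
    """Evaluate MG_YAHOO_FS in Python using the regexes emitted above."""
    exempt = [r.split("/", 1)[1].rsplit("/", 1)[0]
              for r in rules if r.startswith("header")]
    yahoo_id = re.search(MSGID_RE, message_id) is not None
    known_sender = any(re.search(p, from_header, re.I) for p in exempt)
    return yahoo_id and not known_sender

# Constructed sample Message-ID, not taken from real mail.
YAHOO_ID = "<1365718000.4711.YahooMailNeo@web1.mail.example.yahoo.com>"

if __name__ == "__main__":
    print("\n".join(build_rules(EXEMPT)))
    print(fires(build_rules(EXEMPT), YAHOO_ID, "A User <a.user@rogers.com>"))
```

With the five domains the generator emits two header subrules; passing only the first three domains reproduces the rogers.com false positive reported above.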