On 1/11/2014 9:05 AM, Alex wrote:
> Hi,
> On Fri, Jan 10, 2014 at 10:32 PM, Kevin A. McGrail <kmcgr...@pccc.com> wrote:
>> I checked in basic and I didn't get very far just looking at the
>> first rule using your pastebin example. It didn't appear to hit
>> your rules.
>> Might be something lost via pastebin, but it's late and I'm tired,
>> so it could be my mistake as well. However,
>>   spamassassin -t -D < /tmp/2.mbox 2>&1 | grep __RB_GT
>> showed nothing.
> It hit all of the subrules and LOC_SHORT here, but I don't understand
> why it doesn't detail the specifics of what triggered each of them.
>> So you might want to look at 3.4.0 from SVN and look at using
>> these rules:
>>
>> body __KAM_BODY_LENGTH_LT_128 eval:check_body_length('128')
>> describe __KAM_BODY_LENGTH_LT_128 The length of the body of the email is less than 128 bytes.
>>
>> body __KAM_BODY_LENGTH_LT_256 eval:check_body_length('256')
>> describe __KAM_BODY_LENGTH_LT_256 The length of the body of the email is less than 256 bytes.
>>
>> body __KAM_BODY_LENGTH_LT_512 eval:check_body_length('512')
>> describe __KAM_BODY_LENGTH_LT_512 The length of the body of the email is less than 512 bytes.
>>
>> body __KAM_BODY_LENGTH_LT_1024 eval:check_body_length('1024')
>> describe __KAM_BODY_LENGTH_LT_1024 The length of the body of the email is less than 1024 bytes.
> I have v3.4 running on a few of the systems now. My rule (one you
> helped me write, actually) detects a body with a short URL, not just
> the body length, although this looks helpful.
>
> Thanks,
> Alex
Here's an example of a short email rule I've been working on if it helps:

#NEWS!
header __KAM_NEWS1 Subject =~ /^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$/i
body __KAM_NEWS2 /(?:Hello|hey|hi)!/i
meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + __HAS_ANY_URI >= 3)
describe KAM_NEWS Forged Emails with NEWS!
score KAM_NEWS 9.0
Though I've also considered using these rules:

#URI COUNT - REQUIRES 3.3 OR LATER
if (version >= 3.003000)
uri __KAM_COUNT_URIS /^./
tflags __KAM_COUNT_URIS multiple maxhits=16
describe __KAM_COUNT_URIS A multiple match used to count URIs in a message, including http:// and em...@email.com - use one of the meta rules below instead of directly using this one
meta __KAM_HAS_0_URIS (__KAM_COUNT_URIS == 0)
meta __KAM_HAS_1_URIS (__KAM_COUNT_URIS >= 1)
meta __KAM_HAS_2_URIS (__KAM_COUNT_URIS >= 2)
meta __KAM_HAS_3_URIS (__KAM_COUNT_URIS >= 3)
meta __KAM_HAS_4_URIS (__KAM_COUNT_URIS >= 4)
meta __KAM_HAS_5_URIS (__KAM_COUNT_URIS >= 5)
meta __KAM_HAS_10_URIS (__KAM_COUNT_URIS >= 10)
meta __KAM_HAS_15_URIS (__KAM_COUNT_URIS >= 15)
endif
Regards,
KAM
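As an added illustration (not SpamAssassin code and not written by anyone on this thread), the Python below models how the rules quoted above are evaluated: each `__` subrule yields 0 or 1, the KAM_NEWS meta sums four of them against the `>= 3` threshold, `check_body_length` compares the body size in bytes, and `tflags multiple maxhits=16` caps the URI count that the `__KAM_HAS_n_URIS` metas compare against. The two sample messages, the simplified URI regex, and the `fired()` report (the per-subrule detail Alex noted `-t` does not print for zero-score subrules) are constructed for this example; SpamAssassin's real URI extraction and body normalisation are considerably richer.

```python
import re

# Constructed sample messages for this example (not taken from the thread).
SPAM_MSG = """Subject: Fwd: NEWS
From: sender@example.invalid
To: you@example.invalid

Hello!
http://example.invalid/read-more
"""

HAM_MSG = """Subject: Weekly report
From: colleague@example.invalid

Hi team,

Attached is the report for this week. The figures are up across all regions,
and the next review is scheduled for Thursday. Let me know if you have
questions before then. Thanks!
"""

# Rough stand-in for SpamAssassin's URI extraction: http(s) links and bare
# e-mail addresses in the body (the real parser handles far more forms).
URI_RE = re.compile(r"https?://\S+|[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)


def split_message(raw):
    """Split a plain RFC 822-style message into (headers dict, body text)."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def check_body_length(body, limit):
    """Model of eval:check_body_length('N'): true when the body is under N bytes."""
    return len(body.encode("utf-8")) < limit


def count_uris(body, maxhits=16):
    """Model of `uri __KAM_COUNT_URIS /^./` with `tflags multiple maxhits=16`:
    every URI is a hit, but the hit count stops growing at maxhits."""
    return min(len(URI_RE.findall(body)), maxhits)


def subrules(raw):
    """Evaluate the __ subrules the KAM_NEWS meta uses; in a meta each is 0 or 1."""
    headers, body = split_message(raw)
    subject = headers.get("subject", "")
    return {
        "__KAM_NEWS1": bool(re.match(r"^(?:Fwd: ?)?(?:NEWS|WEBSITE|ARTICLE)$", subject, re.I)),
        "__KAM_NEWS2": bool(re.search(r"(?:Hello|hey|hi)!", body, re.I)),
        "__KAM_BODY_LENGTH_LT_128": check_body_length(body, 128),
        "__HAS_ANY_URI": count_uris(body) >= 1,
    }


def kam_news(raw):
    """meta KAM_NEWS (__KAM_NEWS1 + __KAM_NEWS2 + __KAM_BODY_LENGTH_LT_128 + __HAS_ANY_URI >= 3)"""
    return sum(int(hit) for hit in subrules(raw).values()) >= 3


def has_n_uris(raw, n):
    """meta __KAM_HAS_<n>_URIS: (__KAM_COUNT_URIS >= n), with n == 0 as an equality test."""
    _, body = split_message(raw)
    count = count_uris(body)
    return count == 0 if n == 0 else count >= n


def fired(raw):
    """Names of the subrules that hit: the detail that is otherwise invisible
    because zero-score __ rules are not listed in the -t report."""
    return sorted(name for name, hit in subrules(raw).items() if hit)


def score(raw):
    """Only the meta carries a score (9.0); the __ subrules contribute nothing."""
    return 9.0 if kam_news(raw) else 0.0


if __name__ == "__main__":
    for label, msg in (("spam", SPAM_MSG), ("ham", HAM_MSG)):
        print(label, score(msg), fired(msg))
```

Running it prints the score and the list of hit subrules for each constructed message; the same summed-boolean logic is what makes the `>= 3` threshold fire on three of four signals rather than requiring all of them.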