On Thu, 2017-07-13 at 12:59 +0000, Charles Amstutz wrote:
> I find it challenging to constantly keep up with campaigns. My
> guess with the phone number is to try to make it seem more
> legitimate.
> More recently, I try to look for general characteristics and go for
> that, in order to futureproof rules. However, there are always
> legitimate emails being sent that would trigger a potential rule
> (depending on what you are matching on).

I'm continuing to get good results from a multi-level approach:
I use two or more subrules with low scores (0.01 or so) that are combined by an AND relation in a meta-rule that triggers a suitably spammy score when all subrules get hits.

The subrules are typically automatically assembled lists of words or phrases - automatically assembled because that makes maintenance vastly easier. The list contents are typically words and phrases found in spam, e.g. one list might be selling phrases such as "get you rocks off with" that are unlikely to appear in personal or legit commercial mail and another might be names or slang terms for less common pharmaceuticals.

The basis of this idea, which works surprisingly well in practice, is that a hit on one list may be accidental but a message hitting on both lists is more likely than not to be spam. A side benefit of this approach is that it will also hit combinations that weren't used in any of the spam analysed to create the lists, and that this will not generate false positives if the list contents are carefully chosen.

I use an awk script to turn easily edited definition files into valid SA rules and hand-write the combining meta-rules.

Martin
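As an added example (this is not Martin's script, which is not shown on the page), here is a small POSIX sh/awk generator that does what the post describes: each plain-text list file becomes one SpamAssassin `body` subrule scored 0.01, and a hand-written meta-rule ANDs the subrules together and carries the real score. The list-file format (one phrase per line, `#` comments), the `LOCAL_*` rule names, the 4.0 meta score and the two sample lists are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the script from the post: turn plain word/phrase lists
# into SpamAssassin "body" subrules and AND them together in a meta-rule.
# Assumed list format: one phrase per line, blank lines and '#' lines ignored.
# Rule names, the 4.0 meta score and the sample lists are all constructed.

# gen_subrule NAME LISTFILE  -> body/score/describe lines for one list
gen_subrule() {
    name=$1
    file=$2
    awk -v name="$name" -v src="$(basename "$file")" '
        /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
        {
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            gsub(/[][\\.^$*+?(){}|]/, "\\\\&")        # match regex metacharacters literally
            gsub("/", "\\\\/")                        # "/" delimits the SA regex
            gsub(/ +/, "[[:space:]]+")                # tolerate odd spacing in spam
            alts = (alts == "" ? "" : alts "|") $0
        }
        END {
            if (alts == "") exit 1                    # empty list: emit nothing, fail
            printf "body     %s  /\\b(?:%s)\\b/i\n", name, alts
            printf "score    %s  0.01\n", name        # visible in the report, harmless alone
            printf "describe %s  phrase list %s (auto-generated)\n", name, src
        }' "$file"
}

# gen_meta META SCORE SUBRULE...  -> meta-rule that fires only when ALL subrules hit
gen_meta() {
    meta=$1; score=$2; shift 2
    expr=$1; shift
    for r in "$@"; do expr="$expr && $r"; done
    printf 'meta     %s  (%s)\nscore    %s  %s\n' "$meta" "$expr" "$meta" "$score"
}

# Constructed sample lists (what the hand-edited definition files would hold).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
cat > "$WORKDIR/selling.list" <<'EOF'
# selling phrases that legit mail almost never uses
get your rocks off with
lowest price guaranteed
EOF
cat > "$WORKDIR/pharma.list" <<'EOF'
# names and slang for the products being pushed
sildenafil
blue pill
EOF

# build_rules -> the complete .cf fragment on stdout
build_rules() {
    gen_subrule LOCAL_SELLING_PHRASES "$WORKDIR/selling.list"
    gen_subrule LOCAL_PHARMA_NAMES    "$WORKDIR/pharma.list"
    gen_meta    LOCAL_SELLING_PHARMA 4.0 LOCAL_SELLING_PHRASES LOCAL_PHARMA_NAMES
}

build_rules
```

Redirect the output into a `.cf` file in the site rules directory and run `spamassassin --lint` before reloading: a phrase that breaks the regex (an unbalanced bracket in the list, say) is caught there rather than at delivery time. The 0.01 subrule scores keep each list hit visible in the X-Spam-Status report, which is useful when tuning the lists; if you would rather the subrules not appear at all, name them with a leading `__` and give them no score, which is the SpamAssassin convention for meta-only subrules. Because one accidental hit on either list adds only 0.01, a false positive needs a message to match both lists at once, which is the property the post relies on.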