Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Enthusiast Zone > Networking > SpamAssassin custom rule

SpamAssassin custom rule
Thread Tools
zro
Mac Elite
Join Date: Nov 2003
Location: The back of the room
Status: Offline
Reply With Quote
May 31, 2014, 10:50 PM
 
SpamAssassin version: 3.3.2-r929478
System: OS X Server 10.7
SpamAssassin n00b level: Ultimate

Starting a couple of weeks ago I'd been getting a couple of like spam e-mails every few days. It's been slowly ramping up to a couple times a day. These e-mails look like this: http://i.imgur.com/0YLBDxm.png The highlighting is to show the random text colored close to the background peppered between <span> after <span> of the "real" message.

SpamAssassin includes a rule to spot HTML that includes "many" spans (MANY_SPAN_IN_TEXT) but it's configed to only find 5 before throwing a pretty low spam score. These e-mails contain literally several hundred (800+) <span> tags. I really don't want to bump the score for the included rule so I modified a copy of it and dropped it into /private/etc/mail/spamassassin/local.cf

Unfortunately it doesn't get loaded. Not sure what I'm missing or if I'm going about this all wrong. You can see at the bottom I've just bumped the score of the two rules that seem the most useful for tagging this type of message. This works, but I worry about false positives.

Code:

### Trying to stop <span>H</span><span>T</span><span>M</span><span>L</span>
### Not sure if working, or...

##{ EXTREME_SPAN_IN_TEXT

meta           EXTREME_SPAN_IN_TEXT   __X_SPAN_IN_TEXT && !__VIA_ML 
describe       EXTREME_SPAN_IN_TEXT   Extreme number of <SPAN> tags embedded within text
tflags         EXTREME_SPAN_IN_TEXT   publish
##} EXTREME_SPAN_IN_TEXT

meta           __X_SPAN_IN_TEXT   (__X_SPAN_BEG_TEXT > 24) && (__X_SPAN_END_TEXT > 24)

rawbody        __X_SPAN_BEG_TEXT        /[a-z]{2}<(?i:span)\s/
tflags         __X_SPAN_BEG_TEXT        multiple maxhits=25

rawbody        __X_SPAN_END_TEXT        /[^;>]<\/(?i:span)>[a-z]{3}/
tflags         __X_SPAN_END_TEXT        multiple maxhits=25

score EXTREME_SPAN_IN_TEXT              25
### Well that shit isn't even being run. :| So...

score MANY_SPAN_IN_TEXT                 10
score HTML_FONT_LOW_CONTRAST            10
Also, how / where do I find the bounced spam message template? I want to send a "550 User not found" rather than SA's "Your message is spam." Haven't seen it in the obvious places.

Any halp is greatly appreciated.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 06:40 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,