Re: spam recipe - need help understanding a false positive

Your recipe is broken.  The problem is how you're using the OR bar.
The condition:

* ^Subject:.*SEX|FREE SEX|LESBIANS| XXX |HARDCORE|GAY

will match anything that has /^Subject:.*SEX/, or anything with /GAY/
or anything with /HARDCORE/, etc.  And sure enough, if you look at the
"smime.p7s" attachment which is base64-encoded, the 13th line matches
with "..owGAYDV..".

Try being a little more specific with your condition, like:

* ^Subject:.*((FREE )?SEX|LESBIANS| XXX |HARDCORE|GAY)

For additional fodder, http://www.it.ca/software/procmail-spamtrap has
everything I'm using to filter inbound mail.


On Sat, Nov 17, 2001 at 11:56:53PM -0500, Louis LeBlanc wrote:
> Hey. Kinda feel wierd  putting this up, but I guess  this is the place
> for it.
>
> I've been  tweaking my own spam  recipes lately, and I  have one false
> positive I  can't explain. Thought  someone else here might  have some
> ideas. I've even  tried egrepping the keys from the  crypt sig, but no
> hits.  I need to understand this so I can improve the recipe.
>
> Here is the recipe that caused the false positive:
> #####################################
> :0DBHfhw
> * ^Subject:.*SEX|FREE SEX|LESBIANS| XXX |HARDCORE|GAY
> | formail -Y -f -A "X-Spammer: Porn crap"
> :0A
> { FOLDER=spam }
> #####################################
>
> Here is the log info:
>
> #####################################
> procmail: [57745] Fri Nov 16 10:26:15 2001
> procmail: Assigning "JFDIR=/usr/local/etc/junkfilter"
> procmail: Assigning "PMDIR=/usr/local/etc/junkfilter"
> procmail: Assigning "LOGABSTRACT=all"
> procmail: Assigning "INCLUDERC=/etc/myspamkillrc"
> procmail: No match on "^Subject:.*ADV.*"
> procmail: No match on "^X-Advertisement:.*"
> procmail: No match on "To:.*undisclosed"
> procmail: No match on "^From:.*XXX"
> procmail: No match on ! "^From:.*"
> procmail: No match on "Content-Type: text/html"
> procmail: Match on ! "^Subject:.*spam.*"
> procmail: No match on "To be removed.*(excite|aol|yahoo|netscape|juno|
>  china)|university diploma|university degree|one time mailing|
>  no need to.*remove|charset=.*ks_c_5601-1987|MONEY BACK GUARANTEE|
>  To be removed f(ro|or)m our (email list|mailings)|REMOVE on the subject|
>  cannot be considered spam|POSTMASTERDIRECT|
>  our records show that you have requested|your address has been registered|
>  click.here.*to.be.removed|Attention Site Administrators|
>  LEGALLY ORDAINED MINISTER|ARE YOU TIRED OF MAKING YOUR BOSS RICH|
>  SEND.* BULK E-MAIL LEGALLY|1-206-222-2829|service offering|
>  This message is an advertisement|Does this headline look familiar|
>  http://[0-9][0-9][0-9][0-9]|www.removeyou.com|
>  mailto.*Remove Me From Your List|explosivetraffic|mysprintfast|
>  bill.*301.*1618.*remove|charset=euc-kr|bill.*S.1618|Bill HR 1910|
>  Free Shopping Spree|Win \$|permanently remove|NO STRINGS attached|
>  Fast Cash|OptinGlobal|from future mailings|up30CREDIT CARD PROCESSING|
>  Credit Problems|you accept credit cards|ABSOLUTELY FREE|
>  to be excluded from further communication|FREE SHIPPING|
>  wholesale liquidators|ORDER VIAGRA ONLINE|excess (pounds|weight)|
>  weight loss secret|(melt|melts) away (pounds|inches)|Learn English|
>  HOME *EMPLOYMENT"
> procmail: Match on "^Subject:.*SEX|FREE SEX|LESBIANS|XXX|HARDCORE|GAY"
> procmail: Executing "formail,-Y,-f,-A,X-Spammer: Porn crap"
> procmail: Assigning "FOLDER=spam"
> procmail: No match on "pictures of me and my sexy friends|eroasia"
> procmail: Assigning "INCLUDERC=/home/leblanc/.procmailrc"
> procmail: Match on ! "trash"
> procmail: No match on ! "spam"
> procmail: Match on ! "trash"
> procmail: No match on ! "spam"
> procmail: Match on "."
> procmail: Executing "deliver,-q,-m,spam,--,leblanc"
> procmail: Assigning "LASTFOLDER=deliver -q -m spam -- leblanc"
>  Subject: Re: indexing createTimestamp
>   Folder: deliver -q -m spam -- leblanc                           7439
> #####################################
>
> And hopefully, you will find the entire message attached.
>
> I am at a loss, because it looks like the message has some kind of
> pornographic reference, but I am unable to find it.
>
> Any help is appreciated
> Lou
> -- 
> Louis LeBlanc               leblanc(_at_)keyslapper(_dot_)org
> Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> http://www.keyslapper.org                     Ô¿Ô¬
>
> This is the first age that's  paid much attention to the future, which
> is a little ironic since we may not have one.
>     -- Arthur Clarke
> Date: Fri, 16 Nov 2001 16:21:12 +0100
> From: Kuba Leszewski <k(_dot_)leszewski(_at_)ce3(_dot_)pl>
> Subject: Re: indexing createTimestamp
> To: John Morrissey <jwm(_at_)horde(_dot_)net>
> Cc: openldap-software(_at_)OpenLDAP(_dot_)org
>
> John Morrissey wrote:
>
> > Is it possible to index the createTimestamp attribute? When I try to put an
> > equality index on that attribute, slapd complains:
> >
> > Starting slapd: /etc/openldap/slapd.conf: line 55: equality index of
> > attribute "createTimestamp" disallowed
> Check teh schema file,
> find the createTimestamp attribute
> and see what indexes are allowed/disallowed
>
> It should be somewhere there
>
> > thanks,
> > john
> Kuba
>
> >



-- 
  Paul Chvostek                                             
<paul(_at_)it(_dot_)ca>
  Operations / Development / Abuse / Whatever       vox: +1 416 598-0000
  IT Canada                                            http://www.it.ca/

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail