procmail

Re: Spam filter anomaly

2005-08-31 13:18:00
At 15:04 2005-08-31 -0400, Louis Proyect wrote:
> 2. The recipes that are meant to catch anything with "st0ck" or "St0ck", a
> dead giveaway for Penny Stock newsletters that 9 out of 10 times are hyping
> non-existent companies!


> :0 B
> * Penny-stocks
> /dev/null
>
> :0 B
> * Penny stocks
> /dev/null

combine these two:

:0B
* Penny[        -]stocks
/dev/null

I would strongly recommend against scuttling directly to /dev/null though, 
and you could simply use \> instead of the character class between the 
words, which will increase the word separators used.

> :0 B
> * st0ck
> /dev/null
>
> :0 B
> * St0ck
> /dev/null

You're using case-sensitivity when it isn't appropriate - Procmail is by 
default case insensitive (check the manpages).  As such, these two recipes 
evaluate the same.

Combine all three:

:0B
* (Penny[       -]stocks|st0ck)
/dev/null

> 3. A sample spam that was not caught by the filter.

Is it the original message untweaked, or did it perhaps have ENCODING?

> 4. The procmail output generated for the spam with verbose on. You'll note
> that it didn't find a match on "st0ck" when it is clearly evident.

But is that "clearly evident" AFTER the message was tweaked by your 
Windows-based email client and posted into a webdoc?  The RAW message is no 
doubt significantly different.

I trust you're filtering this list *BEFORE* your stock filters, because 
with all those /dev/null deliveries, you're just begging to trash all the 
responses people send.

> 5. What is truly bizarre is the procmail output I get when I simply forward
> the same message to myself. When I do this, it is caught by the filter. I
> can't understand how this is possible.

Because your email client has unencoded the message from its originally 
encoded form and posted it as plain ASCII text.  Examine the ORIGINAL 
message in your mailbox before downloading it.

---
  Sean B. Straw / Professional Software Engineering

  Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
  Please DO NOT carbon me on list replies.  I'll get my copy from the list.


____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
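
The encoding effect described in the reply above, as an added example that is not part of the original post: a body-only pattern test is run against a message's raw body and against its decoded body. Assumptions: Python's `re` stands in for procmail's matcher, the sample message is constructed here, and base64 is used as the transfer encoding for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# The combined recipe's condition; procmail matches case-insensitively by default.
PATTERN = re.compile(r"(Penny[ \t-]stocks|st0ck)", re.IGNORECASE)


def build_sample(cte):
    """Constructed sample message; cte is the Content-Transfer-Encoding."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "newsletter"
    msg.set_content("This st0ck is about to move!\n", cte=cte)
    return msg.as_string()


def raw_body(raw):
    """Body text as delivered: everything after the first blank line."""
    return raw.split("\n\n", 1)[1]


def decoded_body(raw):
    """Body after undoing the transfer encoding, as a mail client displays it."""
    msg = message_from_string(raw)
    charset = msg.get_content_charset() or "us-ascii"
    return msg.get_payload(decode=True).decode(charset, errors="replace")


def matches(text):
    return PATTERN.search(text) is not None


if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        raw = build_sample(cte)
        print(cte, "raw:", matches(raw_body(raw)),
              "decoded:", matches(decoded_body(raw)))
```

The base64 copy only matches once decoded, which is the state a client leaves it in when it forwards the message as plain text.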
