Over-aggressive SpamAssasin rules?

[ao1]

One of the newsletters I subscribe to just got tagged with an abnormally high spam score:

Code:

X-Sieve: CMU Sieve 2.3
X-Spam-score: 9.9
X-Spam-hits: BAYES_50 0.001, FORGED_RCVD_HELO 0.135, HOT_NASTY 0.157, HTML_30_40 0.374,
  HTML_MESSAGE 0.001, ME_GEOCITIES 1, ME_GEOCITIES_MANY 6,
  MIME_HTML_MOSTLY 1.102, SPF_FAIL 1.142

The culprit is " ME_GEOCITIES_MANY 6 " and it seems that it was triggered by a single line containing a link to Geocities:

Code:

<A HREF="http://www.geocities.com/ResearchTriangle/Lab/1131/eng/safe.html" TARGET="other">
http://www.geocities.com/ResearchTriangle/Lab/1131/eng/safe.html</A>

Now, why would FM assign such a high score (6) to a Geocities link? I know it is a favourite spam hosting but there are legitimate users as well.

Rob, if you're reading it, please lower that score to something reasonable or, even better, adjust the SpamAssasin rule to not trigger on two URLs within a single <A HREF>.

Thank you.

[robmueller]

It was a bunch of rules I added a while back to catch the bloody geocities "watch" spam and other related stuff that was flooding inboxes for a while and ******* people off.

Here's the complete ruleset I added. Yes, it's all pretty arbitrary, but it did the job.

Code:

uri ME_GEOCITIES /\.geocities\./i
score ME_GEOCITIES 1.00

body __ME_GEOCITIES_WATCH /\b(?:watch|tag h[uer]+\b|cart[ier]+\b|wristwatch)/i
score __ME_GEOCITIES_WATCH 0.05
body __ME_GEOCITIES_CHRONO /\b(?:chronometers?|timekeepers?)\b/i
score __ME_GEOCITIES_CHRONO 0.05
body __ME_GEOCITIES_TIMEPIECE /\b(?:time ?pieces?|masterpieces?|swiss)\b/i
score __ME_GEOCITIES_TIMEPIECE 0.05
body __ME_GEOCITIES_CHIC /\b(?:chic|stainless steel|studded diamond|classic one|precious beauties|utterly delighted|sheer elegance|elegent|fashion|opulent|vogue)\b/i
score __ME_GEOCITIES_CHIC 0.05
body __ME_GEOCITIES_APPAREL /\b(?:apparel|accoutrements|)\b/i
score __ME_GEOCITIES_APPAREL 0.05

meta __ME_GEOCITIES_WATCHTERM (__ME_GEOCITIES_WATCH*2 + __ME_GEOCITIES_CHRONO*3 + __ME_GEOCITIES_TIMEPIECE*2 + __ME_GEOCITIES_CHIC*2 + __ME_GEOCITIES_APPAREL*2) >= 3
score __ME_GEOCITIES_WATCHTERM 0.05

body __ME_GEOCITIES_PRESCRIPTIONS /\b(?:prescriptions?)\b/i
score __ME_GEOCITIES_PRESCRIPTIONS 0.05
body __ME_GEOCITIES_DRUG /\b(?:drugs?|medical|remedy|health issues?|meds)\b/i
score __ME_GEOCITIES_DRUG 0.05

meta __ME_GEOCITIES_DRUGTERM (__ME_GEOCITIES_PRESCRIPTIONS*2 + __ME_GEOCITIES_DRUG*2) >= 2
score __ME_GEOCITIES_DRUGTERM 0.05

body __ME_GEOCITIES_DISCOUNT /\b(?:discount|min costs?|cost[- ]conscious|afford it|reasonable price|less money|spending less|bargain|economical|worry.{1,15}bills)/i
score __ME_GEOCITIES_DISCOUNT 0.05
body __ME_GEOCITIES_SATISFACTION /\b(satisfaction|satisfied|money[- ]back)\b/i
score __ME_GEOCITIES_SATISFACTION 0.05
body __ME_GEOCITIES_INVENTORY /\binventory\b/i
score __ME_GEOCITIES_INVENTORY 0.05
body __ME_GEOCITIES_SAFE /\b(safe|best service)\b/i
score __ME_GEOCITIES_SAFE 0.05
body __ME_GEOCITIES_AFFORDABLE /\bafford(?:able)\b/i
score __ME_GEOCITIES_AFFORDABLE 0.05
body __ME_GEOCITIES_STORE /\bstore\b/i
score __ME_GEOCITIES_STORE 0.05
body __ME_GEOCITIES_SHIP /\b(shipped|world wide)\b/i
score __ME_GEOCITIES_SHIP 0.05

meta __ME_GEOCITIES_MONEYTERM (__ME_GEOCITIES_DISCOUNT || __ME_GEOCITIES_SATISFACTION || __ME_GEOCITIES_INVENTORY || __ME_GEOCITIES_SAFE || __ME_GEOCITIES_AFFORDABLE
 || __ME_GEOCITIES_STORE || __ME_GEOCITIES_SHIP)
score __ME_GEOCITIES_MONEYTERM 0.05

meta ME_GEOCITIES_MANY ME_GEOCITIES && (__ME_GEOCITIES_WATCHTERM || __ME_GEOCITIES_DRUGTERM) && __ME_GEOCITIES_MONEYTERM
score ME_GEOCITIES_MANY 6.0

So to hit the rule, it has to have all of

1. A geocities link in it
2. A "watch" term or a "drug" term
3. A "money" term

I wonder what was in your newsletter that triggered it?

Rob

[ao1]

Quote:

Originally posted by robmueller
It was a bunch of rules I added a while back to catch the bloody geocities "watch" spam and other related stuff that was flooding inboxes for a while and ******* people off.

Here's the complete ruleset I added. Yes, it's all pretty arbitrary, but it did the job.

Still 6.0 is a disproportinally large score.

Quote:

Originally posted by robmueller
I wonder what was in your newsletter that triggered it?[/b]

See for yourself:
http://techsupportalert.com/issues/issue142.htm

Incidently, I have rules based on individual SA tags.
It would help if you could make your SA config available so I could check the criteria for those tags.

For example, one email that I got was marked with KAM_STOCKOTC and STRONG_BUY. I could not find the actual rules for these tags anywhere on the web.

Finally, quite a lot of email that I get (spam and non-spam) is marked with FORGED_RCVD_HELO.
A quick google check produced this:
http://www.mailarchives.org/list/spa...msg/2003/00001

[robmueller]

I've reduced the score, but it should be pretty easy to add the From address of the newsletter to your address book to whitelist it as well.

Rob

[robmueller]

All the scores we use are pretty standard. Either their base SA ones, or ones from sa-update, or from the SARE repository. Any ones we add ourselves we always prefix them with ME_

Rob