Tue May 25 05:58:51 PST 2004 -- masscheck.27.sh -- beginning test of 70_sare_highrisk.cf

Section 1 -- Emails flagged as spam

Spam identified as spam by these rules: 0 of 67434
Ham identified as spam by these rules: 0 of 22007

Section 2 -- Rules tested

# SARE High Risk Ruleset for SpamAssassin
# Version: 00.01.00
# Created: 2004-05-19
# Modified: 2004-05-19
# Changes: Created new rule set with high risk rule from spoof.cf
# License: Artistic - see http://www.rulesemporium.com/license.txt
# Current Maintainer: Bob Menschel - highrisk@rulesemporium.com
# Current Home: http://www.rulesemporium.com/rules/70_sare_highrisk.cf
#
# This rule set is reserved for rules that seem to be very promising,
# but which have a very high risk of false positives. Only the most
# aggressive sites which actively scan for false positives should use
# these rules.

###########################################################################
# Generic tests used to identify potential ham
###########################################################################

header __SARE_EXIST_XAPPTO exists:X-Apparently-To
header __SARE_EXIST_XORIGIP exists:X-Originating-IP
header __SARE_EXIST_XSNDR exists:X-Sender
header __SARE_PREC_BULK Precedence =~ m'bulk'

###########################################################################
# Tests specific to Yahoo Groups mailing lists
###########################################################################

header __SARE_EXIST_XYPROF exists:X-Yahoo-Profile
header __SARE_EXIST_YGRMTIP exists:X-eGroups-Remote-IP
header __SARE_YG_MAILLIST Mailing-List =~ m'list (\w+)\@yahoogroups\.com; contact \1-owner\@yahoogroups\.com'
header __SARE_YG_MSGID Message-ID =~ m'<.{10,}\@eGroups\.com>'
header __SARE_YG_UAGENT User-Agent =~ m'eGroups'
header __SARE_YG_UNSUB List-Unsubscribe =~ m''
header __SARE_YG_XEGRTN X-eGroups-Return =~ m'\@returns.groups.yahoo.com'
header __SARE_YG_XMAILER X-Mailer =~ m'Yahoo Groups Message Poster'

###########################################################################
# SARE_HIRISK_FORGED_ATT
###########################################################################
# This rule is like the spoof records found in SARE's spoof.cf rule set,
# except that emails which match this rule do not claim to be from a specific
# company (eg: PayPal or Ebay), but instead claim to be from some individual
# ISP user within the AT&T domain.
# Since such users can easily send emails through Yahoo Groups webmail interfaces
# and similar systems, we cannot state that emails from the AT&T domains must
# come from some AT&T computer system.
# We attempt here to exclude the known webmail and similar sources such emails
# could come from, but we're confident we have not been able to list them all.

header __SARE_HIRISK_FROM_ATT From =~ /\@(?:(?:worldnet|broadband|aetrs\.cmd)\.)?att.(?:net|com)/i
header __SARE_HIRISK_ATT_MSGI MESSAGEID =~ /att\.(?:com|net)/
header __SARE_HIRISK_ATT_RCVD Received =~ /att\.(?:net|com)/
header __SARE_HIRISK_ATT_RTN Return-path =~ /att\.(?:net|com)\>/
header __SARE_HIRISK_FROM_AT2 From =~ /\@(?:att[-._].*|.*[-._]att\..*)(?:com|net)/i
meta SARE_HIRISK_FORGED_ATT ( __SARE_HIRISK_FROM_AT2 && !__SARE_HIRISK_ATT_RCVD && !__SARE_HIRISK_ATT_MSGI && !__SARE_HIRISK_ATT_RTN && !__SARE_EXIST_XAPPTO && !__SARE_EXIST_XORIGIP && !__SARE_EXIST_XSNDR && !__SARE_PREC_BULK && !__SARE_EXIST_XYPROF && !__SARE_EXIST_YGRMTIP && !__SARE_YG_MAILLIST && !__SARE_YG_MSGID && !__SARE_YG_UAGENT && !__SARE_YG_UNSUB && !__SARE_YG_XEGRTN && !__SARE_YG_XMAILER )
score SARE_HIRISK_FORGED_ATT 1.088
#counts SARE_HIRISK_FORGED_ATT 192s/1h of 93110 corpus (71306s/21804h) 05/20/04
#hist SARE_HIRISK_FORGED_ATT Enhanced by Bob Menschel May 20 2004 to avoid many Yahoo Groups ham hits
#ham SARE_HIRISK_FORGED_ATT Hits emails sent by online feedback email forms that send "from" correspondent but on recipient's domain
#note SARE_HIRISK_FORGED_ATT Those with such email forms within their domain should add rule to apply negative score to such emails.

Section 3 -- Frequencies Log
(First numeric frequencies, followed by percentage frequencies)

OVERALL SPAM HAM S/O SCORE NAME
89441 67434 22007 0.754 0.00 0.00 (all messages)
165 164 1 0.982 0.00 1.09 SARE_HIRISK_FORGED_ATT

OVERALL% SPAM% HAM% S/O RANK SCORE NAME
89441 67434 22007 0.754 0.00 0.00 (all messages)
100.000 75.3950 24.6050 0.754 0.00 0.00 (all messages as %)
0.184 0.2432 0.0045 0.982 0.00 1.09 SARE_HIRISK_FORGED_ATT

Section 4 -- Recommended Scores and Hit Log

Required Hits = 5

#counts SARE_HIRISK_FORGED_ATT 164s/1h of 89441 corpus (67434s/22007h) 05/25/04
SARE_HIRISK_FORGED_ATT -- suggested score: 1.011 (of 5)

Ham Matches:

Tue May 25 06:40:30 PST 2004 -- masscheck.27.sh -- completed test of 70_sare_highrisk.cf