how to wirte this kind of mcp rule

Dhawal Doshy dhawal at netmagicsolutions.com
Sun Jul 23 21:43:26 IST 2006 

Quoting Julian Field <MailScanner at ecs.soton.ac.uk>:

>
> On Sun23 Jul 06, at 15:31, ankush grover wrote:
>
>> On 7/23/06, Julian Field <MailScanner at ecs.soton.ac.uk> wrote:
>>>
>>> On Sun23 Jul 06, at 12:42, ankush grover wrote:
>>>
>>>> hey friends,
>>>>
>>>> I am using Postfix with MailScanner. For last 2 or 3 days I am
>>>> receiving lot of Spam a particular spam header or subject is
>>>> "VlzAGRA". This word is not alone in the header or subject there are
>>>> other words with it like "Re: efasfd VlzAGRA" it is become difficult
>>>> to add every subject coming with " VlzAGRA" to mcp list. How do I
>>>> write a mcp rule in such a way if there is a subject which contains
>>>> "VlzAGRA"   it should be marked as spam.
>>>>
>>>> I have written below rules but still I am getting the mails with
>>>> subject  "VlzAGRA" or "Re: VlzAGRA" in it.
>>>>
>>>> header   RULE26         Subject =~ /VlzAGRA/i
>>>> describe RULE26         Banned Subject
>>>> score    RULE26         10
>>>>
>>>> header   RULE27         Subject =~ /Re:zakeg VlzAGRA/i
>>>> describe RULE27         Banned Subject
>>>> score    RULE27         10
>>>>
>>>
>>> header RULE28   Subject =~ /VisAGRA/
>>>
>>> is all you need.
>>>
>> hey,
>>
>> Thanks for the reply. But if the subject is "Re:epykg VIzAGRA" then it
>> is not getting banned.
>>
>> What you have told me is already there in my rules set and I had only
>> put "i" at the end to make it case insensitive.
>>
>> What I want to know is how to stop any mail if the mail contains
>> "VIzAGRA" as one of the words in the subject ?
>
> You still need to add the "describe" and "score" lines as well, for it
> to be recognised and used by SpamAssassin. Give it a large score (e.g.
> 1000) and make sure your High Scoring Spam Actions include "delete" so
> that it gets removed by MailScanner.
>
> Sorry if that lot wasn't clear in my previous email, I didn't write the
> message very well :-(

just fyi, a similar mail hit the following rules at my site.. most  
rules are stock spamassasin 3.1.3 (afaik). Looks like you could  
benefit a lot from network tests.

4.00	BAYES_99	Bayesian spam probability is 99 to 100%
0.77	DIGEST_MULTIPLE	Message hits more than one network digest check
0.14	FORGED_RCVD_HELO	Received: contains a forged HELO
0.00	HTML_MESSAGE	HTML included in message
0.50	RAZOR2_CF_RANGE_51_100	Razor2 gives confidence level above 50%
1.50	RAZOR2_CF_RANGE_E8_51_100	Razor2 gives engine 8 confidence level  
above 50%
0.50	RAZOR2_CHECK	Listed in Razor2 (http://razor.sf.net/)
2.05	RCVD_IN_SORBS_DUL	SORBS: sent directly from dynamic IP address
1.46	RCVD_IN_SORBS_WEB	SORBS: sender is a abuseable web server
3.00	URIBL_BLACK	Contains an URL listed in the URIBL blacklist
1.64	URIBL_SBL	Contains an URL listed in the SBL blocklist
2.14	URIBL_WS_SURBL	Contains an URL listed in the WS SURBL blocklist

- dhawal

> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store !
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> MailScanner thanks transtec Computers for their support.
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list