[Mimedefang] Fw: [Sare-users] Spam with numbers in subj and body

[Jan-Pieter Cornet]

On Wed, Jun 07, 2006 at 12:02:36PM -0400, Kevin A. McGrail wrote:
> >>body            __KAM_NUMBER2   /\d{1,6}/
> >
> >Same here: a wildcard at the end isn't useful, your match isn't
> 
> I still haven't received enough of the emails to further check but I 
> believe the rule as it stands *in combination* with the other rules is 
> adequate as-is.

Maybe, but that says more about the other rules, especially the
numeric-only subject is pretty limiting.

That __KAM_NUMBER2 test is identical to: "body NAME /\d/", or
it matches every mail that contains a number in the body. Now I'm
obviously in the wrong domain to perform a good test on that, but
just as an example I took the archives of this mailinglist as far
as I had it online, and I found 7881 matching messages out of
8860 (89%), while in some pseudo-random sampling of spam I have
here, it's 4678 messages out of 5112 (91.5%).

You can't really compare those numbers further because the list
archive goes back a lot further than the spam archive, but even
then... the numbers above already show that this test, in itself,
has an extremely high FP ratio. This test is not adding anything
decisive to your tests.

-- 
Jan-Pieter Cornet <johnpc at xs4all.nl>
!! Disc lamer: The addressee of this email is not the intended recipient. !!
!! This is only a test of the echelon and data retention systems. Please  !!
!! archive this message indefinitely to allow verification of the logs.   !!