On Thu, 2021-06-17 at 17:10 -0700, Loren Wilton wrote:
> A number of the rules I passed along are generic "order" rules rather
> than Amazon specific. I had to go back to last month's spam to find an
> Amazon order spam, but I've gotten a dozen or so fake orders for other
> things this month, all of which hit on the LW_BOGUS_ORDER rule.

I'm not at all surprised about that: several years back when I was on
the Wine mailing list I was getting a lot of sales spam from it.
Unsurprising: Wine uses a combined web forum and mailing list where
emails get posted to the web forum and vice versa, and if almost anybody
can join the web forum, then the mailing list will be rather spammy.

Anyway, I ended up developing a number of rules to deal with this:
typically they are sets of two or more subrules plus a linking meta-
rule. Both subrules are long lists of alternates, one containing, say
'sales phrases' (including misspellings, odd word order and
obfuscations) and the other containing product names and descriptions.
Other pairings that work have been bank names and financial terms where
the sender's address doesn't match the Message ID, endearments combined
with sex terms, or web commerce sites and invoices.

The good thing about rules like this is, as Loren also found, that they
will quite often correctly match spam from sources or containing phrase
combinations you've never seen before. Their only disadvantage is
maintaining them: a lengthy alternates list is difficult to maintain
with the usual text editors, so I ended up writing a reformatting tool
which takes a file containing rule names, scores, descriptions etc, and
with the elements in each list of regex alternates on separate lines.
This makes for a file that's easy to edit, and is fairly easy to convert
into the small set of lines that define a valid SA rule.

I wrote my converter as an awk script, but it can be written in almost
any language, e.g. C, Java, Perl or even (if you must) BASIC or

PS: I realise many list regulars have seen all this stuff before, but
there are a number of new arrivals who won't have seen it and may find
it useful and/or get new ideas from it.
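
A sketch of the kind of converter described in the message above, as an added example that is not the poster's awk script. The editable file layout, the rule names (EX_*), the score and the `\b(?:...)\b` wrapper with `/i` are all assumptions made for illustration; only the `body`, `meta`, `score` and `describe` keywords are SpamAssassin's own.

```python
import re

# Constructed sample in a hypothetical editable layout: "body NAME" opens a
# list, each indented line is one regex alternate, other lines pass through.
SAMPLE = r"""
body __EX_SALES_PHRASE
    special\s+offer
    best\s+pri[cs]e

body __EX_PRODUCT
    hand\s*bags?
    w[a@]tch(?:es)?

meta     EX_SALES_SPAM (__EX_SALES_PHRASE && __EX_PRODUCT)
score    EX_SALES_SPAM 2.5
describe EX_SALES_SPAM Sales phrase combined with a product name
"""

def convert(text):
    """Fold each alternates list into a single SpamAssassin body rule line."""
    out, name, alts = [], None, []
    def flush():
        nonlocal name, alts
        if name is not None:
            if not alts:
                raise ValueError(f"{name}: empty alternates list")
            out.append(f"body {name} /\\b(?:{'|'.join(alts)})\\b/i")
        name, alts = None, []
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue                               # blank line or comment
        if line[0].isspace():                      # indented: one alternate
            alt = line.strip()
            if name is None:
                raise ValueError(f"line {num}: alternate outside a list")
            if re.search(r"(?<!\\)/", alt):        # would end the /.../ early
                raise ValueError(f"line {num}: unescaped '/' in {alt!r}")
            if alt in alts:
                raise ValueError(f"line {num}: duplicate alternate {alt!r}")
            alts.append(alt)
            continue
        flush()                                    # a new directive closes a list
        parts = line.split(None, 2)
        if parts[0] == "body" and len(parts) == 2:
            name = parts[1]                        # alternates follow
        else:
            out.append(" ".join(parts))            # meta/score/describe as written
    flush()
    return "\n".join(out) + "\n"
```

Calling `convert(SAMPLE)` returns the two unscored `__` subrules, each folded onto one line, followed by the meta-rule, score and description lines.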