Mailing List Archive

> warning: rule 'LOCAL_DRUGS_MALEDYSFUNCTION' is over 22 chars
>
>
> I'm assuming that everything else loaded up right, and my scores seem
> to be comparable in general on first glance. Also, there seems to be a
> speed improvement on spamd noticeable.
>
> That's it. Just thought it was interesting, and everybody writing or
> describing rules might want to parse their sets to make sure they fall
> within the boundaries of 50 or 22 characters that seem to be more
> mandatory.

Hmmm. Do you think this rule is more than 22 characters?
header LOCAL_OBFU_ONLY_PRSCRPTN_SUBJ Subject =~
/(?!\bprescription\b)(?:\bp|\B(?:[ý]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80))[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[rý]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[e3\*ý-ýý-ý]|\xC4[\x92-\x9B]|\xCE\x88|\xCE\x95|\xCE\xA3|\xCE\xAD|\xCE\xB5|\xD0\x81|\xD0\x95|\xD0\xB5|\xD1\x91)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[s5\$ý]|\xC5[\x9A-\xA1]|\xD0\x85|\xD1\x95|\xD5\x8F)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[c\*ýýýý]|\xC4[\x86-\x8D]|\xD0\xA1|\xD1\x81)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[rý]|\xC5[\x94-\x99]|\xD1\x93)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[il1:\|\*ý-ýý-ýý]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[pý]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[t\+]|\xC5[\xA2-\xA7]|\xCE\xA4|\xCF\x84|\xD0\xA2|\xD1\x82)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[il1:\|\*ý-ýý-ýý]|\xC4[\xA8-\xB0]|\xC4\xBA|\xC4\xBC|\xC4\xBE|\xC5\x80|\xC5\x82|\xC7[\x8F-\x90]|\xD0[\x86-\x87]|\xD1[\x96-\x97]|\xCE\x8A|\xCE\x90|\xCE\x99|\xCE\xAA|\xCE\xAF|\xCE\xB9|\xCF\x8A)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:[o0\*ýýýýý-ýý-ý]|\(\)|\[\]|\xC5[\x8C-\x91]|\xC6[\xA0-\xA1]|\xC7[\x91-\x92]|\xC7[\xBE-\xBF]|\xCE\x8C|\xCE\x98|\xCE\x9F|\xCE\xB8|\xCE\xBF|\xCF\x8C|\xD0\x9E|\xD0\xBE|\xD5\x95)[\x01-\x2F\\\^_`\|\x7F-\xA1\xA4-\xA8\xAB-\xAD\xAF-\xB1\xB4\xB7-\xBB\xBF\xF7]{0,2}(?:n\b|(?:[ýý]|\|\\\||\xC5[\x83-\x8B]|\xCE\x9D|\xCE\xA0|\xCE\xAE|\xCE\xB7|\xD5\xB2|\xD5\xB8)\B)/i



--
Chris Thielen

Easily generate SpamAssassin rules to catch obfuscated spam phrases
(0BFU$C/\TED SPA/\/\ P|-|RA$ES):
http://www.sandgnat.com/cmos/

THANK YOU!!!!

I think the 22 char is for rule name. Hmmm.....I'm glad we got this info
before we finished this next update! Very interesting......

--Chris

> -----Original Message-----
> From: Ben Hanson [mailto:ben@transprintusa.com]
> Sent: Friday, March 05, 2004 1:35 PM
> To: spamassassin-users@incubator.apache.org
> Subject: SpamAssassin 3.0 notes
>
>
> Here's an interesting note in advance for all the rule
> creators reading
> the list. I decided to test out the new 3.0 cvs code to see
> if it would
> behave on a test server I'm working on. In addition to
> requiring some
> basic configuration options being renamed or set up a bit
> differently, I
> discovered that when I lint my ruleset I get a massively long list of
> warning messages. most of them read like:
>
> warning: description for FVGT_s_OBFU_V is over 50 chars
> warning: description for T_RATWARE_OOPS_11 is over 50 chars
>
> or
>
> warning: score set for non-existent rule RCVD_IN_EFIVETEN
>
> or
>
> warning: rule 'LOCAL_DRUGS_MALEDYSFUNCTION' is over 22 chars
>
>
> I'm assuming that everything else loaded up right, and my
> scores seem
> to be comparable in general on first glance. Also, there
> seems to be a
> speed improvement on spamd noticeable.
>
> That's it. Just thought it was interesting, and everybody writing or
> describing rules might want to parse their sets to make sure
> they fall
> within the boundaries of 50 or 22 characters that seem to be
> more mandatory.
> Ben
>

On Fri, Mar 05, 2004 at 01:53:51PM -0500, Chris Santerre wrote:
> I think the 22 char is for rule name. Hmmm.....I'm glad we got this info
> before we finished this next update! Very interesting......

Yeah. It's 22 for rule name, 50 for description. The convention lengths
have been documented in 2.6x (look in the M::SA::Conf pod, "score" and
"describe"), but in 3.0, as reported, --lint will tell you if there are
rules that don't match.

--
Randomly Generated Tagline:
The random quantum fluctuations of my brain are historical accidents that
happen to have decided that the concepts of dynamic scoping and lexical
scoping are orthogonal and should remain that way.
-- Larry Wall in <199709021854.LAA12794@wall.org>

Theo Van Dinter <felicity@kluge.net> writes:

> Yeah. It's 22 for rule name, 50 for description. The convention lengths
> have been documented in 2.6x (look in the M::SA::Conf pod, "score" and
> "describe"), but in 3.0, as reported, --lint will tell you if there are
> rules that don't match.

Yes, note that 22+50=72, leaving 7 characters for scores and spacing to
fit everything on an 80 column MUA.

Daniel

--
Daniel Quinlan anti-spam (SpamAssassin), Linux,
http://www.pathname.com/~quinlan/ and open source consulting

From: "Chris Thielen" <cmt-spamassassin@someone.dhs.org>

> > warning: rule 'LOCAL_DRUGS_MALEDYSFUNCTION' is over 22 chars
> >
> >
> > I'm assuming that everything else loaded up right, and my scores seem
> > to be comparable in general on first glance. Also, there seems to be a
> > speed improvement on spamd noticeable.
> >
> > That's it. Just thought it was interesting, and everybody writing or
> > describing rules might want to parse their sets to make sure they fall
> > within the boundaries of 50 or 22 characters that seem to be more
> > mandatory.
>
> Hmmm. Do you think this rule is more than 22 characters?
> header LOCAL_OBFU_ONLY_PRSCRPTN_SUBJ Subject =~
Yes 1234567890123456789012 oops
> /(?!\bprescription\b)(?:\bp|\B(?:[ý]|\xCE\xA1|\xCF\x81|\xD0\xA0|\xD1\x80))

Regardless of the rest of the line the name is even over 22 characters.
If there is a limitation in 3.0 along that line it would be "nice" to
remove it unless there is a VERY exceptionally good reason for it.

{^_-}