MONEY_FRAUD_3 rules in SpamAssassin have caused me all sorts of grief this morning so I thought I'd do a quick blog post here for Google to pick up to help anyone else who goes the same way.
The problem started when some email I was sending got scored as possible spam with a score of 2.367 thus:
As you can see it was only a bespoke rule of ours,
HUG_CLEAR2, which stopped the mail being scored 8.367 and being completely swallowed up by SpamAssassin.
HUG_CLEAR2 was added to cope with the fact that I'm sending mail with embedded images from an SMTP server on our home cable connection so with dynamic DNS and hence triggering
URIBL_BLOCKED. This particular email is also in HTML (spit!) so triggers
But this time the email had triggered three additional rules
LOTS_OF_MONEY and this caused me some problems unravelling. As you'll notice I've not hyperlinked to the appropriate document page as there isn't one for any of these in the list of rules. The only one that comes close is
In the end I ferreted about in
/usr/share/spamassassin and in
72_active.cf found the answer. The key to the riddle was
LOTS_OF_MONEY as the other two were only triggered if this was one. In turn that is actually a composite of six
Looking at the email there only one mention of money. It read:
he has raised £1,224.43 through JustGiving
Surely that wasn't enough to be regarded as "lots of money"? So I fired up my favourite perl regex tester and worked my way through them. I was suspicious of
__LOTSA_MONEY_00 but that was fine. It was
__LOTSA_MONEY_01 where I hit pay dirt. It uses this regex1:
The problem, if you can interpret that, is that it's saying you should match on a string of 7-22 numeric characters, where it defines "numeric" as "0"-"9", "O", "o", "," and ".". So even quite small values count if they use pence and commas. The solution seemed obvious: drop matching on ".".
So I added a modified rule to
Then just restarted
amavis and, ta da, all three rules disappeared from the mail and its score was now -4.29.
|Tags: linux, work||Written 28/10/14|
You can follow these posts on Twitter at @Wibblings