ADVANCE_FEE_2_NEW_MONEY ...

... and MONEY_FRAUD_3 rules in SpamAssassin have caused me all sorts of grief this morning so I thought I'd do a quick blog post here for Google to pick up to help anyone else who goes the same way.

The problem started when some email I was sending got scored as possible spam with a score of 2.367 thus:

X-Spam-Status: Yes, score=2.367 tagged_above=-999 required=2 tests=[ADVANCE_FEE_2_NEW_MONEY=2.257, DYN_RDNS_AND_INLINE_IMAGE=1.344, HTML_MESSAGE=0.001, HUG_CLEAR2=-6, LOTS_OF_MONEY=0.001, MONEY_FRAUD_3=4.399, RCVD_IN_SORBS_DUL=0.001, RDNS_DYNAMIC=0.363, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no

As you can see it was only a bespoke rule of ours, HUG_CLEAR2, which stopped the mail being scored 8.367 and being completely swallowed up by SpamAssassin. HUG_CLEAR2 was added to cope with the fact that I'm sending mail with embedded images from an SMTP server on our home cable connection so with dynamic DNS and hence triggering DYN_RDNS_AND_INLINE_IMAGE, RCVD_IN_SORBS_DUL and URIBL_BLOCKED. This particular email is also in HTML (spit!) so triggers HTML_MESSAGE.

But this time the email had triggered three additional rules, ADVANCE_FEE_2_NEW_MONEY, MONEY_FRAUD_3 and LOTS_OF_MONEY, and this caused me some problems unravelling. As you'll notice I've not hyperlinked to the appropriate document page as there isn't one for any of these in the list of rules. The only one that comes close is ADVANCE_FEE_2.

In the end I ferreted about in /usr/share/spamassassin and in 72_active.cf found the answer. The key to the riddle was LOTS_OF_MONEY as the other two were only triggered if this one was. In turn that is actually a composite of six replace_rules named __LOTSA_MONEY_00 through __LOTSA_MONEY_05.

Looking at the email there was only one mention of money. It read:

he has raised £1,224.43 through JustGiving

Surely that wasn't enough to be regarded as "lots of money"? So I fired up my favourite perl regex tester and worked my way through them. I was suspicious of __LOTSA_MONEY_00 but that was fine. It was __LOTSA_MONEY_01 where I hit pay dirt. It uses this regex [1]:

/(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?\d[\d.,\sOo]{5,20}[\dOo](?<!\.00)/

The problem, if you can interpret that, is that it's saying you should match on a string of 7-22 numeric characters, where it defines "numeric" as "0"-"9", "O", "o", "," and ".". So even quite small values count if they use pence and commas. The solution seemed obvious: drop matching on ".".

So I added a modified rule to /etc/spamassassin/local.cf thus:

body __LOTSA_MONEY_01 /(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)[\s\.]?\d[\d,\sOo]{5,20}[\dOo](?<!\.00)/

Then just restarted amavis and, ta da, all three rules disappeared from the mail and its score was now -4.29.

  1. Another regex defines <CURRENCY> so that it matches with £.
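
An added example, not part of the original post and not SpamAssassin's own code: a small Python harness (Python's re standing in for Perl here) that runs the stock __LOTSA_MONEY_01 pattern and the local.cf override over a few bodies. The <CURRENCY> stand-in and every sample except the JustGiving line are constructed assumptions; the last sample shows what the override gives up, namely amounts that use "." as a thousands separator.

```python
import re

# Assumption: stand-in for SpamAssassin's <CURRENCY> tag. The post only says
# the real definition matches "£"; this is not the shipped definition.
CURRENCY = r"(?:£|\$)"

# __LOTSA_MONEY_01 as quoted in the post, and the local.cf override with "."
# dropped from the middle character class.
ORIGINAL = (r"(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)"
            r"[\s\.]?\d[\d.,\sOo]{5,20}[\dOo](?<!\.00)")
MODIFIED = (r"(?:(?i:sum\sof\s)[\(\[]?|<CURRENCY>\s?)"
            r"[\s\.]?\d[\d,\sOo]{5,20}[\dOo](?<!\.00)")

# Sample bodies: the first is the line from the post, the rest are constructed.
SAMPLES = [
    "he has raised £1,224.43 through JustGiving",
    "your invoice total is £12.50",
    "we hold the sum of 25,000,000 in your name",
    "wire £1.500.000 to the account",
]


def compile_rule(template):
    """Expand the <CURRENCY> placeholder and compile the rule body."""
    return re.compile(template.replace("<CURRENCY>", CURRENCY))


def matched_text(template, body):
    """Return the substring the rule fires on, or None if it does not fire."""
    m = compile_rule(template).search(body)
    return m.group(0) if m else None


def compare(samples=SAMPLES):
    """Return (body, original_match, modified_match) for each sample."""
    return [(s, matched_text(ORIGINAL, s), matched_text(MODIFIED, s))
            for s in samples]


if __name__ == "__main__":
    for body, before, after in compare():
        print(f"{body!r}\n  original: {before!r}\n  modified: {after!r}")
```

After changing local.cf, `spamassassin --lint` checks that the configuration still parses before amavis is restarted.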

Tags: linux, work
Written 28/10/14
