Re: spamassassin rules for swen? OT: mailfilter

[Naota <naota@tampabay.rr.com>]

Michael A. Miller wrote:
> > > > > > "Amal" == Amal Phadke <NOSPAM@NOSUCHHOST.hydrodyn.org> writes:
>
>
>     > I am currently using combination of Spamassassin and access
>     > control via /etc/mail/access (I use sendmail) with good
>     > success. Now "MS Patches" are down to one or two per
>     > day. Before I used to get about 80 or more in a day.
>
> What spamassassin rules are you using for swen?  After googling
> for a while, I assembled the following rules that seem to work
> pretty well.  But I wonder if there is something more elegant
> that I could do.  For example, I expect this message to get
> scored high when spamassassin sees the body ;-)
>
> Mike
>
>
> score MICROSOFT_EXECUTABLE +5
>
> body  SWENVIRUS          /allow an malicious user to run code on your computer/
> score SWENVIRUS          +5.5
>
> body  SWENVIRUS2         /Microsoft C.*mer/i
> score SWENVIRUS2         +2
>
> body  SWENVIRUS3         /You don't need to do anything after installing this item/i
> score SWENVIRUS3         +2
>
> header SWENHEADER        Subject =~ /Microsoft Critical/i
> score  SWENHEADER        +2
>
> header SWENHEADER2       Subject =~ /New Microsoft Security Update/i
> score  SWENHEADER2       +2
For mailfilter, I block all of the swen shit by doing

DENY<>^(To|Cc):.*(name1|name2|name3)@tampabay\.rr\.com

Be sure to have this somewhere in the .mailfilterrc file, also:

REG_TYPE = extended

Yeah, the default is REG_TYPE = basic.
I noticed that the swen doesn't tend to send directly to me, so that 
rule above helps alot.  Just to make sure though, I DENY things like MS 
Micrisoft, alert, error advice, etc.

Cheers.