Micah Anderson wrote:
> Joseph Brennan writes:
>> /Dear .{0,12}(web ?mail|columbia\.edu)/i
>> /Password.{0,10}\([\s\.\*\_]+\)/
>> /you must reply to this email/i
>> Reply-to =~ /\@live\.com/

> I'm new at writing custom rules, so I am trying to figure out the best
> way to do this. Would it be better to make a different rule for each one
> of these, or would it be better to make a meta-rule? My guess is it's
> better to make a meta-rule, but that means that each rule must hit in
> order to get the larger score, versus some of the individual rules
> hitting and adding up to the larger score. The meta-rule seems good
> because it describes a full profile phishing email that must be met, but
> it seems bad because one tweak of the phish would result in the
> meta-rule not matching overall. I suppose this is the point of the
> arithmetic meta-rule possibility, however I'm puzzled at the best
> mechanism to choose. Any advice would be appreciated.

My thinking is that lots of low-scoring rules are better than one
high-scoring rule. You can, however, combine the two techniques with
metarules, whereby if 3 or more single low-scoring rules are met, a
metarule adds an additional score just for good measure.

> Once I figure out the best way to match these, I need a good way to
> determine what I should score these, the rule-writing documentation
> suggests starting at 0.1 and then moving it up as you test it, and
> suggests extreme caution scoring a custom rule over 1, however it seems
> like these would be better scored higher than that.

That depends on how specific your rules are. Try to write rules for
phrases rather than single words. If the phish are specific to you, then
it shouldn't be too difficult to write rules to specifically catch them.
If/when the phishers tweak the phish, then you'll need to tweak your rules.

Look at the emails with an analytical eye - what giveaway signs tell you
that they are spam? Then try to write rules to detect what you see.

>> The first of course is partly local to us. Another useful local rule
>> is to check for the uri of your own webmail.

> Yeah, I'll make a uri rule for that and probably add that to the
> meta-rule.
> Thanks for any advice,
> micah
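
As an added illustration, and not part of this thread or any poster's own
rules, here is what the combination suggested above (several low-scoring
phrase rules plus an arithmetic metarule that fires when any three of
them hit) could look like in a local SpamAssassin .cf file. The patterns
are the ones Joseph posted; the rule names, the scores, and the webmail
hostname webmail.example.edu are assumptions made for the example.

```spamassassin
# Added example: local.cf fragment combining several low-scoring rules
# with an arithmetic meta rule. Rule names, scores and the hostname
# webmail.example.edu are assumptions for the example, not from the thread.

# Phrase-level body rules. Each one alone is weak evidence, so score it low.
body     LOCAL_PHISH_DEAR        /Dear .{0,12}(web ?mail|columbia\.edu)/i
describe LOCAL_PHISH_DEAR        Phish-style salutation naming webmail or the domain
score    LOCAL_PHISH_DEAR        0.5

body     LOCAL_PHISH_PASSWORD    /Password.{0,10}\([\s\.\*\_]+\)/
describe LOCAL_PHISH_PASSWORD    "Password (.....)" fill-in blank in the body
score    LOCAL_PHISH_PASSWORD    0.5

body     LOCAL_PHISH_MUSTREPLY   /you must reply to this email/i
describe LOCAL_PHISH_MUSTREPLY   Demands that the reader reply by email
score    LOCAL_PHISH_MUSTREPLY   0.5

# Header rule: Reply-To pointing at a free webmail provider.
header   LOCAL_PHISH_REPLYTO     Reply-To =~ /\@live\.com/i
describe LOCAL_PHISH_REPLYTO     Reply-To address at live.com
score    LOCAL_PHISH_REPLYTO     0.5

# URI rule: our own webmail address appearing in a message body.
# Legitimate internal mail may contain it too, so keep the score low.
uri      LOCAL_PHISH_WEBMAIL_URI /^https?:\/\/webmail\.example\.edu\//i
describe LOCAL_PHISH_WEBMAIL_URI Mentions our own webmail URL
score    LOCAL_PHISH_WEBMAIL_URI 0.3

# Arithmetic meta rule: each hit counts as 1, so this fires when any three
# or more of the five indicators are present, not only when all five are.
# A tweaked phish that drops one or two indicators still trips it.
meta     LOCAL_PHISH_COMBO       (LOCAL_PHISH_DEAR + LOCAL_PHISH_PASSWORD + LOCAL_PHISH_MUSTREPLY + LOCAL_PHISH_REPLYTO + LOCAL_PHISH_WEBMAIL_URI) >= 3
describe LOCAL_PHISH_COMBO       Three or more local phish indicators together
score    LOCAL_PHISH_COMBO       2.5
```

With these assumed scores, three body hits plus the meta rule add 4.0 to
the message, which is deliberately just under the default 5.0 threshold
so that the stock rules still have to contribute something; raise the meta
score if your own samples show the combination never hits legitimate
mail. After adding the file, run `spamassassin --lint` to catch syntax
errors, then feed saved samples through `spamassassin -t < message.eml`
to see which of the rules fire and what the total comes to before
settling on the scores.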