>I had several false positives today based on the BAD_X_HEADERS rule. I'm
>using the rules from Chris' site (Nov02). The legitimate emails had an
>"X-URL" header. All of the FPs where from a single mailing list. For what
>ever reason, they are providing a valid link to some content within this
>
L PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [SAtalk] [RD] simple rule for consumption
>Nope these are bogus. I have seperate rules for them in the last Rule
>Emporeum update. I used seperate, as they often are seen in pairs. Although
>I didn't tag X-Email, because I'm not sure about
> -Original Message-
> From: Regis Wilson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 22, 2003 1:14 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: [SAtalk] [RD] simple rule for consumption
*snip*
>
> Writing rules is
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
Santerre
Sent: Wednesday, October 22, 2003 8:21 AM
To: 'Regis Wilson'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] [RD] simple rule for consumption
Nope these are bogus. I have seperate rule
>Nope these are bogus. I have seperate rules for them in the last Rule
>Emporeum update. I used seperate, as they often are seen in pairs. Although
>I didn't tag X-Email, because I'm not sure about that one.
>
X-Email: is pretty spammy for me, so it is in there. I grepped my corpus for
X-headers
n [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 21, 2003 2:58 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] [RD] simple rule for consumption
>
>
> Recently had some false negatives come through. Most of them
> are one sentence
> saying hello, and a URL. I noticed some stran
Recently had some false negatives come through. Most of them are one sentence
saying hello, and a URL. I noticed some strange headers, listed here:
X-E:
X-I:
X-ENVID
X-Email
So I wrote a quickie rule and it catches about 126 spam per week.
header BAD_HEADERS ALL =~ /X-(?:E|Email|E
