Re: [SAtalk] Misc. rule ideas

2002-03-12 Thread Kerry Nice
Yeah, kerry_nice is part of [EMAIL PROTECTED] Whatever company that does these particular spams, they only address it To: [EMAIL PROTECTED], I'm the only recipient, and the subject is something like 'hello kerry_nice, get free stuff'. This one you can match the to and the subject, because gettin

Re: [SAtalk] Misc. rule ideas

2002-03-11 Thread Greg Ward
On 09 March 2002, Kerry Nice said: > #this one will only work for me, but if it there, it > is 100% GUARANTEED to be spam > #not sure how to make a general case for this > header KERRYSUBJECT Subject =~ /kerry_nice/ > describe KERRYSUBJECT Personalized subject for > Kerry based on email

Re: [SAtalk] Misc. rule ideas

2002-03-10 Thread Kerry Nice
For these particular customizations, the To: and the Subject will have the same name, with my address being the only one in the To and no CC addresses. These are the only two variations I find in my spam archive for these: To: [EMAIL PROTECTED] Subject: Hello, kerry_nice Absolutely Free Web-Ca

Re: [SAtalk] Misc. rule ideas

2002-03-09 Thread Matthew Cline
On Saturday 09 March 2002 09:39 pm, Rob McMillin wrote: > Kerry Nice wrote: > >#this one will only work for me, but if it there, it > >is 100% GUARANTEED to be spam > >#not sure how to make a general case for this > >header KERRYSUBJECT Subject =~ /kerry_nice/ > >describe KERRYSUBJECT

Re: [SAtalk] Misc. rule ideas

2002-03-09 Thread Rob McMillin
Kerry Nice wrote: >Here are some rules I added to my local.cf that seem >to be catching a few things. > >#Seems to be a broken bulk mail program that puts some >of the headers in the email body >rawbody MESSAGEIDINBODY /^Message-Id: ><.*\@message-Id>$/ >describe MESSAGEIDINBODY Distictive Mess

Re: [SAtalk] Misc. rule ideas

2002-03-09 Thread Kerry Nice
Here are some rules I added to my local.cf that seem to be catching a few things. #Seems to be a broken bulk mail program that puts some of the headers in the email body rawbody MESSAGEIDINBODY /^Message-Id: <.*\@message-Id>$/ describe MESSAGEIDINBODY Distictive Message ID in email body score

Re: [SAtalk] Misc. rule ideas

2002-03-08 Thread Bart Schaefer
On Thu, 7 Mar 2002, Matthew Cline wrote: > And now a bunch of spam matching rules: > > body READ_TO_END/read this (?:e-?mail )?to the end/i > describe READ_TO_ENDYou'd better read all of this spam! I see a lot of slight variation on It is important that you read t

Re: [SAtalk] Misc. rule ideas

2002-03-08 Thread Matt Sergeant
On Fri, 8 Mar 2002, David G. Andersen wrote: > Matthew Cline just mooed: > > First a few rules to match non-spam: > > > > body SIGNATURE_DELIM/^-- $/ > > describe SIGNATURE_DELIMStandard signature delimiter present > > > > While there would be no effort in faking this, it

Re: [SAtalk] Misc. rule ideas

2002-03-08 Thread Matthew Cline
On Friday 08 March 2002 12:42 am, Rob McMillin wrote: > Matthew Cline wrote: > >First a few rules to match non-spam: > > > > body SIGNATURE_DELIM/^-- $/ > > describe SIGNATURE_DELIMStandard signature delimiter present > > > >While there would be no effort in faking this, it m

Re: [SAtalk] Misc. rule ideas

2002-03-08 Thread David G. Andersen
Matthew Cline just mooed: > First a few rules to match non-spam: > > body SIGNATURE_DELIM/^-- $/ > describe SIGNATURE_DELIMStandard signature delimiter present > > While there would be no effort in faking this, it might take a while for some of the >spammers to catch o

Re: [SAtalk] Misc. rule ideas

2002-03-08 Thread Rob McMillin
Matthew Cline wrote: >First a few rules to match non-spam: > > body SIGNATURE_DELIM/^-- $/ > describe SIGNATURE_DELIMStandard signature delimiter present > >While there would be no effort in faking this, it might take a while for some of the >spammers to catch on. > I hav

Re: [SAtalk] Misc. rule ideas

2002-03-07 Thread Charlie Watts
On Thu, 7 Mar 2002, Matthew Cline wrote: > uri HTTPS_URL /https:\/\// > describe HTTPS_URL Spammers don't often use HTTPS > > Has anyone seen spam that uses an HTTPS URI? Yes, and it's not at all rare. 96 of 3200 messages in my recent-spam box have 'https' in t

[SAtalk] Misc. rule ideas

2002-03-07 Thread Matthew Cline
First a few rules to match non-spam: body SIGNATURE_DELIM/^-- $/ describe SIGNATURE_DELIMStandard signature delimiter present While there would be no effort in faking this, it might take a while for some of the spammers to catch on. uri HTTPS_URL /