How about:

body CORRECT_FOR_EXCHANGE       /This message is in MIME format/
score CORRECT_FOR_EXCHANGE      -2.6
describe CORRECT_FOR_EXCHANGE   Correct for MIME 'null block'

C

On Sun, 2002-02-03 at 19:59, Jason Haar wrote:
    Email from our Exchange server is tallying up the score points in SA faster
    than it should.
    
    All the MIME messages contain the phrase:
    
    -------
    <headers>
    MIME-Version: 1.0
    
    This message is in MIME format. Since your mail reader does not understand
    this format, some or all of this message may not be legible.
    
    ------_=_NextPart_000_01C1AD26.0305AA70
    -------
    
    That's causing a score like:
    
    X-Spam-Report:   6.35 hits, 5 required;
      *  1.0 -- From: contains numbers mixed in with letters
      *  2.8 -- Message text disguised using base-64 encoding
      *  1.6 -- Contains phrases frequently found in spam
                [score:  21, hits: this message, your]
            [mail]
      *  1.0 -- spam-phrase score is over 20
    
    
    Could SA recognise that those phrases are occurring in the MIME "null block"
    before the message actually begins? In fact, anything could be valid in
    there as MIME MUA users never see that area these days...
    
    [hmm, great way of sneaking stuff out... ;-)]
    
    -- 
    Cheers
    
    Jason Haar
    
    Information Security Manager
    Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
    
    _______________________________________________
    Spamassassin-talk mailing list
    [EMAIL PROTECTED]
    https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
    
    
    
    

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to