On Mon, 11 Mar 2002, Matthew Cline wrote: > On Monday 11 March 2002 08:24 pm, Michael Moncur wrote: > > > I think that would be a great addition to SA, although I see more virus > > emails formatted like that than actual spam. I'm trying the following in my > > custom rules file: > > > > rawbody HTML_FRAMES /<i?frame /i > > describe HTML_FRAMES HTML with an embedded frame > > score HTML_FRAMES 4.0 > > Already there: > > # many spammers seem to do this nowadays (and probably track > # their customers with it). (contrib: WW) > rawbody RELAYING_FRAME /<frame\b[^>]+\bsrc=[3D=\s"']*http:\/\//is > describe RELAYING_FRAME Frame wanted to load outside URL > > Though it doesn't detect iframes yet...
RELAYING_FRAME doesn't catch the case where the content was sent along with the message; only http. Not sure that matters ... This is possibly showing the continual corpus nerd-mail problem, but /<i?frame /i doesn't match -anything- in my non-spam boxes. It only matches a -small- number of things in the spambox, too. At the very least, changing RELAYING_FRAME TO: rawbody RELAYING_FRAME /<i?frame\b[^>]+\bsrc=[3D=\s"']*https?:\/\//is would be worthwile; That matches several that the existing rule doesn't. Then again, those that it matches ... are already in the spam corpus. Did I see mention of: uri HTTP_CTRL_CHARS_HOST /^https\:\/\/[^\/]*[\x00-\x08\x0b\x0c\x0e-\x1f]/ the other day? That should probably be: uri HTTP_CTRL_CHARS_HOST /^https?\:\/\/[^\/]*[\x00-\x08\x0b\x0c\x0e-\x1f]/ -- Charlie Watts [EMAIL PROTECTED] Frontier Internet, Inc. http://www.frontier.net/ _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
