First, five headers I've found only in spam.  There aren't many 
instances of them, but it should help:

# X-MailingID and X-ServerHost seem to only be used by a single
# spamming software, and are found together in the same message
header   X_MAIL_ID_PRESENT     X-MailingID =~ /./
describe X_MAIL_ID_PRESENT     Found an X-MailingID header

header   X_SERV_HOST_PRESENT   X-ServerHost =~ /./
describe X_SERV_HOST_PRESENT   Found an X-ServerHost header

header   X_X_PRESENT           X-x =~ /./
describe X_X_PRESENT           Found an X-x header

header   X_ENC_PRESENT         X-Encoding =~ /./
describe X_ENC_PRESENT         Found an X-Encoding header

# X-Fix example: NTMail fixed non RFC822 compliant EMail message
header   X_FIX_PRESENT         X-Fix =~ /./
describe X_FIX_PRESENT         Found an X-Fix header

=-=-=

I've seen a few spams that have JavaScript in a URI, so:

uri      JAVASCRIPT_URI        /^javascript:/i
describe JAVASCRIPT_URI        Javascript in an URI

=-=-=

Finally, I've seen a few spams that simply have a "#", and nothing else, as 
a URI, which is only really useful when using JavaScript tricks; this 
doesn't appear in any of my non-spam.

uri      URI_IS_POUND          /^\#$/
describe URI_IS_POUND          URI is just a pound; probably a JS trick

-- 
Visit http://dmoz.org, the world's   | Give a man a match, and he'll be warm
largest human edited web directory.  | for a minute, but set him on fire, and
                                     | he'll be warm for the rest of his life.
[EMAIL PROTECTED]  ICQ: 132152059 |

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
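
An added example, not part of the original post: a small offline harness that loads the seven rules above and counts their hits on labelled messages, the check to run against your own spam and ham before assigning scores. The parser, the href/src URI extraction (a simplification of SpamAssassin's own) and the sample messages are assumptions made for this illustration.

```python
import re
from collections import Counter
from email import message_from_string

RULES = r"""
header   X_MAIL_ID_PRESENT     X-MailingID =~ /./
header   X_SERV_HOST_PRESENT   X-ServerHost =~ /./
header   X_X_PRESENT           X-x =~ /./
header   X_ENC_PRESENT         X-Encoding =~ /./
header   X_FIX_PRESENT         X-Fix =~ /./
uri      JAVASCRIPT_URI        /^javascript:/i
uri      URI_IS_POUND          /^\#$/
"""
# Only the two rule forms used in the post are parsed.
RULE_RE = re.compile(r"^(header|uri)\s+(\w+)\s+(?:([\w-]+)\s+=~\s+)?/(.*)/(i?)$")
# Assumption: URIs come from href/src attributes only (simplified extraction).
HREF_RE = re.compile(r"""(?:href|src)\s*=\s*["']?([^"'\s>]+)""", re.I)

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        kind, name, hdr, pat, flag = RULE_RE.match(line.strip()).groups()
        rules.append((kind, name, hdr, re.compile(pat, re.I if flag else 0)))
    return rules

def hits(raw, rules):
    """Return the names of rules that fire on one single-part message."""
    msg = message_from_string(raw)
    uris = HREF_RE.findall(msg.get_payload())
    fired = []
    for kind, name, hdr, rx in rules:
        values = msg.get_all(hdr, []) if kind == "header" else uris
        if any(rx.search(v) for v in values):
            fired.append(name)
    return fired

def tally(corpus, rules):
    """Count hits per (rule, label) pair, label being 'spam' or 'ham'."""
    counts = Counter()
    for label, raw in corpus:
        counts.update((name, label) for name in hits(raw, rules))
    return counts

# Constructed sample messages, not taken from any real corpus.
CORPUS = [
    ("spam", "X-MailingID: 1234\nX-ServerHost: host.example\nSubject: a\n\n"
             '<a href="#">click</a>\n'),
    ("spam", 'Subject: b\n\n<a href="JavaScript:void(0)">open</a>\n'),
    ("ham",  'Subject: c\n\n<a href="http://example.com/doc#top">notes</a>\n'),
]
```

The ham sample contains a fragment link (`doc#top`) to show that the anchored `/^\#$/` pattern fires only when "#" is the whole URI; `tally(CORPUS, parse_rules(RULES))` returns the per-rule spam and ham counts.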
