David du SERRE-TELMON wrote on Mon, 9 Jun 2003 12:04:25 +0200:

> All spam I received which isn't detected by spam assassin contain only an
> URL in the body.
>

Your example is quite long ;-) The cryingrussians stuff has even less 
content since it's not in HTML and doesn't use the random strings. I fed 
them to Bayes and hope that it detects sooner or later.

> http://pgodir.com/p.pl?j=1367TnRJlBDA549097022HBsyecjr1490.html";
>

I haven't seen any of those except for this one, but you could try to 
detect this "/p.pl?" I think?

What I usually do if I see spam which is almost non-detectable from content 
is look in the headers if there's anything typical about them. F.i. many 
spams which slipped thru until recently (because they are blocked now) 
tried to pretend that they come from the server itself by using a forged 
Received line which has the IP address of the server as the server host 
name. These can easily be detected but you can't add a rule for this to the 
SA distribution because you have to use your local IP there.

Kai

-- 

Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org





-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to