David du SERRE-TELMON wrote on Mon, 9 Jun 2003 12:04:25 +0200:

> All spam I received which isn't detected by spam assassin contains only a
> URL in the body.
>

Your example is quite long ;-) The cryingrussians stuff has even less content since it's not in HTML and doesn't use the random strings. I fed them to Bayes and hope that it detects them sooner or later.

> http://pgodir.com/p.pl?j=1367TnRJlBDA549097022HBsyecjr1490.html"
>

I haven't seen any of those except for this one, but you could try to detect this "/p.pl?" I think?

What I usually do if I see spam which is almost non-detectable from content is look in the headers if there's anything typical about them. For instance, many spams which slipped through until recently (because they are blocked now) tried to pretend that they come from the server itself by using a forged Received line which has the IP address of the server as the server host name. These can easily be detected but you can't add a rule for this to the SA distribution because you have to use your local IP there.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org

_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
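The header check described in the message above, as an added example that is not part of the original post or of SpamAssassin: it flags Received headers whose "from" name is the receiving server's own IP while the connecting peer is some other host. The `LOCAL_IPS` value, the Postfix-style Received layout, the function name and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: the receiving server's own address (RFC 5737 documentation range).
LOCAL_IPS = {"192.0.2.10"}

# Assumed Postfix-style layout: "from <helo> (<rdns> [<peer-ip>]) by ..."
RECEIVED_RE = re.compile(
    r"^from\s+\[?(?P<helo>[^\s\]]+)\]?"  # announced name, possibly an [IP literal]
    r"(?:\s+\((?:[^()\[\]]*\[(?P<peer>[0-9a-fA-F.:]+)\])?[^()]*\))?"
)

def forged_local_helo(raw_message, local_ips=LOCAL_IPS):
    """Return Received headers that name one of our own IPs as the sending
    host although the connecting peer is not this server."""
    msg = message_from_string(raw_message)
    hits = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.match(value)
        if not m or m.group("helo") not in local_ips:
            continue
        peer = m.group("peer")  # None when the header records no peer address
        # Mail the server hands to itself legitimately carries its own IP.
        if peer in local_ips or peer == "127.0.0.1":
            continue
        hits.append(value)
    return hits

# Constructed sample: one forged hop, one ordinary relay, one local hand-off.
SAMPLE = (
    "Received: from 192.0.2.10 (unknown [203.0.113.77])\n"
    "\tby mail.example.org (Postfix) with SMTP id 1A2B3C;\n"
    "\tMon, 9 Jun 2003 12:00:00 +0200\n"
    "Received: from mx.example.net (mx.example.net [198.51.100.5])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 4D5E6F;\n"
    "\tMon, 9 Jun 2003 11:59:00 +0200\n"
    "Received: from [192.0.2.10] (localhost [127.0.0.1])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 7A8B9C;\n"
    "\tMon, 9 Jun 2003 11:58:00 +0200\n"
    "Subject: constructed sample\n"
    "\n"
    "http://example.invalid/\n"
)

if __name__ == "__main__":
    for header in forged_local_helo(SAMPLE):
        print("forged local HELO:", header)
```

Because `LOCAL_IPS` is site-specific, a check like this has to live in local configuration, which matches the point made in the message about not being able to ship such a rule in the distribution.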