That PGP sig buried in HTML sticks out like a sore thumb.
Even better, if you check my post from 6/14, most of these have a PGP signature block, but are without a "begin pgp signed message" block..
Try this meta rule pair for a starter. I can't guarantee that it doesn't have FP cases, but it seems to do the trick for many of these spams.
------------------------
body __LOCAL_PGP_SIGNED_MESSAGE /-----BEGIN PGP SIGNED MESSAGE-----/
meta LOCAL_PGP_SIGNATURE_ABUSED PGP_SIGNATURE && !__LOCAL_PGP_SIGNED_MESSAGE
score LOCAL_PGP_SIGNATURE_ABUSED 4.6
Note: i used 4.6 as a score for this, to effectively flip the -2.3 of the PGP_SIGNATURE rule into a +2.3. It's still not enough to tag the message, but it's a start.
------------------------------------------------------- This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
