Found a spam today which passed; it didn't reach required hits. I fixed that with a couple of specific rules, and also found what may be a decent generic rule, a rule that wasn't kicked off in 2.55 (my apologies if this rule exists in 2.60).
The pattern is that a Received header points to an IP address, rather than a domain name. This isn't a sure sign of spam, since my own emails sometimes happen to have this characteristic -- apparently generated by my mail client, my ISP, or maybe my DSL router because I'm behind that DSL router with NAT protection. Because of this, it can't get a high score, but a low positive score indicative of possible spam may be appropriate. When run against my corpus, it matched 60 spam and 3 ham (two of which were from me to another email address I participate in).

My proposed rule:

header   L_hr_HeloIP  Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
describe L_hr_HeloIP  Received has helo=IP - may be spam, or may be DSL router w/nat
score    L_hr_HeloIP  0.5

Bob Menschel

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
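
Added example, not part of the original post: a small Python harness that runs the posted pattern over constructed Received headers to show which helo= forms it does and does not catch. The STRICT pattern, the sample headers and the function names are assumptions made for illustration, not anything from the post or from SpamAssassin.

```python
import re

# The pattern exactly as posted (Perl's /i flag becomes re.IGNORECASE).
POSTED = re.compile(r"helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}", re.I)

# Hypothetical stricter variant (an assumption, not from the post): each
# octet must be 0-255 and the dotted quad must end the HELO token, so a
# hostname that merely begins with four numeric labels is not counted.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
STRICT = re.compile(r"helo=" + OCTET + r"(?:\." + OCTET + r"){3}(?=[\s)]|$)", re.I)

# Constructed Received header bodies (documentation address ranges only).
SAMPLES = [
    # bare IP as the HELO argument: the case the rule is aimed at
    "from [192.0.2.10] (helo=192.0.2.10) by mx.example.org with smtp",
    # ordinary hostname HELO
    "from mail.example.net ([198.51.100.7] helo=mail.example.net) by mx.example.org with esmtp",
    # hostname that starts with a dotted quad (common ISP naming scheme)
    "from [203.0.113.5] (helo=203.0.113.5.dsl.example.net) by mx.example.org with smtp",
    # bracketed address literal
    "from [192.0.2.44] (helo=[192.0.2.44]) by mx.example.org with smtp",
    # digits that are not a valid IPv4 address, upper-case keyword
    "from unknown (HELO=999.300.1.2) by mx.example.org with smtp",
]

def classify(header):
    """Return (posted_hit, strict_hit) for one Received header body."""
    return bool(POSTED.search(header)), bool(STRICT.search(header))

def rule_score(headers, pattern, points=0.5):
    """Mimic a header rule: it fires once if any Received line matches."""
    return points if any(pattern.search(h) for h in headers) else 0.0

def run_samples():
    """Classify every constructed sample, in order."""
    return [classify(h) for h in SAMPLES]

if __name__ == "__main__":
    for header, (posted, strict) in zip(SAMPLES, run_samples()):
        print(f"posted={posted!s:5} strict={strict!s:5} {header}")
```

The third and fifth samples are where the two patterns disagree, which is worth checking against a ham corpus before settling on a score.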