Fuzzy Fox wrote:
> There is very little for any of SA's rules to trigger on, very little
> for any Bayes tokenization to use. The message is short, and I'd
> consider it basically an "image-only" type of spam, which SA is not
> likely to ever detect as spam, unless there is some corroborating evidence
> in the headers.

Actually, some of these spams should trigger the NORMAL_HTTP_TO_IP test, and if you add tests for any of the URIs (which repeat far more often than the From: or To: addresses), those should match as well, on at least one of full, rawbody, or body. But because SA doesn't decode all of the nested MIME, the pieces containing the URIs themselves are effectively discarded.

One thing I did notice is that the MIME boundaries are fairly consistent and can be used in rules:

    rawbody NESTED_MIME_SPAM /0012_01C27DD2.75377C90/

I've also added some body/subject rules for some of the subject lines seen in customer-submitted copies of these spams, as well as a few rules for some of the Received: headers seen.

I suspect a few would probably trigger one or more of the RBL checks; at the moment I don't have any of the "non-free" RBL tests active. :/

-kgd
--
<erno> hm. I've lost a machine.. literally _lost_. it responds to ping, it works completely, I just can't figure out where in my apartment it is.
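
An added example, not part of the original post and not SpamAssassin's own code: a Python illustration of the nested-MIME point above, decoding every text part at any depth before URI matching, so that a link hidden in a base64-encoded nested part (invisible to a pattern run over the raw text) is still found and checked for an IP-address host. The sample message, its boundaries and the address 192.0.2.10 are constructed, and both regexes are simplified assumptions.

```python
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

URI_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Assumed simplification: host is a dotted-quad IPv4 address, not a name.
IP_HOST_RE = re.compile(
    r"https?://(?:[^/@\s]*@)?\d{1,3}(?:\.\d{1,3}){3}(?=[:/]|$)", re.I)


def build_sample():
    """Constructed message: mixed > related > alternative > base64 HTML."""
    html = ('<html><body><a href="http://192.0.2.10/offer">'
            '<img src="cid:img1"></a></body></html>')
    inner = MIMEMultipart("alternative", boundary="constructed-inner")
    inner.attach(MIMEText(html, "html", "utf-8"))  # utf-8 body => base64
    middle = MIMEMultipart("related", boundary="constructed-middle")
    middle.attach(inner)
    outer = MIMEMultipart("mixed", boundary="constructed-outer")
    outer.attach(middle)
    outer["Subject"] = "constructed sample"
    return outer.as_string()


def decoded_text_parts(raw):
    """Yield decoded text from every text/* leaf, however deeply nested."""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and non-text leaves
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        yield payload.decode(charset, errors="replace")


def extract_uris(raw):
    """Collect http(s) URIs from the decoded parts, in message order."""
    return [u for text in decoded_text_parts(raw) for u in URI_RE.findall(text)]


def http_to_ip(uris):
    """Return the URIs whose host is a bare IPv4 address."""
    return [u for u in uris if IP_HOST_RE.match(u)]


if __name__ == "__main__":
    raw = build_sample()
    print("URI visible in raw text:", "192.0.2.10" in raw)
    print("URIs after decoding:", extract_uris(raw))
    print("HTTP-to-IP hits:", http_to_ip(extract_uris(raw)))
```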