Regis,

I had several false positives today based on the BAD_X_HEADERS rule. I'm
using the rules from Chris' site (Nov02).  The legitimate emails had an
"X-URL" header.  All of the FPs were from a single mailing list.  For
whatever reason, they are providing a valid link to some content within this
header.

Anyway, after all of your hard work (that pays huge dividends for me), I
thought I would pass this along.

-- Scott

-----Original Message-----
From: Regis Wilson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 1:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [SAtalk] [RD] simple rule for consumption


>Nope these are bogus. I have separate rules for them in the last Rule
>Emporium update. I used separate, as they often are seen in pairs. Although
>I didn't tag X-Email, because I'm not sure about that one.
>
X-Email: is pretty spammy for me, so it is in there.  I grepped my corpus
for X-headers and significantly increased the rule.  Please let me know if
I've chosen some false positives for others.  This rule is along the lines of
"create more rules that catch existing spam so that if other rules fail in
the future, this one can catch it as backup".

At the very least, the spammers will see that these are dead giveaways and
STOP USING THEM.  Not that that's good for us...

Writing rules is fun!

header BAD_X_HEADERS            ALL =~ /X-(?:[Cc][Ii][Dd]|Camp...|ClientHost|cross|E|E[Mm]ail|Encoding-Version|ENVID|Find|[Ii][Dd]?|Indiv|INFO_.Z|JLH|L-C|Mailid|MailingID|Misc_ID|mailer|mlcipher|mlmsgid|mpm|ms|ntc|PMG-.+|RMD-Text|Rec|SP-Track-ID|srk|TID|Trans|URL|Vig|WCMailID|yd):/
describe BAD_X_HEADERS          Message uses spammy X- header
score BAD_X_HEADERS             3.0


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
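
A small audit of the BAD_X_HEADERS pattern against known-good mail, added here as an example and not part of either message in the thread. It reproduces the X-URL false positive reported above and shows which alternative fired; Python's `re` stands in for Perl's regex engine (the pattern uses only syntax both share), the sample headers are constructed, and the line-anchored variant is an assumption included only for comparison.

```python
import re

# Alternation from the BAD_X_HEADERS rule quoted in the thread, rejoined from
# its wrapped lines. Nothing has been added to or removed from it.
ALTERNATION = (
    r"[Cc][Ii][Dd]|Camp...|ClientHost|cross|E|E[Mm]ail|Encoding-Version|ENVID"
    r"|Find|[Ii][Dd]?|Indiv|INFO_.Z|JLH|L-C|Mailid|MailingID|Misc_ID|mailer"
    r"|mlcipher|mlmsgid|mpm|ms|ntc|PMG-.+|RMD-Text|Rec|SP-Track-ID|srk|TID"
    r"|Trans|URL|Vig|WCMailID|yd"
)

# As posted: no anchor, so "X-...:" may match anywhere in the header block.
AS_POSTED = re.compile(r"X-(?:" + ALTERNATION + r"):")
# Assumption, for comparison only: same alternation, but the match must begin
# at the start of a header line.
ANCHORED = re.compile(r"^X-(?:" + ALTERNATION + r"):", re.MULTILINE)


def hits(pattern, headers):
    """Return every substring of the header block that the pattern matches."""
    return [m.group(0) for m in pattern.finditer(headers)]


def audit(corpus, pattern=AS_POSTED):
    """Map each message label to its matches; messages with no match are dropped."""
    return {label: h for label, hdrs in corpus.items() if (h := hits(pattern, hdrs))}


# Constructed sample headers standing in for a ham corpus (not real mail).
HAM = {
    "list-with-x-url": "From: list@example.org\nX-URL: http://example.org/issue/42\n"
                       "Subject: Weekly digest\n",
    "plain": "From: a@example.org\nX-Mailer: ExampleMUA 1.0\nSubject: hello\n",
    "subject-mentions": "From: b@example.org\nSubject: what does X-ID: mean?\n",
    "prefixed-name": "From: c@example.org\nOrig-X-Rec: 1\n",
}

if __name__ == "__main__":
    for name, pattern in (("as posted", AS_POSTED), ("anchored", ANCHORED)):
        print(name)
        for label, found in audit(HAM, pattern).items():
            print(f"  {label}: {found}")
```

The anchored variant still flags the X-URL message, so for that mailing list the fix has to come from the alternation or the score rather than from anchoring.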