I wrote some new habeas rules, which take care of the recents Habeas forgery :
I did something similar, except that instead of redefining the HABEAS_SWE rule, I created an offset, and I focused on the URLs rather than the boundaries.
uri PHARMACOURT_BIZ /\b(?:pharmacourt|pharmawarehouse|valuepointmeds)\.biz\b/i
describe PHARMACOURT_BIZ Includes a link to spammer www.pharmacourt.biz
score PHARMACOURT_BIZ 3
meta HABEAS_VIOLATOR_LOCAL (PHARMACOURT_BIZ && HABEAS_SWE) describe HABEAS_VIOLATOR_LOCAL Spammer known to abuse Habeas mark score HABEAS_VIOLATOR_LOCAL 16
The name has the added advantage that anything looking for HABEAS_VIOLATOR in the list of rules tripped will trigger on this rule as well. (I have MIMEDefang set to allow more leeway for messages that contain the Habeas mark, unless they show up on the violator list, in which case I quarantine them for later reporting.)
I've since noticed that these also trigger the bigevil list, so I'll probably remove the score for PHARMACOURT_BIZ.
Kelson Vibber
SpeedGate Communications <www.speed.net>
------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
