> That's ok Loren :). Does anyone else recall which SARE-rule Loren is
> thinking of?

Let's see. One I just got hit:

pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 NO_REAL_NAME           From: does not include a real name
 1.1 RATWR12_MESSID         Message-ID has ratware pattern (999999.999@)
 0.1 TW_SW                  BODY: Odd Letter Triples with SW
 0.1 TW_NF                  BODY: Odd Letter Triples with NF
 1.0 EARN_MONEY             BODY: Message talks about earning money
 1.7 SARE_FWDLOOK           BODY: Forward looking statements about stocks
 0.1 TW_YV                  BODY: Odd Letter Triples with YV
 0.7 US_DOLLARS_3           BODY: Mentions millions of $ ($NN,NNN,NNN.NN)
 0.8 FB_CASH_CAPS           BODY: /CASH/
 0.5 FB_MAKE_MONEY          BODY: /generate \$/i
 4.1 EMAIL_ROT13            BODY: Body contains a ROT13-encoded email address
 0.1 TW_IY                  BODY: Odd Letter Triples with IY
 2.7 NOT_ADVISOR            BODY: Not registered investment advisor
 0.1 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 50 to 56%
                            [score: 0.5068]
 0.5 HTML_FONT_BIG          BODY: HTML has a big font
 2.0 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.1 HTML_50_60             BODY: Message is 50% to 60% HTML
 0.1 HTML_FONTCOLOR_RED     BODY: HTML font color is red
 4.0 LW_TINY_FONT_1         BODY: Body contains 1pt font
 3.0 LW_BIG_AND_RED         BIG RED TEXT
 1.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format
 0.7 PLING_PLING            Subject has lots of exclamation marks
 0.2 DBL_12_LETTER_FLDR     DBL_12_LETTER_FLDR
 2.4 FORGED_MUA_OIMO        Forged mail pretending to be from MS Outlook IMO
 0.8 SARE_MSGID_D10D4       Message-ID has ratware pattern (999999.999@)

It looks like you want some SARE rules, some of Fred's rules (also on the SARE site in 'other rules we host' or some such), and Tripwire. Which is also there someplace. Looks like most of the score comes from Fred's rules.

Loren