On Tue, 12 Feb 2019 09:44:02 +0000 MAYER Hans wrote:
> “full” statement should be: full __HAS_URI /(http|https):\/\// This is still a poor rule, "full" is actually the worst type to use. Both full and rawbody can find a lot more links than are relevant. It's already been mentioned that in multipart/alternative emails, links are double-counted. If the HTML also uses buttons or displays the link as text, clickable links are then triple-counted. There can also be other irrelevant links to images, fonts, etc, and it's common for HTML to have informational links about tools and standards. "full" is worse than "rawbody" because it will fail completely if the spammer switches to base64, and it will count additional spurious links in headers. Personally I get a lot of legitimate emails with many clickable links, so this sounds like a bad idea. If you really want to do this you should use a "body" rule for counting. You may also want to have a different threshold if Content-Type contains 'multipart/alternative'.
