One method would be to write some negative scoring rules based on where the hams come from. They could override the SARE rules.
--Chris >-----Original Message----- >From: Gray, Richard [mailto:[EMAIL PROTECTED] >Sent: Wednesday, April 06, 2005 12:32 PM >To: Jim Maul; SA Users List >Subject: RE: Extra Sare Rules for meds? > > >When I worked on this, I basically took the anti_drug ruleset, >and added >a check to ensure that the rules only fire on obfuscated >versions of the >name. This can be done using negative lookahead in the rule > >Header SAMPLE_RULE Subject =~ /(?!viagra)v[1i][a4]gr[4a]/i > >As an example (and only an example. I wrote it off the top of my head >with no linting/brainwork) > >Again, I'm happy to provide further input if you need it. > >R > >> -----Original Message----- >> From: Jim Maul [mailto:[EMAIL PROTECTED] >> Sent: 06 April 2005 15:39 >> To: SA Users List >> Subject: Extra Sare Rules for meds? >> >> I realize this isnt exactly a SA question but i figured >> theres enough people on this list using sare rules to give >> some feedback. I work in a hospital where we obviously >> receive a lot of legit emails with drug names in them. >> However, we also receive a lot of spam with drug names in >> them as well. I know there are sare rules to catch these >> sort of things but the question i guess is can these rules >> distinguish between the two? The difference it seems is that >> in the legit emails they dont try to hide the drug names and >> in the spam they do. Before i install some of these rules, i >> wanted to hear if anyone has had any experience with this >> type of situation. >> >> Thanks >> Jim >> > > >--------------------------------------------------- >This email from dns has been validated by dnsMSS Managed Email >Security and is free from all known viruses. > >For further information contact [EMAIL PROTECTED] > > > > >
