On 2025-06-27 at 15:39:50 UTC-0400 (Fri, 27 Jun 2025 15:39:50 -0400)
Mark London <m...@psfc.mit.edu>
is rumored to have said:
> I notice a new rule _SCC_HTML_ODDDIV8 that is hitting a lot of real
> email.

Discussed here earlier this week. Fixed in r1926179.
See https://lists.apache.org/thread/yoy3n75p9jg9zmj54sz8plz3zkzwy7zv for
that earlier discussion

> It's also strange that it starts with a _

Yes, it was supposed to start with __. It does in the pending update
currently working its way through Rule QA.

> It's even more strange, that it can appear multiple times, for a
> given email. Maybe because of the _?

No, because it has a "tflags multiple" line. The output of `perldoc
Mail::SpamAssassin::Conf` is full of such useful details.

The proper rules in the fixed version are:

describe __SCC_HTML_ODDDIV8 Idiosyncratic HTML structure used by spammers
rawbody __SCC_HTML_ODDDIV8 /<DIV>\ <\/DIV>/i
tflags __SCC_HTML_ODDDIV8 multiple publish

describe SCC_META_ODDDIV8 ODDDIV8 is most odd many times.
meta SCC_META_ODDDIV8 __SCC_HTML_ODDDIV8 > 10
score SCC_META_ODDDIV8 2 #limit

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
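
Added example, not part of the original message and not SpamAssassin code: a simplified Python model of how the hit count of the "tflags multiple" sub-rule feeds the meta rule's "> 10" test. It assumes one rawbody chunk per line; the function names and sample bodies are constructed for illustration, and maxhits=N is the tflags option that caps the count.

```python
import re

# Pattern and threshold copied from the rules quoted in the message above.
ODDDIV8 = re.compile(r"<DIV>\ <\/DIV>", re.I)
META_THRESHOLD = 10  # meta SCC_META_ODDDIV8  __SCC_HTML_ODDDIV8 > 10


def subrule_hits(raw_lines, multiple=True, maxhits=None):
    """Hit count of the rawbody sub-rule (simplified: one chunk per line).

    multiple=False models a rule without "tflags multiple": it stops at the
    first match, so its value is 0 or 1. maxhits models "tflags multiple
    maxhits=N", which caps the count at N.
    """
    hits = 0
    for line in raw_lines:
        for _ in ODDDIV8.finditer(line):
            hits += 1
            if not multiple:
                return 1
            if maxhits is not None and hits >= maxhits:
                return hits
    return hits


def evaluate(raw_lines, multiple=True, maxhits=None):
    """Return (sub-rule hit count, rule names shown in the report)."""
    hits = subrule_hits(raw_lines, multiple, maxhits)
    reported = []
    # Names starting with "__" are unscored sub-rules and are never reported;
    # only the meta rule can surface, and only above the threshold.
    if hits > META_THRESHOLD:
        reported.append("SCC_META_ODDDIV8")
    return hits, reported


# Constructed sample bodies (not real mail).
NEWSLETTER = ["<div>Hello</div>", "<DIV> </DIV>", "<p>News</p>",
              "<div> </div><DIV> </DIV>"]
ODD_MAIL = ["<DIV> </DIV>" * 4] * 3  # 12 matches across three lines

if __name__ == "__main__":
    for name, body in (("newsletter", NEWSLETTER), ("odd mail", ODD_MAIL)):
        print(name, evaluate(body), evaluate(body, multiple=False))
```

Without "multiple" the sub-rule's value never exceeds 1, so the meta comparison could never be true; a maxhits cap at or below 10 would have the same effect.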