>> >> Hello list, >> >> For your consideration: >> >> header __MULTIPART_RELATED Content-Type =~ /multipart\/related/ >> >> meta OE_MULTIPART_RELATED (__OE_MUA && __MULTIPART_RELATED) >> describe OE_MULTIPART_RELATED Possible image spam forged as from MS Outlook >> >> The false Positive rate on my corpus is 0.1%. I can't tell you about the >> false >> negative rate since I don't keep my spam (only my ham). >> >> This rule works very well on the pump-and-dump image spam that has been >> escaping my spamassassin installation for the last few months. Although >> Outlook Express is capable of generating messages with multipart/related >> MIME >> type, it only does that if the user creates an HTML message with inline >> images. This happens occasionally but rarely (hence the 0.1%). I expect the >> perceptron might give this rule a score of perhaps +0.5, which is not enough >> to catch the pump-and-dump image spam by itself, but works well in >> conjunction with Mail::SpamAssassin::Plugin::ImageInfo. >> >> Thoughts on this rule? >> >> --Ian Turner >>
Hi Ian, this would trap mail using outlook "stationery". I dont really like it, but I get it in wanted mail. Generally I believe that rules scoring valid use of mail (cid addressing, mime types) should be avoided - unless you want to block, e.g., mails with images or mails sent from outlook generally Rather try to find a subtle difference in the way real outlook builds the message and the spammers do it, that would really reveal it is not from outlook Wolfgang Hamann
