On Wed, 2008-02-20 at 09:13 +1300, Kathryn Allan wrote:
> Getting tons of this sort of email through have been learning it as
> spam for the last few days but so far not much luck.

Now that we've settled on the technical difficulties of pastebins, and
since we've all seen that one before anyway... ;)

The scores on my side for that particular spam vary greatly, with a
couple blacklists hitting occasionally. They do tend to be rather sneaky
for a default SA install.

However, there are a bunch of characteristics to match on. Just checked
again on a few of them, otherwise going from memory here. They all got a
blogspot URI, claim to be sent by the Bat, and yet are direct MUA to MX
delivered.

  uri       KB_URI_BLOGSPOT  m,http://\w+\.blogspot\.com\b,
  describe  KB_URI_BLOGSPOT  blogspot.com throwaway URI
  score     KB_URI_BLOGSPOT  1.0

  header    __X_MAILER_THE_BAT  X-Mailer =~ /^The Bat! /
  header    __CLIENT_TO_MX      X-Spam-Relays-Untrusted =~ /^\[ [^\[]+$/
  meta      THEBAT_MUA_TO_MX    __X_MAILER_THE_BAT && __CLIENT_TO_MX
  describe  THEBAT_MUA_TO_MX    The Bat! does not do direct MX connections
  score     THEBAT_MUA_TO_MX    1.5

Note that I did *not* test the __CLIENT_TO_MX and meta rule. The other
ones pretty much are copied from some general local rules.

Also, it probably should be rather easy to match on the empty anchor
tags with 4 chars relative names in these spams, but I would have to
mass-check that first.

  <a name=3D"#tppt"></a>

And of course you should keep training your Bayes on these.

HTH

  guenther

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
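
The following is an added example, not part of the original message: a small Python harness that runs the regexes from the rules above against constructed sample mail, including the single-relay check that the message says was not tested. The sample messages, the relay strings, the `EMPTY_ANCHOR` pattern and the rule name `EMPTY_ANCHOR_4CHAR` are assumptions made for illustration.

```python
import re
from email import message_from_string

# Patterns transcribed from the rules in the message.
URI_BLOGSPOT = re.compile(r"http://\w+\.blogspot\.com\b")
X_MAILER_THE_BAT = re.compile(r"^The Bat! ")
CLIENT_TO_MX = re.compile(r"^\[ [^\[]+$")  # exactly one "[ ... ]" relay entry
# Assumption: one possible pattern for the empty 4-char anchors (not mass-checked).
EMPTY_ANCHOR = re.compile(r'<a name="#\w{4}"></a>')

def hits(raw_message, relays_untrusted):
    """Return the names of the checks that fire for one message.

    relays_untrusted stands in for SpamAssassin's X-Spam-Relays-Untrusted
    pseudo-header, which SA derives from the Received headers.
    """
    msg = message_from_string(raw_message)
    # Decode quoted-printable so name=3D"..." becomes name="..."
    body = msg.get_payload(decode=True).decode("latin-1")
    fired = set()
    # Simplification: SA's uri rules run on extracted URIs, here on the body.
    if URI_BLOGSPOT.search(body):
        fired.add("KB_URI_BLOGSPOT")
    bat = X_MAILER_THE_BAT.search(msg.get("X-Mailer", ""))
    if bat and CLIENT_TO_MX.search(relays_untrusted):
        fired.add("THEBAT_MUA_TO_MX")
    if EMPTY_ANCHOR.search(body):
        fired.add("EMPTY_ANCHOR_4CHAR")  # hypothetical rule name
    return fired

# Constructed sample data (not taken from real mail).
DIRECT = ("[ ip=192.0.2.10 rdns= helo=user-pc by=mx.example.org "
          "ident= envfrom= intl=0 id=1A2B3C auth= ]")
VIA_SMARTHOST = ("[ ip=198.51.100.7 rdns=smtp.example.net helo=smtp.example.net "
                 "by=mx.example.org ident= envfrom= intl=0 id=4D5E6F auth= ] "
                 "[ ip=192.0.2.10 rdns= helo=user-pc by=smtp.example.net "
                 "ident= envfrom= intl=0 id=7A8B9C auth= ]")
SPAM = ("X-Mailer: The Bat! (v3.0) Professional\n"
        "Content-Type: text/html\n"
        "Content-Transfer-Encoding: quoted-printable\n\n"
        '<a name=3D"#tppt"></a><a href=3D"http://example.blogspot.com/">x</a>\n')
HAM = ("X-Mailer: The Bat! (v3.0) Professional\n"
       "Content-Type: text/plain\n\n"
       "Minutes from Tuesday are attached.\n")

if __name__ == "__main__":
    for name, raw, relays in (("spam/direct", SPAM, DIRECT),
                              ("spam/smarthost", SPAM, VIA_SMARTHOST),
                              ("ham/smarthost", HAM, VIA_SMARTHOST)):
        print(name, sorted(hits(raw, relays)))
```

The second case shows what the meta rule depends on: the same message with two relay entries in the untrusted list no longer matches `__CLIENT_TO_MX`, so only the URI and anchor checks fire.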