Kenneth Porter writes: > On Wednesday, September 17, 2008 4:02 PM +0100 Justin Mason <[EMAIL > PROTECTED]> > wrote: > > > This is just in the dev ruleset -- for 3.3.0 -- so you're best off adding > > it manually. right now it's like this: > > > > # thanks to Phil Randal on the users list for this tip > > rawbody __PR_TD_NOWRAP /<td nowrap>/ > > meta PR_TD_NOWRAP_BAT (__THEBAT_MUA && __PR_TD_NOWRAP) > > I just want to report that this has been an incredibly effective rule, with > no false positives. I'm amazed that I'm still catching tons of spam with > it, that the spammers haven't changed their code. (But I've probably jinxed > it by saying so, and it will be replaced tomorrow.)
The botnet spammers don't seem to work like that. One of the more successful rules recently was detailed in a very high-profile research paper over a year ago, yet even now still hits spam: http://ruleqa.spamassassin.org/?q=JM_REACTOR_MAILER --j.
