On Wed, 25 Mar 2009, Arvid Ephraim Picciani wrote:
> http://codepad.org/W53onqK9
> I gave up on this kind of spam. It's impossible to train Bayes and changing
> too fast to make custom rules. Matching senders doesn't work either
> because those are sent using live.com, gmail, sourceforge, etc.

It would be somewhat more robust if SA offered multiline rawbody matching,
but try this:
# spaces.live.com URI rule posted to SA list a while ago, good for metas
uri URI_SPACES_LIVE /spaces\.live\.com/
score URI_SPACES_LIVE 0.50
describe URI_SPACES_LIVE contains link to spaces.live.com
rawbody __GRID_OBFU_1 /^\s{0,30}<td bgcolor="\w{1,10}" valign="top"><br>\s{0,30}$/i
rawbody __GRID_OBFU_2 /^\s{0,30}<td valign="top"><br>\s{0,30}$/i
rawbody __GRID_OBFU_3 /^\s{0,30}<\/td>\s{0,30}$/i
rawbody __GRID_OBFU_4 /^\s{0,30}<tbody>\s{0,30}$/i
meta HTML_GRID_OBFU_LIVE (HTML_MESSAGE && URI_SPACES_LIVE && __GRID_OBFU_1 && __GRID_OBFU_2 && __GRID_OBFU_3 && __GRID_OBFU_4)
describe HTML_GRID_OBFU_LIVE Grid-obfuscated text w/ spaces.live.com URI
It's also fairly specific to the HTML in the sample message.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
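
The following is an added example, not part of the original post and not SpamAssassin code: a Python simulation of the rules above over constructed HTML, showing why per-line rawbody matching is less robust than multiline matching would be. It assumes each rawbody rule is tested one line at a time and uses a simplified href extraction in place of SpamAssassin's URI parsing.

```python
import re

# Sub-rules copied from the post; SpamAssassin is assumed here to test each
# rawbody rule against one line at a time, as the post implies.
SUBRULES = {
    "__GRID_OBFU_1": r'^\s{0,30}<td bgcolor="\w{1,10}" valign="top"><br>\s{0,30}$',
    "__GRID_OBFU_2": r'^\s{0,30}<td valign="top"><br>\s{0,30}$',
    "__GRID_OBFU_3": r'^\s{0,30}<\/td>\s{0,30}$',
    "__GRID_OBFU_4": r'^\s{0,30}<tbody>\s{0,30}$',
}
HREF = re.compile(r'href="([^"]+)"', re.I)  # simplified URI extraction (assumption)

def evaluate(raw_html):
    """Return hit/miss for every sub-rule plus the HTML_GRID_OBFU_LIVE meta."""
    lines = raw_html.splitlines()
    hits = {name: any(re.search(rx, line, re.I) for line in lines)
            for name, rx in SUBRULES.items()}
    hits["URI_SPACES_LIVE"] = any(re.search(r"spaces\.live\.com", u)
                                  for u in HREF.findall(raw_html))
    # HTML_MESSAGE is taken as true because every sample below is HTML.
    hits["HTML_GRID_OBFU_LIVE"] = all(hits.values())
    return hits

# Constructed samples, not taken from the message discussed in the thread.
LINK = '<a href="http://constructed-example.spaces.live.com/">more</a>\n'
GRID = ('<table>\n<tbody>\n<tr>\n'
        '<td bgcolor="white" valign="top"><br>\nx\n</td>\n'
        '<td valign="top"><br>\ny\n</td>\n'
        '</tr>\n</tbody>\n</table>\n')
# Same four lines, but far apart and in a different order: no grid at all.
SCATTERED = ('</td>\n<p>newsletter text</p>\n<td valign="top"><br>\n'
             '<p>more text</p>\n<tbody>\n<p>footer</p>\n'
             '<td bgcolor="white" valign="top"><br>\n')

if __name__ == "__main__":
    for label, body in [("grid + link", GRID + LINK),
                        ("scattered + link", SCATTERED + LINK),
                        ("grid, no link", GRID)]:
        result = evaluate(body)
        fired = sorted(k for k, v in result.items() if v)
        print(f"{label:18} meta={result['HTML_GRID_OBFU_LIVE']} fired={fired}")
```

The meta fires on the scattered sample as well, because the sub-rules only record that each line occurred somewhere in the body; the URI and HTML_MESSAGE conditions are what keep it from firing on ordinary table markup.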