Hi, >> mimeheader AS_090508_CTYP_PNG Content-Type =~ /image\/png/ >> mimeheader AS_090508_CTYP_JPG Content-Type =~ /image\/jpg/ >> mimeheader AS_090508_CTYP_JPEG Content-Type =~ /image\/jpeg/ > > All scored the same. Can be written as a single rule.
I've spent some time and tried to refine my rules based on your advice, guenther. Can I ask you to check them over again and see if this is any better, or at least more inclusive? mimeheader LOC_CDIS_INLINE Content-Disposition =~ /inline/ score LOC_CDIS_INLINE 0.1 describe LOC_CDIS_INLINE Content-Disposition: inline mimeheader LOC_CTYP_IMG ((Content-Type =~ /image\/png/) || (Content-Type =~ /image\/jpg/) || (Content-Type =~ /image\/jpeg/) || (Content-Type =~ /^application\/octet-stream.\.rtf/)) score LOC_CTYP_IMG 0.1 describe LOC_CTYP_IMG Content-Type: PNG-JPG-JPEG-RTF meta LOC_IMGSPAM ((LOC_CDIS_INLINE && LOC_CTYP_IMG) score LOC_IMGSPAM 0.1 describe LOC_IMGSPAM Probably inline image meta LOC_BOTNET_IMG ((BOTNET && LOC_IMGSPAM) || (BAYES_99 && LOC_IMGSPAM)) score LOC_BOTNET_IMG 1.5 describe LOC_BOTNET_IMG Probably inline image spam > Generally, no. A spam advertising body part enhancers also has > correctly spelled words. Training them doesn't "poison" Bayes either. > And there usually are still useful tokens around. That's great, thanks! Thanks, Alex
