Karsten Bräckelmann wrote:
> > This is a plain RE rule I once wrote, to limit some rule to really short
> > messages only.
> >
> > rawbody __KB_RAWBODY_200 /^.{0,200}$/s
Warren Togami mused:
> I suspect meta limiting Adam's IXHASH rules with a minimum size subrule
> would eliminate many of the IXHASH false positives. I was using his
> IXHASH plugin for a while, but stopped because I noticed too many FP's
> on short e-mails. I wonder if his IXHASH plugin is suitable to put into
> the sandbox for actual statistical testing.
Quick note - iXhash isn't mine. The project is the brainchild of Dirk
Bonengel, http://dbonengel.users.sourceforge.net/#, who was inspired by
NiX Spam (by Bert Ungerer). The credits at http://ixhash.sf.net/ don't
actually mention Dirk (Dirk -- take credit!).
I merely wrote that meta rule to link the three of them together rather
than the more common approach of assigning points to each of them.
Combining that with Karsten's rawbody check (though I'm not sure what char
length threshold would be a good one), we'd get (please unwrap meta line):
meta IXHASH_CHECK __KB_RAWBODY_200 && (GENERIC_IXHASH ||
NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH)
describe IXHASH_CHECK BODY: MD5 checksum matches known spam
score IXHASH_CHECK 0 2 0 2
--
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-Spam
