2010/5/6 Karsten Bräckelmann <guent...@rudersport.de>: > On Wed, 2010-05-05 at 15:39 -0700, Kelson Vibber wrote: >> We're seeing FPs Twitter's "So-and-so is now following you on Twitter" >> notices, pushed over by JM_SOUGHT_3's 4 points. It appears to be >> matching on __SEEK_O1OO80, which contains a large chunk of Twitter's >> email footer. >> >> If I were to guess, it's probably due to the phishing campaign that's >> been targeting Twitter users over the last few weeks, faking a message >> from Twitter support. I've seen several of those phish land in our own >> spamtraps and abuse mailbox. >> >> I can send a ham sample if that would help. > > It does indeed. The sought rule-set's seek sub-rules are cross checked > against a ham corpus. No twitter ham in the corpus results in forged > twitter messages to be picked up in a seek, if the volume in the traps > is high enough. > > Please send us a ham sample. Obfuscating identifying data is ok, but > please keep it to a minimum needed, and make it obvious. Raw message > attached preferred. Feel free to send it directly to me and/or Justin, > rather than the list. Thanks!
+1. I've added a quick fix (a copy of that rule's text) but some real ham text would be better. --j.
