On Tue, 2010-11-16 at 16:02 +0000, Mike Bro wrote:
> Hello,
>
I've seen all but (2) in ham, so be careful with these rules - you
probably want to score them at 0.01 and use them in meta-rules.
> Just wanted to create (or use if they already exist) some rules:
> 1. Email body contains more than 10 newliners without any text between them
>
I get quite a lot of bodies like this - they almost always have a *lot*
of attached photos plus an HTML text body. The multiple spaces are
always in the plaintext body part and seem to correspond to the image
positions in the HTML version - IOW this is something that an M$ mail
reader such as LookOut does when it generates the plaintext version of
the mail.
> 2. Email body contains less than 4 characters
>
I've never seen mail with so short a body - where's the spam payload?
> 3. Email body contains only a line of text and a line with some URL
>
I've seen bodies, both as spam and ham, that only contain a URL and
whitespace on either side. Something like
rawbody BARE_URL /^\s{0,10}(\S{1,80}|http:\S{1,70}\.html)\s{0,10}$/
should catch it, but you'll need variants with the text line before and
after the URL.
Martin
