On 2010-11-16 23:52, Martin Gregorie wrote:
> On Tue, 2010-11-16 at 14:20 -0800, John Hardin wrote:
>> On Tue, 16 Nov 2010, Martin Gregorie wrote:
>>
>>> On Tue, 2010-11-16 at 16:02 +0000, Mike Bro wrote:
>>>
>>>> 2. Email body contains less than 4 characters
>>>
>>> I've never seen mail with so short a body - where's the spam payload?
>>
>> Likely the Subject line.
>>
> Agreed: there or maybe as the sender's personal name. I was hoping this
> might prompt the OP into providing a bit more information since, as I
> said, I've never seen a mere 4 characters for an entire body, pure
> plain-text or MIME (which would be impossible).

Lucky you - I frequently get spam with no payload at all, not even in
the subject line, and the body typically consists of just 3 chars. I'd
really like to know what motivation drives somebody to send these.
Anyway, they are pretty annoying.

I tried to catch them with the following rule:

rawbody L_VERY_SHORT /^.{0,5}$/s

Unfortunately this rule occasionally matched messages that were much
longer than 5 chars (it seemed that this happens particularly with MIME
messages). I have no idea how this is possible - if somebody has an
explanation, please let me know ...

To avoid these false positives, I now use:

rawbody __MORE_THAN_FIVE_CHARS /.{6}/s
meta L_VERY_SHORT !__MORE_THAN_FIVE_CHARS

I can't guarantee that there are no cases where this also will
mysteriously match without any apparent reason, but so this seems to
work ...

Regards, Peter
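
A model of why the first rule misfires while the negated meta does not, added here as an example that is not part of Peter's post or SpamAssassin's code. It assumes rawbody regexes are run against each chunk of the decoded body separately (hypothetically one chunk per line here) and that a rule hits when any chunk matches; `split_chunks`, `rule_hits`, `evaluate` and the sample messages are constructed for illustration.

```python
import re

# Regexes copied from the post; re.DOTALL corresponds to Perl's /s modifier.
SHORT_RE = re.compile(r"^.{0,5}$", re.DOTALL)  # first attempt at L_VERY_SHORT
LONG_RE = re.compile(r".{6}", re.DOTALL)       # __MORE_THAN_FIVE_CHARS


def split_chunks(text):
    """Hypothetical chunker (assumption): one chunk per line, newline kept."""
    return text.splitlines(keepends=True)


def rule_hits(regex, chunks):
    """Assumed evaluation model: a rule hits if ANY single chunk matches."""
    return any(regex.search(chunk) for chunk in chunks)


def evaluate(parts):
    """parts: decoded text of each MIME part. Returns both rule variants."""
    chunks = [c for part in parts for c in split_chunks(part)]
    return {
        # Positive form: true as soon as one short chunk exists anywhere.
        "positive_rule": rule_hits(SHORT_RE, chunks),
        # Negated meta: true only if NO chunk holds six or more characters.
        "negated_meta": not rule_hits(LONG_RE, chunks),
    }


# Constructed sample messages (not taken from real mail).
SPAM_3_CHARS = ["abc\n"]
LONG_PLAIN = ["Hello Peter,\n\nthe quarterly report is attached.\nBye\n"]
LONG_MIME = [
    "Hi,\nPlease find the quarterly report attached.\n",
    "<p>Hi,</p>\n<p>Please find the quarterly report attached.</p>\n",
]

if __name__ == "__main__":
    for name, msg in [("spam", SPAM_3_CHARS), ("plain", LONG_PLAIN),
                      ("mime", LONG_MIME)]:
        print(name, evaluate(msg))
```

Under this model the positive rule fires on any message containing a short or blank line, while the negated form only fires when every chunk is shorter than six characters.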