On Tue, 2011-07-26 at 00:21 -0700, Daniel Lemke wrote: > Hi there, > > A few days ago a mail passed our SpamAssassin and I was a bit surprised when > I looked at the mail content. > It does contain typical spam words like ‘drug’ etc. > Actually, it contains very little that might not appear in an e-mail from your doctor.
> Mail content can be found on pastebin: http://pastebin.com/k8xptZbd > The URL is a redirect via the ff.ly URL shortener, a common form of obfuscation and was correctly spotted by two URIBLs. It redirects to arslania.com (registered in Turkey) which in turn redirects to a Russian pharmacy, which is probably the URL that Spamhaus and Barracuda picked up on. > If blacklist and Bayes score are not included in spam score calculation, > score is even zero. > I get a score of 9.8 after subtracting local rules and that's without Bayes, which didn't fire. > Why are there no regexes triggering this typical spam words? > Try writing one. It would be hard to write a meta rule, let alone a single regex, that won't FP on ham but that will reliably recognise more spam than this one message. What have you got against blacklists anyway? Martin
