On Mon, 2012-02-06 at 09:57 -0800, Mynabbler wrote:
> As I said, sure they are in RBL now. They were not when this message was
> delivered. That's the whole point of coming up with a different approach here,
> the amount of comment in the message.
>
Something like this might work:

# rawbody rather than body: body rules are matched after HTML tags are removed
rawbody __SR1 /<html>\s{0,2}<!--/
rawbody __SR2 /-->\s{0,2}<body>/
meta    RULE  (__SR1 && __SR2)
score   RULE  3.5

on the grounds that I've never seen a comment in valid HTML that immediately follows an <html> tag or immediately precedes a <body> tag.

CAUTION: this has neither been syntax checked nor tested.

It would also be quite reasonable to point a rule at the in-body URL, on which somebody has gone to the trouble of setting up MX records for the domain, and so may feature in more spam in the future. The URL references a single, zero-length main page called index.html - not a normal feature of a legitimate site. If many of the spams have this URL in common, it is definitely worth a few points.

Martin
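
Added example, not part of the original message or of SpamAssassin: the two sub-rule patterns and the meta condition above, run in Python over three constructed messages to show what fires and what does not. The helper names, the sample messages and the choice to match against each whole decoded text/html part are assumptions of this example.

```python
import base64
import re
from email import message_from_string

# The two sub-rule patterns from the message, unchanged.
SR1 = re.compile(r"<html>\s{0,2}<!--")
SR2 = re.compile(r"-->\s{0,2}<body>")
SCORE = 3.5  # score proposed in the message

def html_texts(raw):
    """Yield decoded text/html parts (transfer encoding removed, tags kept)."""
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")

def evaluate(raw):
    """Return (sr1_hit, sr2_hit, score) for one raw message."""
    sr1 = sr2 = False
    for html in html_texts(raw):
        sr1 = sr1 or bool(SR1.search(html))
        sr2 = sr2 or bool(SR2.search(html))
    return sr1, sr2, SCORE if (sr1 and sr2) else 0.0

def make_message(html, encode=False):
    """Build a constructed single-part HTML message (hypothetical helper)."""
    cte, body = "7bit", html
    if encode:
        # base64 hides the markup from a naive scan of the raw message
        cte, body = "base64", base64.encodebytes(html.encode()).decode()
    return ("Subject: constructed sample\nMIME-Version: 1.0\n"
            "Content-Type: text/html; charset=utf-8\n"
            f"Content-Transfer-Encoding: {cte}\n\n{body}")

# Constructed samples, not taken from any real mail.
PADDED = make_message("<html>\n<!-- filler filler filler -->\n<body>"
                      "<a href='http://example.invalid/'>x</a></body></html>",
                      encode=True)
NORMAL = make_message("<html><head><!-- build 42 --><title>News</title></head>\n"
                      "<body><p>Hello</p></body></html>")
HALF = make_message("<html>\n<!-- note --><head></head><body><p>Hi</p></body></html>")

if __name__ == "__main__":
    for name, msg in (("padded", PADDED), ("normal", NORMAL), ("half", HALF)):
        print(name, evaluate(msg))
```

Only the first sample, with a comment directly after <html> and directly before <body>, reaches the meta score; a comment inside <head> or a hit on just one sub-rule scores nothing.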