Hi all,
A number of my users have been receiving spam formatted in a
very specific way which seems to very often miss Bayes... I don't
know why, whether it's because of the HTML gibberish flooding Bayes
with useless tokens (to reduce the relative strength of the spammy
tokens), or if it's just that the specific content isn't sufficiently
spammy (or has sufficient ham to balance) to pop.
Either way, this spam appears to be generated from a specific
template, and I've created a rule to hit that template. Within the
last couple of weeks, I've had only true positives and negatives...
no FPs, no FNs.
For your perusal, here is the rule:

# Spammy URI pattern
uri __OUTL_URI /\/outl\b/
uri __OUTI_URI /\/outi\b/
meta OUTL_OUTI_IS_SPAMMY (__OUTL_URI && __OUTI_URI)
describe OUTL_OUTI_IS_SPAMMY /outl + /outi link combo is highly spammy
score OUTL_OUTI_IS_SPAMMY 3

If you don't specifically trust URI rules to not have FPs, I have a
rawbody version of this which works identically... in all cases, both
rules pop together, so I think there's no specific need to use the
rawbody version, but I can provide it if needed.
I recommend this rule be added to the general distribution.
(Like many other users here, I've also increased the Bayes scores for
Bayes99, and created a Bayes999 with even higher scoring... it might
be time to add that to the general distribution, too.)
Hope this helps...
--- Amir
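
An added example, not part of the original post: a quick way to check what the two patterns above do and do not match before deploying the rule. It assumes each message has already been reduced to its list of URIs (SpamAssassin's own URI extraction is not reproduced), and every sample URI and the helper names are constructed for illustration.

```python
import re

# The two sub-rule patterns from the post, unchanged.
OUTL = re.compile(r"/outl\b")
OUTI = re.compile(r"/outi\b")


def meta_hits(uris):
    """Emulate the meta rule: both sub-rules must hit somewhere in the
    message, on the same URI or on different ones."""
    return any(OUTL.search(u) for u in uris) and any(OUTI.search(u) for u in uris)


# Constructed sample messages (lists of URIs), not real mail.
SAMPLES = {
    # The template shape the rule targets.
    "template": ["http://example.com/outl", "http://example.com/outi"],
    # '?' and '.' are non-word characters, so \b still matches.
    "with_query": ["http://example.com/outl?id=1", "http://example.com/outi.gif"],
    # One URI can satisfy both sub-rules.
    "single_uri": ["http://example.net/outl/outi"],
    # Only one half present: the meta rule must stay quiet.
    "only_outl": ["http://example.com/outl"],
    # \b prevents hits on longer words such as /outlook or /outing.
    "longer_words": ["https://example.org/outlook/help", "https://example.org/outing"],
    # '_' is a word character, so \b fails after /outl_ and /outi_.
    "underscore": ["http://example.com/outl_1", "http://example.com/outi_1"],
    # Caveat: the patterns are not anchored to the path, so the second
    # slash of '//' followed by a host label 'outl' or 'outi' also matches.
    "host_label": ["http://outl.example.com/", "http://outi.example.com/"],
}


def evaluate(samples):
    """Return {sample name: True if the meta rule would fire}."""
    return {name: meta_hits(uris) for name, uris in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLES).items():
        print(f"{name:13} {'HIT' if fired else 'miss'}")
```

The host_label case is the one to watch when reviewing for FPs, since it fires without any /outl or /outi path component.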