Hi guys, I've created a bunch of rules that are intended to detect short bodies meta'd with a missing subject. I thought it was working okay, but I think I should have an exclusion for messages that contain a significant attachment. I'd appreciate it if someone could help me review my rules and show me where they're going wrong. Some of it is adapted from John's work back in April, I think.

rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
body __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
meta LOC_SHORT (__BODY_LE_200 && __HAS_HTTP_URI && (!(BAYES_00 || USER_IN_WHITELIST || KHOP_RCVD_TRUST)))
describe LOC_SHORT Has URI and short body
score LOC_SHORT 1.1

I've created some additional metas using this rule with missing subject and freemail. I've posted an example here:

http://pastebin.com/v6sTPeZ1

I'm trying to reduce this FP by determining if there is an attachment.

Thanks for any ideas.

Alex
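
An added example, not part of the original post and not SpamAssassin code: a simplified Python model of the LOC_SHORT condition with the attachment exclusion the post asks about, useful for checking sample messages offline. The 10,000-byte threshold, the function names and the sample messages are assumptions constructed for illustration; `trusted` stands in for BAYES_00 || USER_IN_WHITELIST || KHOP_RCVD_TRUST, and the body test approximates the rawbody/body pair rather than reproducing SpamAssassin's chunking.

```python
import re
from email.message import EmailMessage

SHORT_LIMIT = 200            # same 200-character bound as the rules above
MIN_ATTACH_BYTES = 10_000    # assumption: what counts as a "significant" attachment
URI_RE = re.compile(r"https?://\S+", re.I)   # rough stand-in for __HAS_HTTP_URI

def text_body(msg):
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if (part.get_content_type() == "text/plain"
                and part.get_content_disposition() != "attachment"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).strip()

def has_significant_attachment(msg):
    """True if any attached (or named) leaf part decodes to MIN_ATTACH_BYTES or more."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            if len(part.get_payload(decode=True) or b"") >= MIN_ATTACH_BYTES:
                return True
    return False

def loc_short_model(msg, trusted=False):
    """Short body + http URI + not trusted, skipped when a big attachment is present."""
    body = text_body(msg)
    short = 2 <= len(body) <= SHORT_LIMIT
    has_uri = bool(URI_RE.search(body))
    return short and has_uri and not trusted and not has_significant_attachment(msg)

def build_sample(text, attachment_bytes=0):
    """Constructed test message with no Subject header and an optional attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m.set_content(text)
    if attachment_bytes:
        m.add_attachment(b"\0" * attachment_bytes, maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m

if __name__ == "__main__":
    for size in (0, 100, 20_000):
        hit = loc_short_model(build_sample("see http://example.com/doc", size))
        print(f"attachment={size:>6} bytes -> LOC_SHORT model hit: {hit}")
```
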