On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
> You'll be lucky to catch them on anything other than phrase matching, as
> they're very simple in design, those spam messages. Much like the
> "downlooadable sooftware" ones we used to get. To a program, there's
> not much that looks like Spam about these messages.


This is not true. I posted a meta rule that doesn't even look at the
body earlier.

Also, while URIs arguably could be considered "phrase matching", I
personally don't. Cause I don't even care about the content or
advertising phrases at all, but sniper these annoying, abused domains.

The quite characteristic HTML markup and the fact that this stupid
spammer uses all lower-case, single word subjects exclusively makes them
identifiable without matching on phrases. The almost constant length of
both multipart/related MIME parts and its overall structure of 2 blobs
gives another hint. Score if all are true.

Plus, the various blacklists, identifying the sending machines as
zombies and the MX handing over IP as end-user intended.

guenther


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
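
The reply above combines several structural signals: a single, all lower-case subject word, a multipart/related message made of two parts, HTML markup, and near-constant part lengths, scored only when all are true. The sketch below is an added example, not part of the original post and not the poster's rule. The sample message, sub-test names, size baseline and 10% tolerance are assumptions, and the HTML test is only a stand-in because the post does not spell out the markup.

```python
import email
import re
from email import policy

# Constructed sample (not real spam): boundary and payloads are made up.
SAMPLE = """\
Subject: greetings
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:img1"></body></html>
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1--
"""

REQUIRED = {"SUBJ_LC_WORD", "TWO_PARTS", "HTML_PART", "SIZES_OK"}  # hypothetical names

def _parse(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    parts = list(msg.iter_parts()) if msg.get_content_type() == "multipart/related" else []
    return msg, parts, [len(p.get_payload(decode=True) or b"") for p in parts]

def part_sizes(raw):  # decoded byte length per part, for recording a baseline
    return _parse(raw)[2]

def structural_hits(raw, expected_sizes=None, tol=0.10):
    """Names of the structural sub-tests that fire; body phrases are never matched."""
    msg, parts, sizes = _parse(raw)
    hits = set()
    if re.fullmatch(r"[a-z]+", str(msg["Subject"] or "").strip()):
        hits.add("SUBJ_LC_WORD")          # one all lower-case word
    if len(parts) == 2:
        hits.add("TWO_PARTS")             # multipart/related made of 2 blobs
        if parts[0].get_content_type() == "text/html":
            hits.add("HTML_PART")         # stand-in for the markup test
        exp = expected_sizes or []
        if len(exp) == 2 and all(abs(s - e) <= tol * e for s, e in zip(sizes, exp)):
            hits.add("SIZES_OK")          # both parts close to the assumed baseline
    return hits

def is_match(raw, expected_sizes):
    """Meta-rule behaviour: hit only when every sub-test is true."""
    return REQUIRED <= structural_hits(raw, expected_sizes)
```
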