> -----Original Message-----
> From: Karsten Br=E4ckelmann [mailto:guenther@rudersport.de]
> Sent: Wednesday, 20 February 2008 3:33 p.m.
> To: users@spamassassin.apache.org
> Subject: RE: Suggestions to block this spam
>=20
> On Wed, 2008-02-20 at 14:26 +1300, Michael Hutchinson wrote:
> > You'll be lucky to catch them on anything other than phrase =

matching, as
> > they're very simple in design, those spam messages. Much like the
> > "downlooadable sooftware" one's we used to get. To a program, =

there's
> > not much that looks like Spam about these messages.

>=20
> This is not true. I posted a meta rule that doesn't even look at =

the
> body earlier.
>=20
> Also, while URIs arguably could be considered "phrase matching", I
> personally don't. Cause I don't even care about the content or
> advertising phrases at all, but sniper these annoying, abused domains.
>=20
> The quite characteristic HTML markup and the fact that this stupid
> spammer uses all lower-case, single word subjects exclusively makes =

them
> identifiable without matching on phrases. The almost constant length =

of
> both multipart/related MIME parts and its overall structure of 2 blobs
> gives another hint. Score if all are true.
>=20
> Plus, the various blacklists, identifying the sending machines as
> zombies and the MX handing over IP as end-user intended.


Ah yes, I saw that one earlier on. I hadn't employed it as my phrases =
are working well, but I do intend to tweak a meta based on the one you =
posted, once I've had time to fully test the CLIENT_TO_MX part

Cheers,
Michael Hutchinson