Michael Hutchinson wrote:
> There's been a rise in Canadian Pharmaceutical Spam lately. This spam i=

> quite basic, generally only including some text and a link. The link is
> always changing so we can't score against that.
> About the only other thing it scores on is the FORGED_HOTMAIL_RCVD rule=

> which doesn't have a big enough score to push the Spam over the 5.0
> points threshold.
> Does anyone have some effective rules / rulesets / update channels that
> would help to eliminate this stuff? I've been writing rules against it
> for the past few months. We've just employed our 61st rule against this
> type of Spam. Admittedly a lot of those are just basic phrase matching,
> and aren't complicated rules - but then the Spam changes enough each
> cycle, that it avoids complicated rules that I might write.

I find that a meta rule where the body contains "http://" and has no
paragraphs above 100 to 140 characters=B9 will give a few false positives=
so you can't score it too highly, but it catches a *lot* of spam.

The ham that matches this rule tends to be surprisingly rare, doesn't
score highly on anything else, and is from regular correspondents (so
the AWL helps).

If any of the SA developers are reading, I'd love to see how rules like
this play in the sandbox...


=B9 I'd like to do it on body length, but I can't find a suitable way of
doing this. body /.{100}/ will match on any e-mail which *has* got a
paragraph of > 99 characters...

E-mail: james@ | The opinions expressed herein are not necessarily th=
aprilcottage.co.uk | of my employer, are not necessarily mine, and in fac=
t are
| probably not necessary at all...