James Wilkinson writes:
> Michael Hutchinson wrote:
> > There's been a rise in Canadian Pharmaceutical Spam lately. This spam is
> > quite basic, generally only including some text and a link. The link is
> > always changing so we can't score against that.
> >
> > About the only other thing it scores on is the FORGED_HOTMAIL_RCVD rule,
> > which doesn't have a big enough score to push the Spam over the 5.0
> > points threshold.
> >
> > Does anyone have some effective rules / rulesets / update channels that
> > would help to eliminate this stuff? I've been writing rules against it
> > for the past few months. We've just employed our 61st rule against this
> > type of Spam. Admittedly a lot of those are just basic phrase matching,
> > and aren't complicated rules - but then the Spam changes enough each
> > cycle, that it avoids complicated rules that I might write.

>
> I find that a meta rule where the body contains "http://" and has no
> paragraphs above 100 to 140 characters╣ will give a few false positives,
> so you can't score it too highly, but it catches a *lot* of spam.
>
> The ham that matches this rule tends to be surprisingly rare, doesn't
> score highly on anything else, and is from regular correspondents (so
> the AWL helps).
>
> If any of the SA developers are reading, I'd love to see how rules like
> this play in the sandbox...
>
> James.
>
> ╣ I'd like to do it on body length, but I can't find a suitable way of
> doing this. body /.{100}/ will match on any e-mail which *has* got a
> paragraph of > 99 characters...


Provide a plugin that does it efficiently, and I'll try it out

--j.