On Mon, 2008-04-21 at 19:35 -0400, Theo Van Dinter wrote:
> I haven't run any real statistics about this, but it's worth realizing
> that unless there's a significant number of spams that have this behavior,
> a rule probably costs more in resource use than it provides in hits.


Yeah. I didn't say anything about this being useful or not. Merely
pointing out issues with the already posted rules.

FWIW, I explicitly mentioned the rule to be untested, because I am not
running it. I can't recall ever having seen something like this in low
scoring spam. I occasionally do see 5 levels in *phishing* mail, which
gets caught without SA even touching 'em.

guenther


> A quick:
>
> pcregrep -ri 'http://(?:[^/.]+\.){7}'
>
> in my corpus shows about 20 spam hits in some 245000 mails. There could be
> reasons this RE wouldn't hit, but in general I wouldn't bother.


--
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a \x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}