Ah, I see now. This can get tricky though -- looking for no visible text at all (just HTML tags) would be easy for spammers to bypass. Checking for the amount of visible text compared to the amount of HTML code seems like a good idea at first, except thanks to Microsoft Word E-mail, that won't work anymore (it has something like 8K of HTML code even for a single sentence).
Well, if you made it more complicated, you would also increase the potential for false positives as you indicated. While this might only be a fad, there's a good deal of it going on right now and the false positives would be nonexistent. It would be nice also to catch the linked image plus a dabble of random text, but that would be a different test IMO.
I'm pretty sure from reading your comments in the archives that you already know how to parse out all the tags for your body filter, and if you exclude spaces and returns as characters, and test to see if there was not an attachment by the way of the link ( <img src="cid:yaddayaddayadda>, in Netscape 7.1 at least) or by MIME multi-part Content-type: [anything but text/HTML], or something else that would indicate an attachment, then you have a match. That attachment thing is to protect against people sending just a document or an image, or having the image embedded, without any accompanying text.
I actually just received another copy of the same message a minute ago, the second one in just a few hours that only scored 1 out of 10 in my filters and that could be stopped with confidence by this test. That's just my own account...If you're not convinced of the current need, just ask around and I'm sure most everyone is seeing the same.
While we're on the topic of attachments and requests, testing for attachments would also be a great way to negative score incoming E-mail, though it might help viruses get through if not scanned for that. I can't think of the last piece of spam that I saw with an attachment, yet some of my false positives would benefit from such a thing. Maybe the logic from the above could be dual purposed???
I'll owe you a lunch if you're ever out my way :)
Thanks,
Matt
--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
