http://bugzilla.spamassassin.org/show_bug.cgi?id=1375
------- Additional Comments From [EMAIL PROTECTED] 2004-03-02 17:51 ------- > Legitimate mailers use ImageReady to split their images up > in itty bits (lord knows why), yes, but they'll all point to > the same place. Only a spammer uses dozens of different > host names. I think you are going to hit ham on this test no matter how you word it. Innocent mail like "hi Fred, here are the 12 best sites I've found to get plane reservations!" Followed of course by about 14 urls to different orbitz-type sites. Which isn't to say that it is necessarily a bad test. I just suspect that the thing will hit far more ham than really desired, no matter how it is set up. Might be good as part of a meta though. I think there are at least two cases that can be tested for here. One is a whole bunch of urls to basically the same host (last node or two before .com is common), all pointing to the spam site. The other is a form of poisioning by using lots of random urls, many of which might not even be real. Most of those would likely show up as invisible links though, since if the sucker clicks one it won't take him to the spammer's site. It would probably be good to have the ability to count both types separately and make decisions based on the count, to make it easy to adjust for future spammer preferences. For instance, I'm getting a whole lot of stuff today from a new spammer that is sending this sort of stuff: "http://manley.chattel.gluttonearth.com/gld/gld.php"; "http://trinitarian.device.gluttonearth.com/gld/gld.jpg"; "http://rip.burundi.gluttonearth.com/gld/lucky.php"; "http://improvident.centerline.gluttonearth.com/id/cease.html"; "http://denver.troika.gluttonearth.com/gld/morning.jpg"; He seems to have a couple main domains with 2-3 random words in front of the main domain name. Loren ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
![http://trinitarian.device.gluttonearth.com/gld/gld.jpg"](http://trinitarian.device.gluttonearth.com/gld/gld.jpg"){kind=link}
![http://denver.troika.gluttonearth.com/gld/morning.jpg"](http://denver.troika.gluttonearth.com/gld/morning.jpg"){kind=link}