A couple days ago, I wrote:
>       Some archive searching has revealed that multi-line matching isn't
> available yet. Is there another way to rework this rule that I'm
> missing, using meta rules perhaps? It would single-handedly get a lot of
> spam that I get, which is consistantly of the form of three "ambiguous
> product pitch:\nurl\n\n"s. My email address appears in the third URL,
> and the first two are mostly numeric. 
        What ultimately worked was to make several low-scoring (ie, .01)
rules to catch specific characteristics of the email (which each have
occasional false positives), especially the included URLs, and then one
heavyweight meta rule if 5 or more of those rules matched. This would
probably be effective for most spam types that use a specific subset of
common ham words, such as testing for several matches out of "browser",
"cache", 'significant other' terms, website(s) visit(ed), hard drive,
history, watched/tracked, and so on to catch history/cache deleting
sofware spam.

Hope this is helpful.
sckot Vokes
"I wish I had a 2 liter of Pepsi in my box of replacement
 staples, so if they needed to quench their thirst, then
 they could ride the snake." -Kefka P

The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
Spamassassin-talk mailing list

Reply via email to