-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jens Benecke writes:
>Hi,
>
>Could anybody please run this rule against his SPAM/HAM corpus?
>
>I just whipped up this
>
>rawbody LOCAL_URL_SYNTAX_1 /www\.[a-z]\.[a-z]\.com\/[a-z0-9
>{1,4}\/\?AFF_ID=[a-z0-9]+\&[a-z]+[a-z]+/
>describe LOCAL_URL_SYNTAX_1 Spammer-like URL syntax - TEST RULE 04-02-07
>score LOCAL_URL_SYNTAX_1 1.0
>
>
>
>to catch all those mails that contain URLs like
>
><A
>HREF="http://www.xbaq.whatuthinkwillhappen.com/c/?AFF_ID=c1224&qgdwcmaewo=uwdi";>Clwck
Actually -- has anyone got *any* legit mail containing "aff_id",
"AFF_ID", "affiliateid", "aff_sub_id" etc.? I would bet not.
This may make a good rule:
uri LOCAL_URI_AFFILIATE /aff\w+id=/i
0 FPs on my corpus, plenty of spam hits.
- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Exmh CVS
iD8DBQFAJWNUQTcbUG5Y7woRAoITAKDP4Ot57SPD65RwWCqcRJMfQJpCTgCdGzcZ
q7+1MHM5Nd0LbWgy8FuuMk0=
=SNqQ
-----END PGP SIGNATURE-----
