Hello Justin,
Saturday, February 7, 2004, 2:14:44 PM, you responded to Jens:
>>Could anybody please run this rule against his SPAM/HAM corpus?
>>rawbody LOCAL_URL_SYNTAX_1 /www\.[a-z]\.[a-z]\.com\/[a-z0-9
>> {1,4}\/\?AFF_ID=[a-z0-9]+\&[a-z]+[a-z]+/
>>describe LOCAL_URL_SYNTAX_1 Spammer-like URL syntax - TEST RULE 04-02-07
>>score LOCAL_URL_SYNTAX_1 1.0
>>to catch all those mails that contain URLs like
>><A
>>HREF="http://www.xbaq.whatuthinkwillhappen.com/c/?AFF_ID=c1224&qgdwcmaewo=uwdi";>Clwck
JM> Actually -- has anyone got *any* legit mail containing "aff_id",
JM> "AFF_ID", "affiliateid", "aff_sub_id" etc.? I would bet not.
JM> This may make a good rule:
JM> uri LOCAL_URI_AFFILIATE /aff\w+id=/i
I tested these two rules:
rawbody LOCAL_URL_SYNTAX_1
/www\.[a-z]\.[a-z]\.com\/[a-z0-9]{1,4}\/\?AFF_ID=[a-z0-9]+\&[a-z]+[a-z]+/
describe LOCAL_URL_SYNTAX_1 Spammer-like URL syntax - TEST RULE 04-02-07
score LOCAL_URL_SYNTAX_1 1.0
uri LOCAL_URI_AFFILIATE /aff\w+id=/i
describe LOCAL_URI_AFFILIATE spam from an affiliate
score LOCAL_URI_AFFILIATE 1
OVERALL% SPAM% HAM% S/O RANK SCORE NAME
91185 73148 18037 0.802 0.00 0.00 (all messages)
100.000 80.2193 19.7807 0.802 0.00 0.00 (all messages as %)
2.071 2.5811 0.0000 1.000 1.00 1.00 LOCAL_URI_AFFILIATE
0.000 0.0000 0.0000 0.500 0.00 1.00 LOCAL_URL_SYNTAX_1
No matches at all for Jens' rule, great results to Jason's.
Bob Menschel
