Robert Menschel wrote:
> I tested these two rules:
> rawbody LOCAL_URL_SYNTAX_1
> /www\.[a-z]\.[a-z]\.com\/[a-z0-9]{1,4}\/\?AFF_ID=[a-z0-9]+\&[a-z]+[a-z]+/
> describe LOCAL_URL_SYNTAX_1 Spammer-like URL syntax - TEST RULE 04-02-07
> score LOCAL_URL_SYNTAX_1 1.0
> uri LOCAL_URI_AFFILIATE /aff\w+id=/i
> describe LOCAL_URI_AFFILIATE spam from an affiliate
> score LOCAL_URI_AFFILIATE 1
>
> OVERALL% SPAM% HAM% S/O RANK SCORE NAME
> 91185 73148 18037 0.802 0.00 0.00 (all messages)
> 100.000 80.2193 19.7807 0.802 0.00 0.00 (all messages as %)
> 2.071 2.5811 0.0000 1.000 1.00 1.00 LOCAL_URI_AFFILIATE
> 0.000 0.0000 0.0000 0.500 0.00 1.00 LOCAL_URL_SYNTAX_1
>
> No matches at all for Jens' rule, great results to Jason's.
That's because my rule was buggy. And the one above contains a typing
mistake, I think. :)
This should catch them:
rawbody LOCAL_URL_SYNTAX_1 /(www\.[a-z]\.com=)?[a-z]+\.[a-z]+\.com\/[a-z0-9]{1,4}\/(index\.php)?\?AFF_ID=[a-z0-9]+(\&[a-z0-9]+=[a-z0-9]+)?/
describe LOCAL_URL_SYNTAX_1 Spammer-like URL syntax - TEST RULE 04-02-07
score LOCAL_URL_SYNTAX_1 1.0
or use "uri" instead of "rawbody" (I honestly don't know exactly what "uri"
assumes so I just search the raw message body).
At least my SPAM folder likes them:
(total mails, mails containing AFF_ID, mails containing my rule)
# grep -c "^From " .Mailbox.S{PAM,URESPAM}
.Mailbox.SPAM:3368
.Mailbox.SURESPAM:8014
# grep -c AFF_ID .Mailbox.S{PAM,URESPAM}
.Mailbox.SPAM:1473
.Mailbox.SURESPAM:1058
# egrep -c '(www\.[a-z]\.com=)?[a-z]+\.[a-z]+\.com\/[a-z0-9]{1,2}\/(index\.php)?\?AFF_ID=[a-z0-9]+(\&[a-z0-9]+=[a-z0-9]+)?' .Mailbox.{SPAM,SURESPAM}
.Mailbox.SPAM:1469
.Mailbox.SURESPAM:1027
--
Jens Benecke (jens at spamfreemail.de)
http://www.hitchhikers.de - Europe-wide free ride-sharing service
http://www.spamfreemail.de - 100% clean mailboxes - guaranteed!
http://www.rb-hosting.de - PHP from 9? - SSH from 19? - cheap traffic
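
Added example, not part of the original message and not SpamAssassin code: the three patterns from this thread run over constructed sample lines, showing that the rule as tested only fires when both host labels after "www." are single letters. It assumes Python's re module as a stand-in for Perl regexes and applies each pattern per line; the sample lines and the rule_hits helper are hypothetical.

```python
import re

# Patterns copied from the message. Python's re stands in for Perl here;
# none of these expressions use Perl-only syntax.
RULES = {
    # As tested in the quoted mass-check run (zero hits).
    "LOCAL_URL_SYNTAX_1 (as tested)": re.compile(
        r"www\.[a-z]\.[a-z]\.com\/[a-z0-9]{1,4}\/\?AFF_ID=[a-z0-9]+\&[a-z]+[a-z]+"),
    # Corrected rule from the reply.
    "LOCAL_URL_SYNTAX_1 (corrected)": re.compile(
        r"(www\.[a-z]\.com=)?[a-z]+\.[a-z]+\.com\/[a-z0-9]{1,4}\/"
        r"(index\.php)?\?AFF_ID=[a-z0-9]+(\&[a-z0-9]+=[a-z0-9]+)?"),
    # The uri rule from the quoted test; /i maps to re.IGNORECASE.
    "LOCAL_URI_AFFILIATE": re.compile(r"aff\w+id=", re.IGNORECASE),
}

# Constructed sample lines (assumption: not taken from real mail).
SAMPLES = {
    "spam_plain": "http://www.example.com/ab1/?AFF_ID=x9k2&page=3",
    "spam_index": "http://www.example.com/q7/index.php?AFF_ID=77abc",
    "one_letter_labels": "http://www.a.b.com/x1/?AFF_ID=abc&ref",
    "ham": "http://www.example.com/docs/index.php?id=42",
}


def rule_hits(rules=RULES, samples=SAMPLES):
    """Return {rule name: sorted names of the samples that rule matches}."""
    return {
        name: sorted(key for key, line in samples.items() if rx.search(line))
        for name, rx in rules.items()
    }


if __name__ == "__main__":
    for name, matched in rule_hits().items():
        print(f"{name:32} {matched}")
```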