However the word-breaking is a far greater and more reliable (less FP) spam-sign than any of the fairly generic and contextual words that were used in the body of the spam. This spam hit NO body rules other than the HTML related ones. It didn't hit any bayes score at all even with bayes turned on, something I've noticed happen every now and then.
To match this sort of word break one would have to backreference the prior font and compare faces (if used), size (if used), and color (if used). On Tuesday 10 February 2004 09:51 am, Matt Kettler wrote: > At 11:36 AM 2/10/2004, Brian Godette wrote: > >Got a new spam-sign today that I don't know how to make a rule match on. > > This is just another token/word breaking method, however it uses valid > > html, in this case it's using the same font over and over again. > > I know it's always good to try to have rules for every word-break tactic, > however, let's face it, this particular obfuscation tactic shouldn't be > effective against spamassassin in the first place. > > Remember, SA strips out HTML tags before it runs rules. > > Rules like this: > body LOCAL_MEDS /\bmeds\b/i > score LOCAL_MEDS 0.1 > > Should hit on that mail just fine, despite the gapping stuck in between the > letters. > > Really it strikes me as more of a lacking in your bayes training, and a > lacking in the default ruleset.
