I found that certain patterns of jpg and gif files were in a large majority of the spam which made it through my implementation of SA with BigEvil and some of the other custom rules. I started off with a URI rule to try and catch these. This worked in testing but not in actual production. I first thought that might be because SA wasn't processing the rule before pulling the html information out of the emails. I then tried using a rawbody rule to try and catch these emails. Could anyone who has worked with these types of rules offer any suggestions?
Sample rule:

    rawbody  BlackList_IMG /gb\.gif|gbtb\.gif|best-b\.jpg|outw\.gif|01\.jpg|01\.gif/i
    describe BlackList_IMG Offensive material Spam images.
    score    BlackList_IMG 5.0

OR

    uri      BlackList_IMG /gb\.gif|gbtb\.gif|best-b\.jpg|outw\.gif|01\.jpg|01\.gif/i
    describe BlackList_IMG Offensive material Spam images.
    score    BlackList_IMG 5.0

-Patrick Clary
