You seem to only be checking To: headers. There is no To: header in that
scrambled message. The thing with the To: is in the body of the spam.
You can try a couple of things to help:
header __HAS_TO To: /./
header __HAS_CC Cc: /./
meta NO_TO (!__HAS_TO && !__HAS_CC)
score NO_TO 1
header STRANGE_UIDL /[\!\"]/
score STRANGE_UIDL 2
body __BODY_HEADER /Message-ID\: .*From: .*To: /
meta HEADER_IN_BODY (NO_TO && __BODY_HEADER)
score HEADER_IN_BODY 5
All of the above is UNTESTED and may contain errors. And the scoring may be
a bit violent. Adjust as needed.
Loren
----- Original Message -----
From: "Damon McMahon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 22, 2004 5:19 PM
Subject: Getting past custom header rule
> Greetings,
>
> Any idea how this one is getting past my rules - note that these rules
have
> been tested and do work [true mailbox name and ISP have been replaced for
> privacy]:
>
> header TWO_TO_MYISP To =~ /([EMAIL PROTECTED]){2}/i
> header THREE_TO_MYISP To =~ /([EMAIL PROTECTED]){3}/i
> header FOUR_TO_MYISP To =~ /([EMAIL PROTECTED]){4}/i
> header FIVE_OR_MORE_TO_MYISP To =~ /([EMAIL PROTECTED]){5,}/i
> header __TO_MYISP_ADDRESS To =~ /[EMAIL PROTECTED]/i
> header __TO_MYMAILBOX_AT_MYISP To =~
> /(mymailbox1|mymailbox2|mymailbox3)[EMAIL PROTECTED]/i
> meta TO_MYISP_NOT_MYMAILBOX __TO_myisp_ADDRESS && !
> (__TO_MYMAILBOX_AT_MYISP)
> score TWO_TO_MYISP 3.0
> score THREE_TO_MYISP 3.5
> score FOUR_TO_MYISP 4.5
> score FIVE_OR_MORE_TO_MYISP 10.0
> score TO_MYISP_NOT_MYMAILBOX 4.5
>
> *** SPAM message begins ***
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from host-209-214-0-197.fll.bellsouth.net ([209.214.0.197])
> by smta09.mail.ozemail.net with SMTP
> id
>
<[EMAIL PROTECTED]
lsouth.net>;
> Tue, 23 Mar 2004 00:25:53 +0000
> Message-Id:
>
<[EMAIL PROTECTED]
lsouth.net>
> Date: Tue, 23 Mar 2004 00:25:54 +0000
> X-Spam-Checker-Version: SpamAssassin 2.63-agsvsoft_09032004 (2004-01-11)
on
> wensleydale.local
> X-Spam-Status: No, hits=2.4 required=4.6 tests=BIZ_TLD,HTML_20_30,
> HTML_IMAGE_ONLY_08,HTML_MESSAGE,NO_REAL_NAME autolearn=no
> version=2.63-agsvsoft_09032004
> X-Spam-Level: **
> X-UIDL: je)!!gk_!!$jT!!=eA"!
>
> 9
> Received: from 104.105.131.154 by 209.214.0.197; Mon, 22 Mar 2004 01:21:15
> -0700
> Message-ID: <[EMAIL PROTECTED]>
> From: "Leopoldo Stanford" <[EMAIL PROTECTED]>
> Reply-To: "Leopoldo Stanford" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> 8
> Subject: Fwd: Worldwide Shipping. No Embarrassments.
> [EMAIL PROTECTED]/ana/x.V^1!um.Vcod1n.AEGYJOKW
> Date: Mon, 22 Mar 2004 02:22:15 -0600
> X-Mailer: AOL 5.0 for Windows US sub 118
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="--847714351078737"
> X-Priority: 5
> X-MSMail-Priority: Low
> X-IP:172.82.102.186
> ----847714351078737
> Content-Type: text/html;
> Content-Transfer-Encoding: quoted-printable
>
>
> <!DOCTYPE html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www=
> .w3.org/TR/html4/loose.dtd">
>
> ----847714351078737--
>
> *** SPAM message ends ***
>
> _________________________________________________________________
> Get Extra Storage in 10MB, 25MB, 50MB and 100MB options now! Go to
> http://join.msn.com/?pgmarket=en-au&page=hotmail/es2
>
