0.05 | FORGED_RCVD_HELO | Received: contains a forged HELO |
0.07 | HTML_FONT_INVISIBLE | HTML font color is same as background |
0.00 | HTML_MESSAGE | HTML included in message |
0.60 | J_CHICKENPOX_12 | 1alpha-pock-2alpha |
0.60 | J_CHICKENPOX_15 | 1alpha-pock-5alpha |
0.14 | RCVD_IN_SORBS_DUL | SORBS: sent directly from dynamic IP address |
0.16 | SARE_HTML_FONT_INVIS2 | contains HTML color which is likely spamsign |
0.12 | SARE_HTML_URI_2SLASH | URI has additional double slash within it |
1.46 | SARE_HTML_USL_OBFU | Message body has very strange HTML sequence |
2.67 | SARE_OBFU_PRICE1 | |
2.22 | SARE_OBFU_VISIT1 | |
-0.00 | SPF_HELO_PASS | SPF: HELO matches SPF record |

On 5/5/05, Robert Menschel <[EMAIL PROTECTED]> wrote:

Hello Devon,

Thursday, May 5, 2005, 6:02:58 PM, you wrote:

DH> Anyone?

DH> On 4/30/05, Devon Harding <[EMAIL PROTECTED]> wrote:
DH> There's got to be a way to stop this. I'm getting over 100 of these a day.

Making progress...

#counts SARE_OBFU_DRUGDOL1_SPC 2496s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_GPIL_TAG 890s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_LEVITRA_SPC 2723s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
modified regex to try to eliminate the ham
#counts SARE_OBFU_ONLY_SPC 2750s/2h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_ONLY_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_SPECIAL_TAG 897s/0h of 284851 corpus (112429s/172422h RM) 05/04/05
#counts SARE_OBFU_VIAGRA_SPC 4729s/5h of 284851 corpus (112429s/172422h RM) 05/04/05
modified regex to try to eliminate the ham

I hope to send the zero ham rules for full SARE mass-check in the next
day or two, and publish them within the 70_sare_obfu0.cf rule set some
time this weekend.

I have a few more rules that don't yet work but show promise...

Bob Menschel