On Mon, 7 Feb 2005 [EMAIL PROTECTED] wrote:
>
> I just created a rule for the most common spams that have been making it
> through SA, but for some reason, it's not showing up in the tests:
>
> body SEE_ATTACH /See attachment message.html/i
> describe SEE_ATTACH body contains See attachment message.html
> score SEE_ATTACH 5.0
>
> --lint shows no problems....
(replying to my own post)
I found out what the problem is, and it seems like it should be considered
a bug in SA. The text in question is in the second line of the body of
the message, and it seems it is being ignored by SA, because if I insert a
couple of LFs to move it down, the rule kicks in. I had tried changing it
from "body" to "header" (also tried "rawbody) and that didn't work. Here
is a look at the offending message, sans the html attachment:
Return-Path: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 47948 invoked from network); 6 Feb 2005 07:17:59 -0000
Received: by simscan 1.0.7 ppid: 47553, pid: 47562, t: 29.0736s
scanners:none
Received: from unknown (HELO localhost) (213.98.12.243)
by richard2.pil.net with SMTP; 6 Feb 2005 07:17:30 -0000
Message-ID: <[EMAIL PROTECTED]>
From: "Halpern Helen"<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Reply-To: "Halpern Helen"<[EMAIL PROTECTED]>
Subject: 75% Off for All New Software.
Date: dom, 06 feb 2005 08:17:22 +0100
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
X-Sender: "Halpern Helen"<[EMAIL PROTECTED]>
Content-Type: multipart/mixed;
boundary="------------56L352DTUJU4N2"
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mail.pil.net
X-Spam-Status: No, score=3.8 required=6.0
tests=BAYES_00,FORGED_YAHOO_RCVD,
INVALID_DATE,RCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.0.2
X-Spam-Level: ***
Parts/Attachments:
1 Shown 1 lines Text
2 OK ~23 KB Text
----------------------------------------
See attachment message.html
[ Part 2, Text/HTML (Name: "message.html") 1 lines. ]
[ Not Shown. Use the "V" command to view or save this part. ]
