I've written a couple of rules for myself which seem to catch the stock GIF spams I receive fairly well. I've attached them here for your perusal. I don't claim to be an expert in regex so they may not be the best way to write such a rule, but they work for me! But you should score them according to your own needs. I find in my own setup that Bayes always gives a negative score to these spams due to the random text they have at the end of them, so I actually score these two rules of mine much higher to counter that.
Incidentally, none of the GIF stock spams I've received have a subject in the form of "Fw: 12345" (with digits) as I think a previous poster mentioned. The subjects of the ones I receive all vary, but contain words like "penny stox" or "microcap" or other easily identifiable phrases.

Actually I would love to find a way to write these rules of mine using "rawbody" instead of "full". But I can't figure out how to get that to work. I think it's because rawbody only checks the message one line at a time, right? Whereas my rules are trying to search across multiple lines. Is there any way around that? Eg. using /m (multi-line mode) or /s (single-line mode)? Are those two modes even allowed to be used with rawbody, or not?

I would love to be able to write a rule that can search across multiple lines (ie. including line breaks), but which does decode the message from quoted-printable or base64 first, which the "full" rule types do not do. But perhaps this is not possible.

Cheers,
Jeremy
"Shawn R. Beairsto" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

I'm getting hammered by these as well, usually scoring below 2 points. I'm running most of the standard SARE rules (including SARE_STOCKS). Any advice? Bayes training has (so far) been ineffective.

-Shawn

-----Original Message-----
From: Chris Conn [mailto:[EMAIL PROTECTED]
Sent: Friday, February 24, 2006 11:35 AM
To: users@spamassassin.apache.org
Subject: GIF stock spams

Hello,

Has anyone written any rules to catch the following types of spam

http://nisk.creenet.com/~cconn/sa/

They consist of a few lines of text (sometimes), and a .gif attachment that is in fact some penny stock being pushed.

Thanks in advance,
Chris
Attachment: stockspam.cf (binary data)
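An added illustration, not part of the original thread and not SpamAssassin's own code: this Python example models the three matching styles Jeremy's message contrasts (a search over the raw undecoded message, a line-at-a-time search over decoded text as he describes rawbody, and the decode-then-search-across-lines rule he asks for). The sample message, the pattern and all function names are constructed for the example.

```python
import base64
import email
import re

# Constructed sample message: base64-encoded text part plus a tiny GIF part.
BODY = b"Hot penny stox\nSymbol: XYZ\nBuy now\n"
SAMPLE = "\r\n".join([
    "From: sender@example.com",
    "Subject: market news",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=us-ascii",
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(BODY).decode("ascii"),
    "--b1",
    'Content-Type: image/gif; name="chart.gif"',
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(b"GIF89a" + bytes(6)).decode("ascii"),
    "--b1--",
    "",
])

# Hypothetical pattern whose two phrases sit on different lines; re.S is Perl's /s.
PATTERN = re.compile(r"penny stox.{0,40}Buy now", re.I | re.S)

def decoded_text_parts(raw):
    """Return each text/* part with its transfer encoding undone."""
    parts = []
    for part in email.message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True)
            parts.append(data.decode(part.get_content_charset() or "latin-1", "replace"))
    return parts

def match_raw_message(raw):
    """'full'-style: one search over the undecoded message, headers included."""
    return bool(PATTERN.search(raw))

def match_decoded_per_line(raw):
    """Line-at-a-time search over decoded text, as the post describes rawbody."""
    return any(PATTERN.search(line)
               for text in decoded_text_parts(raw) for line in text.splitlines())

def match_decoded_whole(raw):
    """Decode first, then search each text part as one string (the wished-for rule)."""
    return any(PATTERN.search(text) for text in decoded_text_parts(raw))
```

On the constructed sample only the last function matches: the raw search sees base64 text, and no single decoded line holds both phrases.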