On Tue, 2008-12-23 at 15:42 -0500, Christopher X. Candreva wrote:
> I have one particular user being hammered by porn spam from freemail
> accounts, mostly Yahoo and live.com. These are getting by existing
> rules, including 70_sare_adult_cf.
>

You may find this following approach. Its aim is to flag up spam from the likes of Yahoo and Google without generating FPs by using metarules, which IME are easier to make very selective than is possible with rules based on a single, complex regex.

I've accumulated a set of subrules that match characteristic words, phrases or URIs in the message body and another set of subrules that fire for messages from known spam nests such as live.com, Google and Yahoo: all subrules should have a very low score or have a double underscore prefix to suppress the score. Using a low score makes debugging easier than using the prefix because subrules that fire appear in the X-Spam headers.

I combine them into scoring meta-rules. These are easy to make very specific and can safely carry fairly high scores.

Be sure to accumulate a corpus of test messages and to regression test new or modified rules against the complete corpus to make sure they only fire on the expected messages.

I'm using a similar approach to trap listserv messages that punt livespace websites. I hope this gives you some useful ideas.

Martin
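
The subrule and meta-rule layout described in the message above, written out as an added SpamAssassin configuration example (not rules from the original post or from its author). Every rule name, pattern, domain and score here is a constructed assumption; the body and URI patterns are placeholders to be replaced with ones drawn from your own corpus.

```conf
# local.cf fragment. All names, patterns and scores below are constructed
# for illustration and are not taken from the original message.

# --- Sender subrules -------------------------------------------------------
# Double underscore prefix: these never score and never appear in the
# X-Spam headers on their own. The domain list is an assumption.
header   __LCL_FROM_YAHOO      From:addr =~ /\@yahoo\.com$/i
header   __LCL_FROM_LIVE       From:addr =~ /\@live\.com$/i
header   __LCL_FROM_GMAIL      From:addr =~ /\@gmail\.com$/i
meta     __LCL_FROM_FREEMAIL   (__LCL_FROM_YAHOO || __LCL_FROM_LIVE || __LCL_FROM_GMAIL)

# --- Content subrules ------------------------------------------------------
# Visible variant: no prefix and a very low score, so each hit is listed in
# the X-Spam headers while debugging. The score must be non-zero, because a
# rule scored 0 is not run at all.
body     LCL_SUB_PHRASE        /\b(?:placeholder phrase one|placeholder phrase two)\b/i
describe LCL_SUB_PHRASE        Subrule: characteristic phrase in the body
score    LCL_SUB_PHRASE        0.01

uri      LCL_SUB_URI           /^https?:\/\/[^\/]*\.example\.net\b/i
describe LCL_SUB_URI           Subrule: characteristic URI host
score    LCL_SUB_URI           0.01

# --- Scoring meta-rule -----------------------------------------------------
# Fires only when a freemail sender coincides with a content hit, which is
# what keeps it selective enough to carry a fairly high score.
meta     LCL_FREEMAIL_CONTENT  (__LCL_FROM_FREEMAIL && (LCL_SUB_PHRASE || LCL_SUB_URI))
describe LCL_FREEMAIL_CONTENT  Freemail sender plus characteristic phrase or URI
score    LCL_FREEMAIL_CONTENT  3.5
```

Run `spamassassin --lint` after editing to catch syntax errors before regression testing the rules against the full corpus.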