On Fri, 2009-01-23 at 07:56 -0800, Dennis Hardy wrote:
> Hi, I'm getting hammered by snowshoe spam :-(  I've added rules to try to
> catch common formats of included URLs in the spam, but I'm wary of scoring
> these rules too high because of the potential for false positives.  It's
> hard to come up with other rules as the spam e-mail content is so generic. 
> By default these spams score incredibly low (bayes, etc.)  In many cases,
> the low bayes values are scoring negative, which completely offsets the few
> positive scoring rules that I have added.

I've been using this rule to knock some of these down:
uri AE_ASM                      /\/[[:alpha:]]{28,40}$/
describe AE_ASM                 long gibberish path used by ASM Marketing
score AE_ASM                    1

Highly unusual to have a url like that in ham...
I'm running a meta to bump up the score...

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com

Reply via email to