Anyone else seeing anything like this:
http://www.deepnet.cx/~kdeugau/hotmail-spam.eml
slipping through?
Bayes is about the only thing I see getting any kind of ongoing handle
on these (and that, BAYES_60 is a reason to celebrate) - the only
content worth matching with more static rules is the URL. Some examples
have words or phrases in the Subject: or body that could be scored low
as porn-phrases, but most don't.
DNSBLs are pretty much useless, since the message *was* legitimately
relayed in from Hotmail.
A couple of times I've seen enough examples with similar enough URLs to
create a uri rule something like:
uri MISC_INFO m|https?://rita..sa..ly\.info/?$|
but the latest batch vary too much.
-kgd
