On Fri, 2013-03-01 at 15:38 +0000, Scott Ostrander wrote:
> Would someone put some samples of Yahoo single link spam on PasteBin.
> I am trying to test my rules and I seem to be missing some of the variations.
>
Here's an example: it is the message I developed the following rule against: http://pastebin.com/VRvtDfER
I've obfuscated all e-mail addresses in it and verified that my rule catches the obfuscated version. The rule is this:

describe MG_YAHOO_FS Yahoo message-ID but not From: yahoo
header   __MG_YAHFS1 Message-id =~ /yahoo\.com>$/
header   __MG_YAHFS2 From =~ /yahoo\.(com|co\.uk)/
meta     MG_YAHOO_FS (__MG_YAHFS1 && ! __MG_YAHFS2)
score    MG_YAHOO_FS 50

As I said previously, the apparently excessive score is needed to override the score that my auto-whitelister applies to sender addresses I've previously sent mail to: so far all messages I've had of this type have had forged senders that I've previously corresponded with.

Martin
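Added example (not part of Martin's post): a small Python harness that mirrors the logic of MG_YAHOO_FS so it can be checked against sample headers before the rule is deployed with a score of 50. The function names and all sample messages are constructed for illustration, and Python's re module stands in for SpamAssassin's Perl regex engine.

```python
import re
from email import message_from_string

# Same patterns as the two sub-rules in the post (case-sensitive, as written there).
MSGID_YAHOO = re.compile(r"yahoo\.com>$")        # __MG_YAHFS1
FROM_YAHOO = re.compile(r"yahoo\.(com|co\.uk)")  # __MG_YAHFS2


def mg_yahoo_fs(raw_message):
    """Return True when the meta rule (__MG_YAHFS1 && !__MG_YAHFS2) would hit."""
    msg = message_from_string(raw_message)
    # Header names are looked up case-insensitively; unfold and trim the values.
    msgid = " ".join((msg.get("Message-ID") or "").split())
    sender = " ".join((msg.get("From") or "").split())
    return bool(MSGID_YAHOO.search(msgid)) and not FROM_YAHOO.search(sender)


# Constructed sample messages; addresses and Message-IDs are placeholders.
YAHOO_ID = "Message-id: <1362150000.12345@web0000.mail.yahoo.com>\n"
SAMPLES = {
    # Yahoo Message-ID, sender outside Yahoo: the case the rule targets.
    "forged_sender": "From: Old Friend <friend@example.org>\n" + YAHOO_ID,
    # Yahoo Message-ID and a yahoo.co.uk sender: must not hit.
    "genuine_yahoo": "From: User <user@yahoo.co.uk>\n" + YAHOO_ID,
    # Neither header mentions Yahoo: must not hit.
    "unrelated": "From: friend@example.org\nMessage-ID: <abc@mail.example.org>\n",
    # Sender at a Yahoo domain the From pattern does not list: the rule hits,
    # so such senders need checking for false positives at this score.
    "other_yahoo_tld": "From: User <user@yahoo.fr>\n" + YAHOO_ID,
}


def run_samples():
    """Evaluate every constructed sample and return {name: hit}."""
    return {name: mg_yahoo_fs(raw + "Subject: hi\n\nbody\n")
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:16} {'HIT' if hit else 'no hit'}")
```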