Hi,
I'm having trouble catching spam with short bodies, typically just a URL,
sometimes also with some junk text. I've been using a rule developed with
KAM some time ago, but not sure if something's changed, or the rule never
worked as I expected, but it's having problems, and I hoped someone could
help.

body __RB_GT_200 /^.{201}/s
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
meta __RB_LE_200 !__RB_GT_200 # less or equal IFF not greater
mimeheader __MIME_IMAGE Content-Type =~ /^image\/./
mimeheader __MIME_ATTACH Content-Disposition =~ /^attachment/
meta LOC_SHORT ((__BODY_LE_200 && __HAS_HTTP_URI) && (!(__MIME_IMAGE || __MIME_ATTACH )))
describe LOC_SHORT Has URI and short body
score LOC_SHORT 1.1

Here's a pastebin example, which clearly isn't a short body. It's catching
a ton of false-positives. Is it possible the rule is not properly
distinguishing the "multi-part message in MIME format" short body with the
actual message? There are other cases where there isn't the "multi-part
MIME" section and it's still being tagged.
http://pastebin.com/JnCHUtqV
Thanks,
Alex
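
An added example, not part of the original post and not SpamAssassin code: a small Python model of the LOC_SHORT meta logic, evaluated once against the whole body and once paragraph by paragraph. SpamAssassin applies `body` rules to each paragraph of the rendered body rather than to the message as a whole, so `/^.{201}/s` tests paragraph length; the paragraph splitter, the `HTTP_URI` pattern and both sample messages below are simplified, constructed stand-ins.

```python
import re

GT_200 = re.compile(r"^.{201}", re.S)    # same pattern as __RB_GT_200
HTTP_URI = re.compile(r"https?://\S+")   # stand-in for __HAS_HTTP_URI (assumption)


def paragraphs(body):
    """Simplified model: split on blank lines and collapse line breaks
    inside each paragraph (assumption, not SpamAssassin's renderer)."""
    return [" ".join(p.split()) for p in re.split(r"\n\s*\n", body) if p.strip()]


def loc_short(body, per_paragraph, has_image=False, has_attach=False):
    """Evaluate the LOC_SHORT meta as written in the post.

    per_paragraph=False: the regex sees the whole body (what the rule intends).
    per_paragraph=True:  the regex sees one paragraph at a time.
    """
    units = paragraphs(body) if per_paragraph else [body]
    rb_gt_200 = any(GT_200.search(u) is not None for u in units)
    body_le_200 = not rb_gt_200          # __RB_LE_200 / __BODY_LE_200
    has_uri = HTTP_URI.search(body) is not None
    return body_le_200 and has_uri and not (has_image or has_attach)


# Constructed sample: the short URL-only spam the rule is meant to catch.
SHORT_SPAM = "Check this out\n\nhttp://example.com/offer\n"

# Constructed sample: a long legitimate message made of short paragraphs.
LONG_HAM = "\n\n".join(
    "This is paragraph %d of an ordinary message, well under the limit." % i
    for i in range(8)
) + "\n\nSee http://example.com/docs for details.\n"

if __name__ == "__main__":
    for name, msg in (("SHORT_SPAM", SHORT_SPAM), ("LONG_HAM", LONG_HAM)):
        print(name, "len=%d" % len(msg),
              "whole-body:", loc_short(msg, per_paragraph=False),
              "per-paragraph:", loc_short(msg, per_paragraph=True))
```

In this model the long message only matches LOC_SHORT when the regex is applied per paragraph, because no single paragraph reaches 201 characters even though the body as a whole is far longer.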