on Wed, Aug 11, 2004 at 12:34:48PM -0400, Rob McEwen wrote:
> Stephen:
> The following rule would have caught both of my sample spam messages. Would these catch the other spams you've seen from this spammer... or has he varied this up in other e-mails to prevent this rule (alone) from catching him:
> (case sensitive) %LETTER</STRONG></BIG>,<STRONG><BIG>%LETTER</BIG></STRONG>]></FONT>
> - %LETTER = a random letter
> - everything else is literal

Only matched 7 out of the 100 copies I have in my corpus here.
<BIG><STRONG> matched 218 occurrences, <STRONG><BIG> matched 181 lines. Both matched 89 of the 100.

> Also, I found that that domain script generated 1,300+ domains. I've decided that the added resources of checking each message for this many domains is not worth it based on how many will actually be caught. However, I might integrate this domain list "*namefromlist*.org" as a factor in a compound rule.

Well, that is, of course, why SURBL is around, right? You don't check the entire list of domains, you find domains in the body (every one I've seen has had only the one) and then check against the list.
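
The lookup direction described in the last reply, as an added example that is not part of the original thread: pull the domains out of the message body first, then test each one against the list, so the cost depends on how many URLs the message has and not on the 1,300+ list entries. The listed domains, the sample body, the partial two-level suffix table and all function names are constructed for illustration; a SURBL client would resolve the query name in DNS where this sketch uses a local set.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the generated domain list (not real indicators).
LISTED = {"examplepills.org", "cheap-meds-example.org"}
# Assumption: tiny sample of two-level suffixes; real code needs a full table.
TWO_LEVEL = {"co.uk", "com.au", "org.uk"}
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def base_domain(host):
    """Reduce a hostname to the registered domain the list is keyed on."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def body_domains(body):
    """Registered domains of every http(s) URL found in the body."""
    found = set()
    for url in URL_RE.findall(body):
        try:
            host = urlsplit(url).hostname
        except ValueError:          # malformed authority, e.g. a broken [ipv6]
            continue
        # Skip empty hosts, single labels and bare IPv4 addresses.
        if host and "." in host and not re.fullmatch(r"[\d.]+", host):
            found.add(base_domain(host))
    return found

def listed_domains(body, listed=LISTED):
    """One set lookup per body domain, independent of the list size."""
    return sorted(d for d in body_domains(body) if d in listed)

def surbl_query_name(domain, zone="multi.surbl.org"):
    """DNS name a SURBL-style client would resolve for this domain."""
    return f"{domain}.{zone}"

# Constructed sample body: one listed domain, one unlisted, one bare IP.
SAMPLE = ('<FONT><a href="http://www.ExamplePills.org/r/?id=7">b<STRONG><BIG>u'
          '</BIG></STRONG>y</a></FONT> see http://lists.example.co.uk/faq '
          'and http://192.0.2.10/x')

if __name__ == "__main__":
    for d in listed_domains(SAMPLE):
        print("listed:", d, "->", surbl_query_name(d))
```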