Scott,

It pains me to suggest making your todo list longer but how about adding test grouping? It would be too much to make multiple weight scales, but how about something simpler. Say you wanted to make 3 groups of 3 each. Label one of the option columns in such a way that they can be grouped:

Group1       G1            x   x  0  0
Group2       G2            x   x  0  0
Group3       G3            x   x  0  0
BADHEADERS   badheaders    G1  x  0  0
BASE64       base64        G1  x  0  0
HELOBOGUS    helovalid     G1  x  0  0
MAILFROM     envfrom       G2  x  0  0
IPNOTINMX    ipnotinm      G2  x  0  0
PERCENT      percent       G2  x  0  0
REVDNS       revdnsexists  G3  x  0  0
ROUTING      spamrouting   G3  x  0  0
SPAMHEADERS  spamheaders   G3  x  0  0

Sub tests could be duplicated to run solo and in a group or not to run only in a group. Groups could be hit only in action files ($default) or have weights (being "tests" of their own).

We could then build profiles, adding all the different behaviors particular spams share, regardless of which tests define those behaviors. I would love, for example, to combine an IPFILE listing US broadband IPs with NONENGLISH.

Dan

On Wednesday, September 10, 2003 16:57, Dan Patnode <[EMAIL PROTECTED]> wrote:
>FYI, I pulled this test 3 weeks ago after an email from France
>came through (or rather didn't) with this subject:
>
>Subject:
>=?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=
>
>There definitely is a correlation here among spammers, ?B?
>encoded subjects, disposable domain names, and nothing else in
>the body of the message. There has to be a way to bring the 2
>or 3 variables together as a super test.
>
>
>Dan
>
>
>On Monday, September 8, 2003 19:05, Matthew Bramble <[EMAIL PROTECTED]> wrote:
>>Use a text filter and add something like:
>>
>>    SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>>
>> to it.
>>
>> I tried this all the way down to just ?b? and a SUBJECT filter
>>didn't catch it. The SUBJECT filter also doesn't catch the
>>decoded text.
>>
>> I found though that if you use the HEADERS filter, it will
>>catch this (customize to suit, this will only catch Latin-1
>>that is base64 encoded, and I can't think of why that would be
>>necessary, I would think that only other character sets could
>>need this):
>>
>>    HEADERS 10 CONTAINS ISO-8859-1?B?
>>
>> Neither the HEADERS filter nor the SUBJECT filter is catching
>>the decoded form of the text.
>>The BASE64 test is also not
>>catching this if it's only in the Subject of the message (I
>>assume it only does the body/attachments).
>>
>> The not so funny thing is that I'm getting this now as a part
>>of those E-mails containing no displayable text. This guy is
>>real good at getting through my settings unless he chooses a
>>bad IP to send from. I think a few days ago, another person on
>>this list commented about this same spammer, bringing up the
>>domains that he is using (common words followed by numbers).
>>The only pattern this guy leaves apart from having no text in
>>the body, is having different country's TLDs listed in the
>>Received line, the sender, and the reverse DNS. Here's a copy
>>of what I just received using this technique (with links
>>modified):
>>
>>
>>From - Mon Sep 08 17:36:44 2003
>>X-UIDL: 314612976
>>X-Mozilla-Status: 0011
>>X-Mozilla-Status2: 00000000
>>Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
>>  (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
>>Date: Mon, 08 Sep 2003 21:35:35 +0000
>>Message-ID: <[EMAIL PROTECTED]>
>>X-Mailer: Windows Eudora Pro Version 2.2 (32)
>>To: [EMAIL PROTECTED]
>>Subject:
>>=?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
>>MIME-Version: 1.0
>>From: "Shirley Dalton" <[EMAIL PROTECTED]>
>>Content-Type: text/html
>>Content-Transfer-Encoding: 8bit
>>X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
>>X-Declude-Spoolname: Df62404f101d89e2c.SMD
>>X-Note: This E-mail was scanned by iGaia Incorporated's E-mail
>>service (www.igaia.com) for spam.
>>X-Note: This E-mail was sent from
>>host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
>>X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
>>X-RCPT-TO: <[EMAIL PROTECTED]>
>>Status: U
>>X-UIDL: 314612976
>>
>><html><body>
>><center><!--lfoln42j66--><a
>>href="http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni"><img
>>src="http://discountrate2-dot-com/pics/gv1.gif" height="270"
>>width="405"></a></center>
>></html></body>
>>
>>
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>---
>This E-mail came from the Declude.JunkMail mailing list. To
>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
>type "unsubscribe Declude.JunkMail". The archives can be found
>at http://www.mail-archive.com.
>