I seem to remember we discussed a way to figure out how much HTML comment is
in a message, but I am not able to find a decent ruleset that is trying to
count the amount of comment.
Let me elaborate with an example: http://pastebin.com/AS6kvLH2
I do realize the spamvertized site (way way down
Let me elaborate with an example: http://pastebin.com/AS6kvLH2
1.0 RCVD_IN_CSSRBL: Received via a relay in Spamhaus CSS
[64.120.212.26 listed in zen.spamhaus.org]
1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
Benny Pedersen wrote:
1.0 RCVD_IN_CSSRBL: Received via a relay in Spamhaus CSS
1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
blocklist
[URIs: universmallmail.com]
seems wasted :)
As I said, sure they are in RBL now.
As I said, sure they are in RBL now. They were not when this message
was
delivered. That's the whole point of coming up with a diffent
approach here,
the amount of comment in the message.
i got bayes_99 on this unknown spam
meta SPF_SPAM_AS_NEUTRAL (SPF_NEUTRAL SPF_HELO_NEUTRAL)
and set
On 2/6/2012 12:57 PM, Mynabbler wrote:
As I said, sure they are in RBL now. They were not when this message was
delivered.
Looking at the date/time stamps, I'm almost positive that this URI was
blacklisted in BOTH uribl-BLACK and ivmURI *hours* before your sample
message arrived.
But, of
On Mon, 6 Feb 2012, Benny Pedersen wrote:
As I said, sure they are in RBL now. They were not when this message was
delivered. That's the whole point of coming up with a diffent approach
here,
the amount of comment in the message.
i got bayes_99 on this unknown spam
meta
But, of course, your question is till valid! Having rules in place in
SA
to deal with this kind of attempt at getting around bayes-filtering
is a
good idea!
imho bayes does not see html comments, but still here it got bayes_99
what did i miss ?
On Mon, 2012-02-06 at 09:57 -0800, Mynabbler wrote:
As I said, sure they are in RBL now. They were not when this message was
delivered. That's the whole point of coming up with a diffent approach here,
the amount of comment in the message.
Something like this might work:
body __SR1
body __SR1 /html\s{0,2}!--/
body __SR2 /--\s{0,2}body/
does not work since body rules strip html comments
with rawbody it ignore limits but hits on both