I had several false positives today based on the BAD_X_HEADERS rule. I'm
using the rules from Chris' site (Nov02). The legitimate emails had an
X-URL header. All of the FPs were from a single mailing list. For whatever
reason, they are providing a valid link to some content within this
Subject: RE: [SAtalk] [RD] simple rule for consumption
Nope these are bogus. I have separate rules for them in the last Rule
Emporium update. I used separate, as they often are seen in pairs. Although
I didn't tag X-Email, because I'm not sure about that one.
X-Email: is pretty spammy for me
-Original Message-
From: Regis Wilson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 1:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [SAtalk] [RD] simple rule for consumption
*snip*
Writing rules is fun!
Why do you think I run 2000
Nope these are bogus. I have separate rules for them in the last Rule
Emporium update. I used separate, as they often are seen in pairs. Although
I didn't tag X-Email, because I'm not sure about that one.
X-Email: is pretty spammy for me, so it is in there. I grepped my corpus for
X-headers and
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
Santerre
Sent: Wednesday, October 22, 2003 8:21 AM
To: 'Regis Wilson'; [EMAIL PROTECTED]
Subject: RE: [SAtalk] [RD] simple rule for consumption
Nope these are bogus. I have separate rules for them in the last Rule
Emporium update. I used separate, as they often are seen in pairs. Although
I didn't tag X-Email, because I'm not sure about that one.
--Chris Santerre
-Original Message-
From: Regis Wilson [mailto:[EMAIL PROTECTED]