Lots of comment in mail, how to score

2012-02-06 Thread Mynabbler
I seem to remember we discussed a way to figure out how much HTML comment is in a message, but I am not able to find a decent ruleset that is trying to count the amount of comment. Let me elaborate with an example: http://pastebin.com/AS6kvLH2 I do realize the spamvertized site (way way down

Re: Lots of comment in mail, how to score

2012-02-06 Thread Benny Pedersen
Let me elaborate with an example: http://pastebin.com/AS6kvLH2 1.0 RCVD_IN_CSSRBL: Received via a relay in Spamhaus CSS [64.120.212.26 listed in zen.spamhaus.org] 1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net

Re: Lots of comment in mail, how to score

2012-02-06 Thread Mynabbler
Benny Pedersen wrote: 1.0 RCVD_IN_CSSRBL: Received via a relay in Spamhaus CSS 1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist [URIs: universmallmail.com] seems wasted :) As I said, sure they are in RBL now.

Re: Lots of comment in mail, how to score

2012-02-06 Thread Benny Pedersen
As I said, sure they are in RBL now. They were not when this message was delivered. That's the whole point of coming up with a different approach here, the amount of comment in the message. i got bayes_99 on this unknown spam meta SPF_SPAM_AS_NEUTRAL (SPF_NEUTRAL SPF_HELO_NEUTRAL) and set

Re: Lots of comment in mail, how to score

2012-02-06 Thread Rob McEwen
On 2/6/2012 12:57 PM, Mynabbler wrote: As I said, sure they are in RBL now. They were not when this message was delivered. Looking at the date/time stamps, I'm almost positive that this URI was blacklisted in BOTH uribl-BLACK and ivmURI *hours* before your sample message arrived. But, of

Re: Lots of comment in mail, how to score

2012-02-06 Thread Dave Funk
On Mon, 6 Feb 2012, Benny Pedersen wrote: As I said, sure they are in RBL now. They were not when this message was delivered. That's the whole point of coming up with a different approach here, the amount of comment in the message. i got bayes_99 on this unknown spam meta

Re: Lots of comment in mail, how to score

2012-02-06 Thread Benny Pedersen
But, of course, your question is still valid! Having rules in place in SA to deal with this kind of attempt at getting around bayes-filtering is a good idea! imho bayes does not see html comments, but still here it got bayes_99 what did i miss ?

Re: Lots of comment in mail, how to score

2012-02-06 Thread Martin Gregorie
On Mon, 2012-02-06 at 09:57 -0800, Mynabbler wrote: As I said, sure they are in RBL now. They were not when this message was delivered. That's the whole point of coming up with a different approach here, the amount of comment in the message. Something like this might work: body __SR1

Re: Lots of comment in mail, how to score

2012-02-06 Thread Benny Pedersen
body __SR1 /html\s{0,2}!--/ body __SR2 /--\s{0,2}body/ does not work since body rules strip html comments with rawbody it ignore limits but hits on both