Hello Marcio, Tuesday, December 2, 2003, 3:12:04 AM, you wrote:
>> header RM_hr_VirtuaComBr Received =~ /virtua\.com\.br/ >> describe RM_hr_VirtuaComBr Spam passed through relay known to be used by spammers >> score RM_hr_VirtuaComBr 1.690 # 69s/0h of 63143 corpus MM> You may want to add dsl.telesp.net.br here. It is a bigger spam MM> source than virtua. BEWARE: There is ham coming from there also, but MM> mostly spam. Thanks for the tip/recommendation. In the 2.60 distribution I find > header FORGED_TELESP_RCVD Received =~ /\.(?!br).. > \(\d+-\d+-\d+-\d+\.dsl\.telesp\.net\.br / > describe FORGED_TELESP_RCVD Contains forged hostname for a DSL IP in Brazil > score FORGED_TELESP_RCVD 2.900 2.800 2.800 2.700 Possibly because of that latter rule, I've never seen the need to generate a Received rule for telesp.net.br Testing FORGED_TELESP_RCVD against the simpler Received rule for all of dsl.telesp.net.br with my corpus, I find: > RM_hr_VirtuaComBr -- 69s/0h of 63137 corpus (my rule above) > FORGED_TELESP_RCVD -- 1s/0h of 63137 corpus (2.60 distribution) > RM_hr_telesp -- 281s/0h of 63137 corpus So it looks like your recommendation has some value. The rule I tested was: > header RM_hr_telesp Received =~ /dsl\.telesp\.net\.br/ > describe RM_hr_telesp Spam passed through relay known to be used by spammers > score RM_hr_telesp 1.690 # 69s/0h of 63143 corpus Can it be improved? Bob Menschel ------------------------------------------------------- This SF.net email is sponsored by OSDN's Audience Survey. Help shape OSDN's sites and tell us what you think. Take this five minute survey and you could win a $250 Gift Certificate. http://www.wrgsurveys.com/2003/osdntech03.php?site=8 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk