A couple days ago, I wrote: > Some archive searching has revealed that multi-line matching isn't > available yet. Is there another way to rework this rule that I'm > missing, using meta rules perhaps? It would single-handedly get a lot of > spam that I get, which is consistantly of the form of three "ambiguous > product pitch:\nurl\n\n"s. My email address appears in the third URL, > and the first two are mostly numeric. What ultimately worked was to make several low-scoring (ie, .01) rules to catch specific characteristics of the email (which each have occasional false positives), especially the included URLs, and then one heavyweight meta rule if 5 or more of those rules matched. This would probably be effective for most spam types that use a specific subset of common ham words, such as testing for several matches out of "browser", "cache", 'significant other' terms, website(s) visit(ed), hard drive, history, watched/tracked, and so on to catch history/cache deleting sofware spam.
Hope this is helpful. sckot Vokes -- "I wish I had a 2 liter of Pepsi in my box of replacement staples, so if they needed to quench their thirst, then they could ride the snake." -Kefka P ------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk