The first rule I posted below is broken. I have improved it
significantly with some more testing and verification if someone wants to
mass-check it.
header BAD_MSG_ID1 Message-Id =~ /^<.*([-\$]{3}|[\$]{2}|[.]{2}|[\\]{2}).*>$/
describe BAD_MSG_ID1 Message-Id contains common spam signs.
score BAD_MSG_ID1 2.0
[EMAIL PROTECTED] wrote on 02/04/2004 12:54:46 PM:
> Looking at my own message ids for the past month, I see that the pattern of
> two or more $ in a row only occurs in spam, and occurs regularly. Also
> three or more - in a row seems to only occur in spam, but is much less
> regular. With just over 400000 spam, 5000 match the 2 or more $ rule and
> 660 match the three or more - rule. However both of these types of spam
> generally score over 45 with most of the custom rulesets from this list
> active, bayes and network tests on. In more restrictive environments though
> testing for these could yield good results.
>
> The following is untested, possibly inaccurate and probably inefficient.
>
> header BAD_MSG_ID1 Message-Id =~ /^<.*([$]{2,}|[-]{3,}).*>$/
> describe BAD_MSG_ID1 Message-Id contains 2+ $ or 3+ - in a row
> score BAD_MSG_ID1 2.0
>
>
>
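
Added example (not part of the original posts and not SpamAssassin code): a small Python harness that runs both Message-Id patterns from this thread over constructed sample values, to show which inputs each one flags before a real mass-check. It assumes `$` inside a character class is read as a literal dollar sign; the sample Message-Ids and the names RULES, SAMPLES and mass_check are made up for illustration.

```python
import re

# Python ports of the two header rules quoted in the thread.
# Assumption: "$" inside a character class is a literal dollar sign.
RULES = {
    "original": re.compile(r'^<.*([$]{2,}|[-]{3,}).*>$'),
    "revised": re.compile(r'^<.*([-\$]{3}|[\$]{2}|[.]{2}|[\\]{2}).*>$'),
}

# Constructed Message-Id values (not taken from real mail).
SAMPLES = [
    "<20040204125446.GA1234@mail.example.com>",  # ordinary id
    "<part1.ABC-DEF--1@host.example.org>",       # only two dashes in a row
    "<abc$$def@example.net>",                    # two $ in a row
    "<a---b@example.net>",                       # three - in a row
    "<a-$-b@example.net>",                       # mixed run of - and $
    "<a..b@example.net>",                        # two dots in a row
    r"<a\\b@example.net>",                       # two backslashes in a row
    "abc$$def@example.net",                      # no angle brackets
]


def mass_check(samples):
    """Return {message_id: sorted names of the rules that hit}."""
    results = {}
    for msg_id in samples:
        hits = [name for name, rx in RULES.items() if rx.search(msg_id)]
        results[msg_id] = sorted(hits)
    return results


def revised_only(results):
    """Message-Ids flagged by the revised rule but not by the original."""
    return [m for m, hits in results.items() if hits == ["revised"]]


if __name__ == "__main__":
    res = mass_check(SAMPLES)
    for msg_id, hits in res.items():
        print(f"{msg_id:45} {', '.join(hits) or '-'}")
    print("revised rule only:", revised_only(res))
```

Both patterns are anchored on the enclosing `<` and `>`, so a Message-Id without angle brackets is never flagged by either rule.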