Hello Mike,
Tuesday, May 25, 2004, 10:47:32 AM, you wrote:
MH> I have been seening a fair amount of the following in spam:
MH> X-Authentication-Warning: ANdhzoll05
MH> ...
MH> It appears to be uppercase 2 to 5, lowercase 5 to 7, & 2 digits
MH> header CSL_X_AUTH_WARN_1 exists:X-Authentication-Warning
MH> describe CSL_X_AUTH_WARN_1 X-Message-Info header found
MH> score CSL_X_AUTH_WARN_1 0.5
The X-Authentication-Warning itself is valid and common in ham. IMO this
Exists rule won't help. However:
MH> header CSL_X_AUTH_WARN_2 X-Authentication-Warning =~
/\b[A-Z]{2,5}[a-z]{5,7}[0-9]{2}\b/
MH> describe CSL_X_AUTH_WARN_2 X-Authentication-Warning: Contains Spam
Signature.
MH> score CSL_X_AUTH_WARN_2 4.5
looks good, and hits 29 spam, 0 ham, here.
I've been using Loren's
header LW_AUTH_WARN X-Authentication-Warning =~ /^(?:[a-z]{4,20}[\-\.\,]?
){2,8}/ # no /i, trailing space
describe LW_AUTH_WARN Fake X-Authentication-Warning header
score LW_AUTH_WARN 3.000
#counts LW_AUTH_WARN 416s/0h of 115937 corpus (94614s/21323h) 04/29/04
I'm going to add your rule right next to that one.
Bob Menschel
