On Sep 26, 2019, at 10:18 AM, John Hardin <jhar...@impsec.org> wrote: > > Some of those are following a pattern I've recently noticed - fairly > obviously bogus spamvertising domain URLs with some .gov URLs thrown in as > well. I'm assuming that's an attempt to leverage naïve domain whitelisting. > One has a Humane Society URL, I presume the goal is similar.
Although they may not be in the spamples I provided, I've also seen .edu links. And in today's spam I got a .gov.on.ca <http://gov.on.ca/> link. So we might need some variants, but then again, I suspect these will require a lot of tuning to guard against FPs. My new AC_ rules (particularly AC_LARGE_INDENT and AC_POST*EXTRAS) do really well locally, but not so much in masscheck ... but they hit otherwise very low-scoring spam. I would request that someone more talented than I am look at tuning those against FPs, if they are willing... Cheers. --- Amir