No, I added that after observing multiple spams with random garbage after
the closing HTML tag in the HTML body part. Presumably it was an attempt
at Bayes poison, checksum avoidance, or some other filter evasion
technique.
I'll tighten it up.
FWIW, here is the rule I use. It obviously could be better, but I haven't
noticed that it misfires.
full __GOODEHTML1 m'</html>'i
full __GOODEHTML2 m'</html>(?:\s|=0A){0,50}(?:$|--|=)'is # stop on mime
ending boundary
meta LW_BADEHTML1 (__GOODEHTML1 && !__GOODEHTML2)
describe LW_BADEHTML1 Bad ending - something after </HTML>
score LW_BADEHTML1 1