Bill Cole wrote:
On 2022-02-08 at 04:28:16 UTC-0500 (Tue, 8 Feb 2022 01:28:16 -0800)
Loren Wilton <lwil...@earthlink.net>
is rumored to have said:
No, I added that after observing multiple spams with random garbage after the
closing HTML tag in the HTML body part. Presumably it was an attempt at Bayes
poison, checksum avoidance, or some other filter evasion technique.
I'll tighten it up.
FWIW, here is the rule I use. It obviously could be better, but I haven't
noticed that it misfires.
full __GOODEHTML1 m'</html>'i
full __GOODEHTML2 m'</html>(?:\s|=0A){0,50}(?:$|--|=)'is # stop on mime ending
boundary
TANGENTIAL:
I would advise against using such alternative regex syntax in rules. As you
obviously figured out, you CAN (for now...) use any valid Perl syntax for
writing a regex match, but I do not believe that we want to bless that as
something which will never break.
Maybe it's just inexperience with deep regex voodoo, but I'm not seeing
anything odd in those.
Are you talking about the use of m'' as the regex delimiter?
-kgd