uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/ rawbody __IMG_SRC_CID /<img src=\"cid:\d/
meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID describe ADB_CPN_ABUSE Possible malware link score ADB_CPN_ABUSE 2.5000 Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be false positive. Since I don't have visibility into all headers, consider create rules based on specific headers or other rule that match these. Append these rules to the meta-rule and boost the overall score accordingly. Jimmy On Tue, Dec 12, 2023 at 5:53 PM natan <na...@epf.pl> wrote: > Hi > I have a SpamAssassin version 3.4.6 > > And I try resolv two problem > > 1)I put eml with spam and learn SA like: > sa-learn --spam /root/spamik/ > > In /root/spamik/ is 4 e-mail > Worsk great but after 7 day i must learn agin like SA forgot what he > learned > > 2)I have a problem with one type a spam like: > https://paste.debian.net/1300865/ > beacuse: > contents - random > from - random > IP - random > > The construction is only somewhat similar like base64 + html and png > All wass signed by DKIM > > And I had to work around it in the following way but it is not a solution > > rawbody EMAIL_20231207 /(necessary to delete the message > completely|email message and any attachments are intended|automatically > archived by Mimecast|sender and take the steps necessary)/i > describe EMAIL_20231207 Spam fake IQ password > score EMAIL_20231207 2 > > rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/ > score EMAIL_20231207_1 0.1 > rawbody EMAIL_20231207_2 > /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/ > meta EMAIL_20231207_ALL IQ_EMAIL_20231207_1 && IQ_EMAIL_20231207_2 && > KAM_HTML_FONT_INVALID && MIME_HTML_ONLY > score EMAIL_20231207_ALL 2 > > Any idea ? > > > > -- >