These rules should match:

rawbody __DOUBLE_HTML /<\/a><html><\/p>\s*<body><html>/
uri __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i

On Tue, Dec 12, 2023 at 8:44 PM natan <na...@epf.pl> wrote:

> Hi
> Thanks, but the link is random too, like:
>
> https://paste.debian.net/1300874/
>
>
> On 12.12.2023 at 12:21, Jimmy wrote:
>
>
> uri __ADB_CPN_LINK /\.campaign\.adobe\.com\/r\/\?/
> rawbody __IMG_SRC_CID /<img src=\"cid:\d/
>
> meta ADB_CPN_ABUSE __ADB_CPN_LINK && __IMG_SRC_CID
> describe ADB_CPN_ABUSE Possible malware link
> score ADB_CPN_ABUSE 2.5000
>
> Establishing a rule for "CONFIDENTIALITY NOTICE" is ineffective, it can be
> a false positive. Since I don't have visibility into all headers, consider
> creating rules based on specific headers or other rules that match these.
> Append these rules to the meta-rule and boost the overall score accordingly.
>
> Jimmy
>
>
> On Tue, Dec 12, 2023 at 5:53 PM natan <na...@epf.pl> wrote:
>
>> Hi
>> I have SpamAssassin version 3.4.6
>>
>> And I am trying to resolve two problems
>>
>> 1) I put eml with spam and learn SA like:
>> sa-learn --spam /root/spamik/
>>
>> In /root/spamik/ there are 4 e-mails
>> Works great, but after 7 days I must learn again, as if SA forgot what it
>> learned
>>
>> 2) I have a problem with one type of spam like:
>> https://paste.debian.net/1300865/
>> because:
>> contents - random
>> from - random
>> IP - random
>>
>> The construction is only somewhat similar, like base64 + html and png
>> All was signed by DKIM
>>
>> And I had to work around it in the following way, but it is not a solution
>>
>> rawbody EMAIL_20231207 /(necessary to delete the message completely|email message and any attachments are intended|automatically archived by Mimecast|sender and take the steps necessary)/i
>> describe EMAIL_20231207 Spam fake IQ password
>> score EMAIL_20231207 2
>>
>> rawbody EMAIL_20231207_1 /FONT\-FAMILY\:Arial/
>> score EMAIL_20231207_1 0.1
>> rawbody EMAIL_20231207_2 /BORDER-LEFT\:0\;MARGIN\:0\;PADDING-RIGHT\:0\;BACKGROUND\-COLOR\:white\;font\-stretch\:inherit/
>> meta EMAIL_20231207_ALL EMAIL_20231207_1 && EMAIL_20231207_2 && KAM_HTML_FONT_INVALID && MIME_HTML_ONLY
>> score EMAIL_20231207_ALL 2
>>
>> Any idea?
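
Added example, not part of the original messages or of SpamAssassin itself: a small Python harness for dry-running the thread's `uri`/`rawbody`/`meta` rules against sample bodies, to see which sub-rules fire and whether the meta scores before the rules go live. It assumes a simplified engine (plain regex URI extraction, whole-body `rawbody` matching, `&&`-only metas); the function name `evaluate` and all sample bodies and hostnames are constructed for illustration.

```python
import re

# Rules from this thread, in SpamAssassin syntax.
RULES = r'''
uri     __ADB_CPN_LINK  /\.campaign\.adobe\.com\/r\/\?/
rawbody __IMG_SRC_CID   /<img src=\"cid:\d/
meta    ADB_CPN_ABUSE   __ADB_CPN_LINK && __IMG_SRC_CID
score   ADB_CPN_ABUSE   2.5000
uri     __LONG_LINK_URL /https?:\/\/.{50,128}\.[a-z]{2,}\/\.[a-z]{2,}\//i
'''

def evaluate(body, rules=RULES):
    """Return (names of rules that hit, total score) for one raw HTML body."""
    # Simplification: real SpamAssassin decodes MIME and extracts URIs itself.
    uris = re.findall(r'https?://[^\s"\'<>]+', body)
    hits, metas, scores = {}, {}, {}
    for line in rules.strip().splitlines():
        kind, name, rest = line.split(None, 2)
        if kind == "meta":
            metas[name] = rest
        elif kind == "score":
            scores[name] = float(rest)
        else:
            # Split "/pattern/flags" into the pattern and its optional flags.
            pattern, flags = re.fullmatch(r"/(.*)/([a-z]*)", rest.strip()).groups()
            rx = re.compile(pattern, re.I if "i" in flags else 0)
            targets = uris if kind == "uri" else [body]
            hits[name] = any(rx.search(t) for t in targets)
    for name, expr in metas.items():
        # Only '&&' conjunctions are handled, which is all the thread's meta uses.
        hits[name] = all(hits.get(sub.strip(), False) for sub in expr.split("&&"))
    fired = sorted(n for n, hit in hits.items() if hit)
    return fired, sum(scores.get(n, 0.0) for n in fired)

# Constructed sample bodies (not taken from the pastes linked in the thread).
SPAM = ('<p><a href="https://t.example.campaign.adobe.com/r/?id=abc123">Open</a></p>\n'
        '<img src="cid:1a2b3c">')
NEWSLETTER = '<a href="https://t.example.campaign.adobe.com/r/?id=abc123">Read more</a>'
LONG_LINK = '<a href="https://' + "a" * 60 + '.example/.ab/">x</a>'

if __name__ == "__main__":
    for label, body in [("spam", SPAM), ("newsletter", NEWSLETTER), ("long", LONG_LINK)]:
        print(label, *evaluate(body))
```

The newsletter-style body hits only the `uri` sub-rule and scores nothing, which is the point of requiring both sub-rules in the meta.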