From: "David B Funk" <[EMAIL PROTECTED]>
On Tue, 15 Aug 2006, Craig Baird wrote:
[snip..]
The other type of spam I'm seeing are empty messages. They have a single word
for a subject, but nothing in the body. About a year ago, I was getting
flooded with these, and I solved the problem by using the SARE_HTML_NO_BODY
rule from 70_sare_html4.cf. However, this rule does not seem to hit on this
recent crop of empty messages. I have no idea why.
Is anyone else seeing these, and more importantly, does anyone have a rule for
them?
I've been seeing floods of these critters recently, I assume that it's
some ratware misfire.
Here's what works for me:
# must use 'rawbody' as 'body' also includes Subject: header text
# see if message rawbody contains at least -one- non-blank character
rawbody __MSG_RAW_EXISTS /\S/
# Nope, declare the message to be missing the body
meta L_MISSING_BODY ! __MSG_RAW_EXISTS
describe L_MISSING_BODY Message body empty
score L_MISSING_BODY 0.5
# if they didn't give us a message body and are from a bad place, hit them
# hard.
#
meta L_MISSING_BODY2 ( L_MISSING_BODY && ( RCVD_IN_MAPS_DUL || L_RCVD_IN_XBL ||
L_RCVD_IN_DBFBL || RCVD_IN_BL_SPAMCOP_NET || RCVD_IN_SORBS || RCVD_IN_NJABL ||
RCVD_IN_NJABL_DIALUP || L_RCVD_IN_CBL || NO_DNS_FOR_FROM ))
score L_MISSING_BODY2 3.0
Betcha zero text files encoded base64 start with "R0lGODlh", the standard
GIF header.
{^_^}
