also, RCVD_FORGED_WROTE is still hitting them. (my motto: aim for the Received headers ;)
--j.

Chris Santerre writes:
> > -----Original Message-----
> > From: Steve Lake [mailto:[EMAIL PROTECTED]
> > Sent: Friday, November 10, 2006 12:52 PM
> > To: users@spamassassin.apache.org
> > Subject: Well, that didn't take very bloody long
> >
> >
> > Ok, remember that "Name Wrote: :)" emails? They've completely
> > changed. Now it's "hi username" instead. Joy, oh joy. Can anyone find
> > any common elements in these emails because whoever this putz is, they're
> > adapting a lot. They hit us, we adapt, they immediately change tactics and
> > come at us again. Now with all the brilliant minds on this mailing list,
> > we really should be able to find out who this putz is and nail all his
> > stuff regardless of what tactic he switches to.
>
> Ahahaha... I went and looked at mine that are being caught. Found one of my
> old rules is tagging some of these. I about spit up my NE Chowder!
>
> pts  rule name              description
> ---- ---------------------- --------------------------------------------------
>  1.2 MY_DSL                 Contains likely dsl address in header
>  0.3 MY_HELO                May be valid but catches most.
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  1.7 SARE_MLB_Stock1        BODY: SARE_MLB_Stock1
>  1.7 SARE_MLB_Stock5        BODY: Mentions stock symbol, tickers, or OTC.
>  0.6 MY_PHRS_LOW            BODY: low scoring phrases found
>  1.7 SARE_CSBIG             BODY: Only Mexican food gives me an Explosive
>                             Gain.
>
> I crack myself up!
>
> --Chris