[EMAIL PROTECTED] writes: > >> Hello list, > >> For your consideration: > >> > >> header __MULTIPART_RELATED Content-Type =~ /multipart\/related/ > >> > >> meta OE_MULTIPART_RELATED (__OE_MUA && __MULTIPART_RELATED) > >> describe OE_MULTIPART_RELATED Possible image spam forged as from MS Outlook > >> > >> The false Positive rate on my corpus is 0.1%. I can't tell you about the > >> false > >> negative rate since I don't keep my spam (only my ham).
> >> This rule works very well on the pump-and-dump image spam that has > >> been escaping my spamassassin installation for the last few months. > >> Although Outlook Express is capable of generating messages with > >> multipart/related MIME type, it only does that if the user creates an > >> HTML message with inline images. This happens occasionally but rarely > >> (hence the 0.1%). I expect the perceptron might give this rule a > >> score of perhaps +0.5, which is not enough to catch the pump-and-dump > >> image spam by itself, but works well in conjunction with > >> Mail::SpamAssassin::Plugin::ImageInfo. > >> > >> Thoughts on this rule? > >> > >> --Ian Turner > >> > > Hi Ian, > > this would trap mail using outlook "stationery". > > I dont really like it, but I get it in wanted mail. Generally I believe > that rules scoring valid use of mail (cid addressing, mime types) should > be avoided - unless you want to block, e.g., mails with images or mails > sent from outlook generally Rather try to find a subtle difference in > the way real outlook builds the message and the spammers do it, that > would really reveal it is not from outlook Yeah -- +1. --j.