I have seen a few posts with people complaining about spam from Gmail (often linking to blogspot pages) which no existing rules catch, and have had a number of these myself. This is only a small fraction of the spam I am seeing, but it is annoying nonetheless!
NOTE: I am not a particularly good rule writer and there are probably a lot more elegant ways of doing this! Feel free to make suggestions and improvements and to use how you will.

The easiest way that I can see to catch these emails is to combine a number of existing rules and to add a couple of new rules which look for specific things:

Existing rules used:
FreeMail.pm Plugin
ChickenPox.cf

New Rule 1 - Find all emails which link to a free blog site:

uri FHS_FREEBLOG /(?:spaces\.msn\.com|blogeasy\.com|easyjournal\.com|multiply\.com|blog-city\.com|blogharbor\.com|bloghi\.com|bloghorn\.com|blogspirit\.com|blogsource\.com|ebloggy\.com|pitas\.com|blogger\.de|blogsome\.com|weblogs\.us|wordpress\.com|wpblogs\.com|blogthing\.com|globbo\.org|theblog\.cc|learnerblogs\.org|uniblogs\.org|edublogs\.org|hrblogs\.org|beblogger\.com|evilsupergenius\.net|blogcafe\.com|blogspot\.com|weblogs\.hu|weblogs\.cz|blogs\.ro|weblogs\.pl|blogs\.fi|blogs\.no|blogs\.dk|blogs\.se|blog\.com|blog\.de|blog\.co\.uk|blog\.ca|freewebs\.com|livejournal\.com|20six\.co\.uk|xanga\.com|aeonity\.com|bloggercrab\.com|upsaid\.com|diaryland\.com|blogs\.ie|modblog\.com|efx2\.com|blogdrive\.com|tblog\.com|blogcult\.com|seo-blog\.com|quickblog\.org|diary-x\.com|blurty\.com|upsaid\.com|bloggercrab\.com|blogghost\.com)/i
describe FHS_FREEBLOG Contains a link to a free blog.
score FHS_FREEBLOG 0.001

New Rule 2 - Look for a proper html link in the email (i.e. long url and short description):

rawbody FHS_LINK /\<a.href[^>]{20,50}\>[^<]{6,15}\<\/a/i
describe FHS_LINK Contains a long URL with a short description - a well written link
score FHS_LINK 0.001

Now consider that people who send messages from a free email address are very unlikely to go to the trouble of using a properly formatted link in their email (they will just copy and paste the url):

meta FREEMAIL_LINK_BLOG (FREEMAIL_FROM && FHS_LINK && FHS_FREEBLOG)
describe FREEMAIL_LINK_BLOG From a freemail address and includes a well written link to a blog
score FREEMAIL_LINK_BLOG 2.0

The next thing I noticed was that most of these emails hit various bits of the chickenpox.cf ruleset so I created a set of meta rules to count how many of these were hit, and then combined this with the freemail rules:

meta FHS_COUNT_CHICKENPOX_3 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 + J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 + J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 + J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 + J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 + J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 + J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 + J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 + J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 + J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 + J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 + J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 + J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 + J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 + J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 + J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 + J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 2)
describe FHS_COUNT_CHICKENPOX_3 Three or more odd character combinations
score FHS_COUNT_CHICKENPOX_3 0.1

meta FHS_COUNT_CHICKENPOX_5 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 + J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 + J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 + J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 + J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 + J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 + J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 + J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 + J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 + J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 + J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 + J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 + J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 + J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 + J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 + J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 + J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 4)
describe FHS_COUNT_CHICKENPOX_5 Five or more odd character combinations
score FHS_COUNT_CHICKENPOX_5 0.1

meta FHS_COUNT_CHICKENPOX_7 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 + J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 + J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 + J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 + J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 + J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 + J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 + J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 + J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 + J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 + J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 + J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 + J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 + J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 + J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 + J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 + J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 6)
describe FHS_COUNT_CHICKENPOX_7 Seven or more odd character combinations
score FHS_COUNT_CHICKENPOX_7 0.1

meta FHS_COUNT_CHICKENPOX_9 (( J_CHICKENPOX_12 + J_CHICKENPOX_13 + J_CHICKENPOX_14 + J_CHICKENPOX_15 + J_CHICKENPOX_16 + J_CHICKENPOX_17 + J_CHICKENPOX_18 + J_CHICKENPOX_19 + J_CHICKENPOX_110 + J_CHICKENPOX_111 + J_CHICKENPOX_21 + J_CHICKENPOX_22 + J_CHICKENPOX_23 + J_CHICKENPOX_24 + J_CHICKENPOX_25 + J_CHICKENPOX_26 + J_CHICKENPOX_27 + J_CHICKENPOX_28 + J_CHICKENPOX_29 + J_CHICKENPOX_210 + J_CHICKENPOX_31 + J_CHICKENPOX_32 + J_CHICKENPOX_33 + J_CHICKENPOX_34 + J_CHICKENPOX_35 + J_CHICKENPOX_36 + J_CHICKENPOX_37 + J_CHICKENPOX_38 + J_CHICKENPOX_39 + J_CHICKENPOX_41 + J_CHICKENPOX_42 + J_CHICKENPOX_43 + J_CHICKENPOX_44 + J_CHICKENPOX_45 + J_CHICKENPOX_46 + J_CHICKENPOX_47 + J_CHICKENPOX_48 + J_CHICKENPOX_51 + J_CHICKENPOX_52 + J_CHICKENPOX_53 + J_CHICKENPOX_54 + J_CHICKENPOX_55 + J_CHICKENPOX_56 + J_CHICKENPOX_57 + J_CHICKENPOX_61 + J_CHICKENPOX_62 + J_CHICKENPOX_63 + J_CHICKENPOX_64 + J_CHICKENPOX_65 + J_CHICKENPOX_66 + J_CHICKENPOX_71 + J_CHICKENPOX_72 + J_CHICKENPOX_73 + J_CHICKENPOX_74 + J_CHICKENPOX_75 + J_CHICKENPOX_81 + J_CHICKENPOX_82 + J_CHICKENPOX_83 + J_CHICKENPOX_84 + J_CHICKENPOX_91 + J_CHICKENPOX_92 + J_CHICKENPOX_93 + J_CHICKENPOX_101 + J_CHICKENPOX_102 ) > 8)
describe FHS_COUNT_CHICKENPOX_9 Nine or more odd character combinations
score FHS_COUNT_CHICKENPOX_9 0.1

meta FREEMAIL_CHICKENPOX_3 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_3)
describe FREEMAIL_CHICKENPOX_3 From a freemail address and has three or more odd character combinations
score FREEMAIL_CHICKENPOX_3 0.1

meta FREEMAIL_CHICKENPOX_5 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_5)
describe FREEMAIL_CHICKENPOX_5 From a freemail address and has five or more odd character combinations
score FREEMAIL_CHICKENPOX_5 0.4

meta FREEMAIL_CHICKENPOX_7 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_7)
describe FREEMAIL_CHICKENPOX_7 From a freemail address and has seven or more odd character combinations
score FREEMAIL_CHICKENPOX_7 0.3

meta FREEMAIL_CHICKENPOX_9 (FREEMAIL_FROM && FHS_COUNT_CHICKENPOX_9)
describe FREEMAIL_CHICKENPOX_9 From a freemail address and has nine or more odd character combinations
score FREEMAIL_CHICKENPOX_9 0.2

You could also create a meta rule that puts all of this together and basically kills (gives a very high score to) any email from a freemail address which has a specific number of strange character combinations in it and which links with proper html to a free blog site... I'll leave that for you to work out!

Any comments or suggestions?

--
View this message in context: http://www.nabble.com/A-few-rules-to-catch-current-gmail-spam-tp17590682p17590682.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
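
The FHS_FREEBLOG, FHS_LINK and FREEMAIL_LINK_BLOG rules traced over constructed messages, as an added example that is not part of the original post. Assumptions: Python's `re` stands in for SpamAssassin's Perl regex engine, the blog list is cut to four of the post's entries, a small domain set stands in for the FreeMail plugin's FREEMAIL_FROM, and URI extraction and rawbody handling are simplified. The last sample shows the unanchored `blog\.com` alternative also hitting an unrelated domain.

```python
import re

# Four entries from the post's FHS_FREEBLOG alternation (the full list is in the rule).
FHS_FREEBLOG = re.compile(r"(?:blogspot\.com|wordpress\.com|livejournal\.com|blog\.com)", re.I)
# The post's FHS_LINK pattern, unchanged.
FHS_LINK = re.compile(r"\<a.href[^>]{20,50}\>[^<]{6,15}\<\/a", re.I)
# Simplified URI extraction (assumption; SpamAssassin's own parser does much more).
URI = re.compile(r"""https?://[^\s"'<>]+""", re.I)
# Stand-in for FREEMAIL_FROM from the FreeMail plugin (assumption: tiny domain set).
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}


def evaluate(from_addr, raw_body):
    """Return the set of rule names that hit for one message."""
    hits = set()
    if from_addr.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS:
        hits.add("FREEMAIL_FROM")
    # uri rules are tested against each URI found, rawbody rules against raw text.
    if any(FHS_FREEBLOG.search(u) for u in URI.findall(raw_body)):
        hits.add("FHS_FREEBLOG")
    if FHS_LINK.search(raw_body):
        hits.add("FHS_LINK")
    # meta FREEMAIL_LINK_BLOG (FREEMAIL_FROM && FHS_LINK && FHS_FREEBLOG)
    if {"FREEMAIL_FROM", "FHS_LINK", "FHS_FREEBLOG"} <= hits:
        hits.add("FREEMAIL_LINK_BLOG")
    return hits


# Constructed sample messages (not real mail; domains are made up).
SAMPLES = {
    "spam_like": ("someone@gmail.com",
                  '<a href="http://example-name.blogspot.com/">click here now</a>'),
    "pasted_url": ("friend@gmail.com",
                   "have a look at http://example-name.blogspot.com/ when you can"),
    "long_text": ("friend@gmail.com", '<a href="http://example-name.blogspot.com/">'
                  "my holiday photos from last summer</a>"),
    "lookalike": ("someone@gmail.com",
                  '<a href="http://www.example-techblog.com/">read the post</a>'),
}

RESULTS = {name: evaluate(*msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in RESULTS.items():
        print(f"{name:11s} {sorted(hits)}")
```
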