On Mon, 17 Oct 2011, David B Funk wrote:
However you need to be careful how you craft/use this kind of rule.
I regularly get legit messages with subjects like:
New ProTrav - Req Trav, Fac/Stf
Re: [Imap-protocol] FETCH (rfc822) response
SANS NewsBites Vol. 13 Num. 81 : Military Drone Cockpit Computers Infected
With Malware; AmEx Site Exposing Data; Calif. Governor Vetoes Bill Requiring
Warrant for Searching Mobile Phones
Cron <root@s-lib011> /exlibris/backup/scripts/exec_backup_main s2
FINAL DAYS: *Free to Choose* - Save 50% - All
[InCommon] IAM Online Weds., Oct. 12 - IAM Governance
Those kinds of rules may be good for making meta rules to
combine with other indications but be careful using them
by themselves.
Indeed:
SPAM% HAM% S/O RANK SCORE NAME
6.5107 18.6870 0.258 0.45 (n/a) __SUBJ_OBFU_PUNCT
1.0281 3.5456 0.225 0.41 0.01 T_SUBJ_OBFU_PUNCT_FEW
0.0031 0.9589 0.003 0.22 0.01 T_SUBJ_OBFU_PUNCT_MANY
Time to work on the FPs... :)
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Ignorance is no excuse for a law.
-----------------------------------------------------------------------
312 days since the first successful private orbital launch (SpaceX)