On Sun, 2012-11-04 at 07:55 -0500, Joseph Acquisto wrote: > >>> On 11/3/2012 at 9:15 PM, "Joseph Acquisto" <j...@j4computers.com> wrote: > > Why do these score 0 ? > > > > http://pastebin.com/U4zFu8wk > > http://pastebin.com/MV9KbnbU > I ran the second one through my testing SA system: it got hits from several blacklists together with hits on RDNS_NONE and UNPARSEABLE_RELAY:
RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_BRBL_LASTEXT,RCVD_IN_PBL,RCVD_IN_PSBL, RCVD_IN_RP_RNBL,RCVD_IN_XBL,RDNS_NONE,UNPARSEABLE_RELAY,URIBL_AB_SURBL, URIBL_BLACK,URIBL_DBL_SPAM,URIBL_SBL,URIBL_WS_SURBL though from the looks of it there's little else in its contents that should trigger body rules. Have you considered greylisting? When my ISP turned it on my mail stream immediately changed from 80% spam to 95%+ ham. > I had once asked about a rule that could specify a domain (to ban) in an htlm > link in the message body. > I don't recall this being entirely successful. > You can try using the setup I developed to deal with a spam-ridden mailing list that linked to a forum - the forum is trivially easy for spammers to dump junk into, so they do. However, building this type of SA rule can be like playing wack-a-mole until you start to recognise patterns in the URLs/domain names/product names/phrases used and begin to use a combination of broadly-matching regexes and meta-rules to get an acceptable FP rate. This rule maintenance tool may help you to build and extend them: http://www.libelle-systems.com/free/portmanteau/portmanteau.tgz Martin