The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5 with no To:address, just To:name, which was harder to count...
I removed the rule similar to your __RP_D_00040 from my systems to avoid false negatives. And no FP for a long time on this rule (this is an old bot, first seen last summer, but probably older but unnoticed).

Alex, from prypiat. Yes, I recycle.

On 13-03-01 02:45 PM, David F. Skoll wrote:
> On Fri, 01 Mar 2013 14:39:09 -0500
> Alexandre Boyer <bigg...@gmail.com> wrote:
>
>> Pretty much the same as what David suggests :-)
> My latest attempt is this:
>
> header __RP_D_00040_1 From:addr =~ /yahoo/i
> header __RP_D_00040_2 To =~ /(:?@.*?){5}/
> body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
> meta RP_D_00040 __RP_D_00040_1 &&__RP_D_00040_2 &&__RP_D_00040_3
> describe RP_D_00040 Yahoo single-line URL spam
>
> I'm a little worried about potential FPs, but we'll see how it goes.
>
> Regards,
>
> David.
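An added example, not part of the thread or of either poster's rule set: a Python harness that applies the three quoted sub-rule patterns to constructed messages and shows the two recipient variations described above (4 recipients, and 5 with one name-only entry) slipping past the `To` count. It assumes SpamAssassin matches the unfolded `To` header and a whitespace-collapsed body; the helper names and sample addresses are hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Python renderings of the three sub-rule patterns quoted in the thread.
RP_1 = re.compile(r"yahoo", re.I)                          # From:addr
RP_2 = re.compile(r"(:?@.*?){5}")                          # To (raw header)
RP_3 = re.compile(r"http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}")  # body


def evaluate(raw):
    """Return per-sub-rule hits and the meta result for one raw message."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    # Assumption: header and body are matched with whitespace collapsed.
    to_raw = " ".join(" ".join(msg.get_all("To", [])).split())
    body = " ".join(msg.get_payload().split())
    hits = {
        "from_yahoo": bool(RP_1.search(from_addr)),
        "to_5_at": bool(RP_2.search(to_raw)),
        "url_time": bool(RP_3.search(body)),
    }
    hits["meta"] = all(hits.values())
    # Entries that carry a real address, to compare with the '@' count.
    hits["to_addresses"] = sum(1 for _, a in getaddresses([to_raw]) if "@" in a)
    return hits


def sample(to_header):
    """Constructed message; all domains are reserved example names."""
    return ("From: Sender <sender@yahoo.example>\n"
            f"To: {to_header}\n"
            "Subject: hi\n\n"
            "http://spam.example/landing 3/1/2013 2:39:09 PM\n")


FIVE = ", ".join(f"r{i}@example.org" for i in range(1, 6))
FOUR = ", ".join(f"r{i}@example.org" for i in range(1, 5))
NAME_ONLY = FIVE.replace("r3@example.org", "Bob")  # To:name, no address

if __name__ == "__main__":
    for label, to in [("5 addresses", FIVE), ("4 addresses", FOUR),
                      ("5 entries, one name-only", NAME_ONLY)]:
        print(f"{label:26} {evaluate(sample(to))}")
```

In both variants the `From` and body patterns still hit, so the miss comes entirely from the `To` sub-rule.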