The famous 5 recipients... I had a (very) few exceptions while having the very same pattern in body. With 4 recipients instead of 5, and sometimes one among the 5 with no To:address, just To:name, wich was harder to count...
I removed the similar rule as your __RP_D_00040 from my systems to avoid
false negatives.
And no FP for a long time on this rule (this is an old bot, first saw
last summer, but probably older but unnoticed).
Alex, from prypiat.
Yes, I recycle.
On 13-03-01 02:45 PM, David F. Skoll wrote:
> On Fri, 01 Mar 2013 14:39:09 -0500
> Alexandre Boyer <bigg...@gmail.com> wrote:
>
>> Pretty the same as what David suggests :-)
> My latest attempt is this:
>
> header __RP_D_00040_1 From:addr =~ /yahoo/i
> header __RP_D_00040_2 To =~ /(:?@.*?){5}/
> body __RP_D_00040_3 /http.{0,200}\d{1,2}:\d{1,2}:\d{1,2}/
> meta RP_D_00040 __RP_D_00040_1 &&__RP_D_00040_2 &&__RP_D_00040_3
> describe RP_D_00040 Yahoo single-line URL spam
>
> I'm a little worried about potential FPs, but we'll see how it goes.
>
> Regards,
>
> David.
signature.asc
Description: OpenPGP digital signature
