On 03/27/2015 07:51 PM, Amir Caspi wrote:
Here are a few spamples:
http://pastebin.com/3nSLurGv (this scored BAYES_99 but would still
have been FN with BAYES_999) http://pastebin.com/LaKT5ZZK (I have a
rule template for these URIs but recent spams have modified them to
cause high risk of FPs for such rules) http://pastebin.com/qSgBxR5B
(BAYES_999; could potentially be caught by an "excessive HTML entity"
rule, but none seemed to hit... is there one?)
For the first and last one, the URIs are way too similar to blog URIs
that would be in use by legitimate agencies, so I suspect there is a
high risk for FPs on those. The middle one uses a template that I
have URI rules for, but the URIs are evolving to use randomized
server names which are also basically impossible to template against
without risk of FPs.
I have hundreds more like these...
These three samples are very different in the sense that #1 is a hacked
site, #2 & #3 are the regular snowshoe.
What I miss in your sample's SA reports are any URIBL hits of some sort.
Are you doing URIBL lookups? and using RAZOR & PYZOR?
Axb
