On Wed, 2010-08-25 at 11:43 +1200, Peter Lowish wrote:> So this should do it in my .cf file
>
> body Ban_RussUrl /www\..{1,16}\.ru/
> score Ban_RussUrl 15
> describe Ban_RussUrl Russian url spam
>
Not quite. I suggested using a uri rule not a body one. A score of 5 or
6 should be enough. Be sure to test it: its rather a sledgehammer and
will certainly FP if your organisation has Russian correspondents.
Personally I'd use a meta because its far less likely to FP:
describe RU_SPAM Russian spam-bot messages
uri __RU_S1 /www\..{1,16}\.ru/
header __RU_S2 From =~ /[a-z]{7,8}[0-9]{4}\@/
header __RU_S3 Reply-To =~ /[a-z]{7,8}[0-9]{4}\@/
meta RU_SPAM (__RU_S1 &&__RU_S2 &&__RU_S3)
score RU_SPAM 5.5
Caveat: this hasn't been lint checked or tested. Do both before
deploying it.
Martin