SpamAssassin version: 3.3.2-r929478
System: OS X Server 10.7
SpamAssassin n00b level: Ultimate
Starting a couple of weeks ago I'd been getting a couple of like spam e-mails every few days. It's been slowly ramping up to a couple times a day. These e-mails look like this:
http://i.imgur.com/0YLBDxm.png The highlighting is to show the random text colored close to the background peppered between <span> after <span> of the "real" message.
SpamAssassin includes a rule to spot HTML that includes "many" spans (MANY_SPAN_IN_TEXT) but it's configured to only find 5 before throwing a pretty low spam score. These e-mails contain literally several hundred (800+) <span> tags. I really don't want to bump the score for the included rule so I modified a copy of it and dropped it into /private/etc/mail/spamassassin/local.cf.
Unfortunately it doesn't get loaded. Not sure what I'm missing or if I'm going about this all wrong. You can see at the bottom I've just bumped the score of the two rules that seem the most useful for tagging this type of message. This works, but I worry about false positives.
Code:
### Trying to stop <span>H</span><span>T</span><span>M</span><span>L</span>
### Not sure if working, or...
##{ EXTREME_SPAN_IN_TEXT
meta EXTREME_SPAN_IN_TEXT __X_SPAN_IN_TEXT && !__VIA_ML
describe EXTREME_SPAN_IN_TEXT Extreme number of <SPAN> tags embedded within text
tflags EXTREME_SPAN_IN_TEXT publish
##} EXTREME_SPAN_IN_TEXT
meta __X_SPAN_IN_TEXT (__X_SPAN_BEG_TEXT > 24) && (__X_SPAN_END_TEXT > 24)
rawbody __X_SPAN_BEG_TEXT /[a-z]{2}<(?i:span)\s/
tflags __X_SPAN_BEG_TEXT multiple maxhits=25
rawbody __X_SPAN_END_TEXT /[^;>]<\/(?i:span)>[a-z]{3}/
tflags __X_SPAN_END_TEXT multiple maxhits=25
score EXTREME_SPAN_IN_TEXT 25
### Well that shit isn't even being run. :| So...
score MANY_SPAN_IN_TEXT 10
score HTML_FONT_LOW_CONTRAST 10
Also, how / where do I find the bounced spam message template? I want to send a "550 User not found" rather than SA's "Your message is spam." Haven't seen it in the obvious places.
Any halp is greatly appreciated.
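An added example, not part of the original post and not SpamAssassin's own code: a small Python harness that runs the two rawbody patterns from the posted rules over constructed HTML bodies, so the hit counts and the `> 24` meta condition can be checked offline before the rule goes into local.cf. The line-by-line counting loop and all three sample bodies are assumptions made for illustration.

```python
import re

# Patterns copied from the post's __X_SPAN_BEG_TEXT / __X_SPAN_END_TEXT rules.
SPAN_BEG = re.compile(r"[a-z]{2}<(?i:span)\s")
SPAN_END = re.compile(r"[^;>]</(?i:span)>[a-z]{3}")
MAXHITS = 25    # from "tflags ... multiple maxhits=25"
THRESHOLD = 24  # the meta rule needs both counts > 24


def count_hits(pattern, body, maxhits=MAXHITS):
    """Count matches line by line, capped at maxhits.

    Assumption: a simplified stand-in for how a 'multiple' rawbody
    rule accumulates hits; it is not SpamAssassin's own code.
    """
    hits = 0
    for line in body.splitlines():
        hits += len(pattern.findall(line))
        if hits >= maxhits:
            return maxhits
    return hits


def evaluate(body):
    """Return (beg_hits, end_hits, meta_fires) for one HTML body."""
    beg = count_hits(SPAN_BEG, body)
    end = count_hits(SPAN_END, body)
    return beg, end, beg > THRESHOLD and end > THRESHOLD


# Constructed samples, not taken from real mail.
# 1) One attribute-less span per character, as in the comment that
#    heads the posted rules: no letters touch the tags, no space after "span".
PER_CHAR = "".join(f"<span>{c}</span>" for c in "html" * 200)
# 2) Styled spans embedded in running lowercase text, one per line.
IN_TEXT = "\n".join(
    f'some<span style="color:#fefefe">filler{i}</span>text' for i in range(40)
)
# 3) An ordinary message with a handful of spans.
FEW = "\n".join(f'see<span class="b">item{i}</span>here' for i in range(3))

if __name__ == "__main__":
    for name, body in [("per-char", PER_CHAR), ("in-text", IN_TEXT), ("few", FEW)]:
        print(name, evaluate(body))
```

Both patterns need lowercase letters directly against the tag and whitespace after `<span`, so the per-character sample scores zero hits despite containing 800 spans, while the in-text sample reaches the cap and satisfies the meta condition.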