Not quite. I suggested using a uri rule not a body one. A score of 5 orSo this should do it in my .cf file
body Ban_RussUrl /www\..{1,16}\.ru/
score Ban_RussUrl 15
describe Ban_RussUrl Russian url spam
6 should be enough. Be sure to test it: its rather a sledgehammer and
will certainly FP if your organisation has Russian correspondents.
Personally I'd use a meta because its far less likely to FP:
describe RU_SPAM Russian spam-bot messages
uri __RU_S1 /www\..{1,16}\.ru/
header __RU_S2 From =~ /[a-z]{7,8}[0-9]{4}\@/
header __RU_S3 Reply-To =~ /[a-z]{7,8}[0-9]{4}\@/
meta RU_SPAM (__RU_S1 &&__RU_S2 &&__RU_S3)
score RU_SPAM 5.5
Caveat: this hasn't been lint checked or tested. Do both before
deploying it.
Martin
