Spamassassin Greeting Card Question

[Matt Kettler]

Alex Broens wrote:
>> That said, I'm currently using this one rule, which covers pretty much
>> everything I've seen.
>>
>> (note: beware of line-wraps, there's only 3 lines here)
>>
>> header L_S_SUBJPOSTCARD Subject =~/\bYou've received a (?:greeting)?
>> (?:e|post)?card from a .{4,20}!/
>> describe L_S_SUBJPOSTCARD     greeting card virus
>> score L_S_SUBJPOSTCARD    1.5
> 
> or reduce it to?
> 
> body    ECARD_BLAH    /^SEEING YOUR CARD$/

That would work too.. Although I'm not sure why.. body rules should be run with
linewraps stripped, so that shouldn't match. However, it does work properly, and
also matches if a linewrap is inserted between the words. Hmm, wonder how SA
does that..

However, there would be benefit to using both with moderate scores, as it would
be more mutation resistant that way. They're both looking at different features
of the email.

As an added plus, doing both makes the autolearner more likely to kick in. The
autolearner needs at least 3.0 of header and 3.0 of body rules in order to learn
spam. Biasing both categories up is a good thing..

To that end, I just added 3 body rules:

body L_S_BODY_CARD1     /^SEEING YOUR CARD$/
score L_S_BODY_CARD1    1.0

body L_S_BODY_CARD2     /See your card as often as you wish during the next/
score L_S_BODY_CARD2    1.0

body L_S_BODY_CARD3     /We hope you enjoy your awesome card/
score L_S_BODY_CARD3    1.0