false positives on rule "FM_RATSIGN_1106" and what to do?

[Hugo van der Kooij]

On Tue, 29 May 2007, Scott Silva wrote:

> Chris Yuzik spake the following on 5/29/2007 12:30 PM:
>> Hi,
>>
>> Suddenly, I'm seeing quite a number of false positives on the rule
>> "FM_RATSIGN_1106" that gets a whopping 3.8 points. I've tried to figure
>> out what exactly it's hitting on, but the only thing I found was:
>>
>>    ##{ FM_RATSIGN_1106
>>    meta     FM_RATSIGN_1106    (__MSGID_VGA && __DATE_700)
>>    describe FM_RATSIGN_1106    Fingerprint seen in lots of spam. 11/2006
>>    ##} FM_RATSIGN_1106
>>
>> I think I need to set this rule down to 0.01 for now, or does someone
>> have a better suggestion?
>>
>> Thanks
>>
> It looks at messages that hit both MSGID_VGA and DATE_700
> Message-ID =~ /^<000001c[67]/  and date is -7 hours

Just out of curiosity. What is the significance of this particular message 
ID or this difference in timezones? I have to admit I get a shitload of 
spam from the USA and some of the US states are -7 hours from my timezone. 
But I fail to see the logic of this construct at the moment.

Hugo.

-- 
 	hvdkooij at vanderkooij.org	http://hugo.vanderkooij.org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say "Windows"
 	I use computers with Linux and say "Why Windows?"
 		(Thanks JFK, for the insight.)