C-Command Software Forum

False positive due to "<BODY[^>]*>\s*<IMG[^>]*"cid:[^>]*>"

I just had a false positive on a very important email because of the following rule in the blocklist:

<Body (any text part) Matches Regex "<BODY[^>]*>\s*<IMG[^>]*"cid:[^>]*>">

I think this rule was in SpamSieve by default. How come? Why is this pattern so bad? (The email that triggered it was perfectly legit.)

It’s in SpamSieve by default because there are lots of spam messages that match that pattern, and fewer good ones. If you ever train SpamSieve with a good message that matches the pattern, it will disable the rule.

What if I train SpamSieve on a false negative that matches the pattern? Would it somehow get enabled again?

No. Training will disable existing rules and create new ones. It will not enable existing ones that are disabled.
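To see which legitimate messages the rule discussed in this thread would hit, the following added example (not part of the thread and not SpamSieve's code) applies the regex to every text part of constructed MIME messages. Case-insensitive matching, the sample HTML, and the `example.invalid` Content-ID are assumptions.

```python
import re
from email.message import EmailMessage

# Pattern from the thread title. Case-insensitive matching is an assumption,
# made so the upper-case rule matches the lower-case tags most mailers emit.
RULE = re.compile(r'<BODY[^>]*>\s*<IMG[^>]*"cid:[^>]*>', re.IGNORECASE)

def build_message(html):
    """Constructed sample: plain-text alternative, HTML part, one inline image."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text alternative of the message.")
    msg.add_alternative(html, subtype="html")
    # Attach the image that the HTML refers to by Content-ID.
    msg.get_payload()[1].add_related(
        b"constructed image bytes", "image", "png", cid="<logo@example.invalid>")
    return msg

def text_parts(msg):
    """Yield the decoded content of every text/* part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()

def rule_matches(msg):
    """True if any text part matches, mirroring "Body (any text part)"."""
    return any(RULE.search(body) for body in text_parts(msg))

# Constructed HTML bodies of legitimate mail.
SAMPLES = {
    "logo_first": '<html><body style="margin:0">\n'
                  '<img src="cid:logo@example.invalid" alt="Logo">'
                  '<p>Your invoice is attached.</p></body></html>',
    "text_first": '<html><body><p>Hello,</p>'
                  '<img src="cid:logo@example.invalid" alt="Logo"></body></html>',
}

def audit(samples=SAMPLES):
    """Map each sample name to whether the rule matches its message."""
    return {name: rule_matches(build_message(html)) for name, html in samples.items()}

if __name__ == "__main__":
    for name, hit in audit().items():
        print(f"{name}: {'matches rule' if hit else 'no match'}")
```

A message whose HTML body opens with an inline logo matches even though it is legitimate, which is the false-positive case described in the first post.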