spamassassin-users mailing list archives

From John Hardin <jhar...@impsec.org>
Subject Re: Spam from addresses where full name mirrors left-hand side of address
Date Tue, 03 Apr 2018 15:52:00 GMT
On Tue, 3 Apr 2018, RW wrote:

> On Mon, 2 Apr 2018 11:33:27 -0700 (PDT)
> John Hardin wrote:
>
>> On Mon, 2 Apr 2018, Amir Caspi wrote:
>>
>>> many organizations -- especially government or other
>>> large orgs -- also use firstname.middleinitial.lastname as their
>>> user part.
>>
>> So require a minimum length for the middle part:
>>
>>    header THREE_WORD_MONTY  From =~ /(\w+) (\w{2,}) (\w+) <\1.\2.\3/
>>
>>> A meta rule using multi-dots could work, by either looking for
>>> specific keywords or matching with other spammy indicators... but
>>> by itself there's no real way to distinguish these AFAICT.  I think
>>> a meta rule is the only safe way to go, but personally I would
>>> _NOT_ use a rule like the one suggested where the quoted part
>>> equals the user part, since every firstname.lastname address will
>>> get caught that way.
>>
>> Your comment is valid, but the suggested rule requires three parts,
>> so won't hit on firstname.lastname-style mailbox naming.
>>
>> However, since it's looking for periods, it won't hit the dash- and
>> underscore-delimited versions.
>
> It looks for . not \.

Ah, yes, my mistake.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The world has enough Mouse Clicking System Engineers.
                                                        -- Dave Pooser
-----------------------------------------------------------------------
  10 days until Thomas Jefferson's 275th Birthday
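
Added example, not part of the original message or of SpamAssassin's rule set: the pattern from the quoted THREE_WORD_MONTY rule run against constructed From values, next to a variant with the dots escaped, to show what the "." versus "\." point changes. Assumptions: Python's re stands in for the Perl regex engine, the ESCAPED variant and all sample headers are constructed here, and example.org is a placeholder domain; the mixed-case sample goes slightly beyond what the thread discusses.

```python
import re

# Pattern exactly as posted in the thread (unescaped dots).
AS_POSTED = re.compile(r"(\w+) (\w{2,}) (\w+) <\1.\2.\3")
# Hypothetical variant with the dots escaped, for comparison only.
ESCAPED = re.compile(r"(\w+) (\w{2,}) (\w+) <\1\.\2\.\3")

# Constructed From header values; example.org is a placeholder domain.
SAMPLES = {
    "dots":        "john quincy adams <john.quincy.adams@example.org>",
    "dashes":      "john quincy adams <john-quincy-adams@example.org>",
    "underscores": "john quincy adams <john_quincy_adams@example.org>",
    # Single-letter middle part: excluded by the \w{2,} minimum length.
    "initial":     "john q adams <john.q.adams@example.org>",
    # firstname.lastname: the rule needs three parts, so no hit.
    "two_part":    "john adams <john.adams@example.org>",
    # Backreferences compare case-sensitively without an /i modifier,
    # so a capitalized display name does not match a lowercase address.
    "mixed_case":  "John Quincy Adams <john.quincy.adams@example.org>",
}


def hits(pattern, value):
    """Return True if the rule's regex matches anywhere in the header value."""
    return pattern.search(value) is not None


def evaluate():
    """Map each sample name to (hit as posted, hit with escaped dots)."""
    return {name: (hits(AS_POSTED, value), hits(ESCAPED, value))
            for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, (posted, escaped) in evaluate().items():
        print(f"{name:12} as_posted={posted!s:5} escaped={escaped}")
```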
