On Wed, 2004-03-31 at 03:43, Harry Putnam wrote:
[...]
> > Thanks, but I should have mentioned that I'm NOT testing the from
> > header.  I'm trying to catch messages that look like bounced messages
> > from me but that don't include my correct e-mail-info.
[...]

I worked it out, here's my solution for the archives:

body      __M8RAM_FAKE_BOUNCE_SUB1 /From\:\s.{0,30}\s*<my_email_address>/i
# SUB2: any "From:" that is not followed by my name (either order) plus my address
body      __M8RAM_FAKE_BOUNCE_SUB2 /from\:\s(?!(?:Bram\sMertens\s|Mertens\sBram\s)<my_email_address>)/i
meta      M8RAM_FAKE_BOUNCE  (__M8RAM_FAKE_BOUNCE_SUB1 && __M8RAM_FAKE_BOUNCE_SUB2)
score     M8RAM_FAKE_BOUNCE  10.0
describe  M8RAM_FAKE_BOUNCE  Attached bounce contains my address but I never sent this!

Just in case this might be useful for somebody else I'll explain a bit.

SpamAssassin AFAIK doesn't yet support the && in a 'regular' test, only
in a so-called meta-rule.  So I've split it up into two parts.
__M8RAM_FAKE_BOUNCE_SUB1 looks for a combination of "From:" and my
e-mail address.
I need this part because __M8RAM_FAKE_BOUNCE_SUB2 looks for "From:" and
my e-mail address not preceded by my name.
However this means it also triggers on "From:" followed by anything that
doesn't contain my e-mail address.

The score is probably a bit high, it isn't really recommended to use
scores higher than 3.0 in a rule but I needed to counter some negative
scores some of these spoofed messages got.

Thanks for thinking along and I hope somebody can use this!

Bram
-- 
# Mertens Bram "M8ram"   <[EMAIL PROTECTED]>          Linux User #349737 #
# SuSE Linux 8.2 (i586)     kernel 2.4.20-4GB      i686     256MB RAM #
#  4:51pm  up 19 days 20:28,  10 users,  load average: 0.07, 0.07, 0.10 #
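
How the two sub-rules and the meta rule combine, as an added example that is not part of the original post: a Python translation of the regexes run over constructed bounce bodies. Assumptions: me@example.org stands in for the hidden address, the lookahead is grouped so the address must follow either form of the name, and each regex is searched over the whole body as one string, which simplifies how SpamAssassin feeds body text to rules.

```python
import re

# Placeholder address (assumption): the post hides the real one.
MY_ADDR = "me@example.org"
ADDR = re.escape(f"<{MY_ADDR}>")

# Python translations of the two sub-rules from the post.
SUB1 = re.compile(r"From:\s.{0,30}\s*" + ADDR, re.I)
SUB2 = re.compile(
    r"from:\s(?!(?:Bram\sMertens\s|Mertens\sBram\s)" + ADDR + ")", re.I)


def evaluate(body: str) -> dict:
    """Return which sub-rules hit and whether the meta rule fires."""
    sub1 = bool(SUB1.search(body))
    sub2 = bool(SUB2.search(body))
    return {"SUB1": sub1, "SUB2": sub2, "META": sub1 and sub2}


# Constructed sample bodies (not taken from real mail).
GENUINE = "From: Bram Mertens <me@example.org>\nSubject: lunch on friday\n"
FORGED = "From: Cheap Pills <me@example.org>\nSubject: best prices\n"
UNRELATED = "From: Someone Else <other@example.net>\nSubject: hello\n"
# Caveat: the sub-rules are independent tests, so they can be satisfied
# by two different "From:" lines in the same body.
MIXED = GENUINE + "\n> From: Someone Else <other@example.net>\n> see you then\n"

if __name__ == "__main__":
    for name, body in [("genuine", GENUINE), ("forged", FORGED),
                       ("unrelated", UNRELATED), ("mixed", MIXED)]:
        print(f"{name:10s} {evaluate(body)}")
```

The mixed case fires the meta rule even though the attached message is genuine, because the meta rule only ANDs the two results and does not require both to match the same "From:" line.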

