One particularly aggravating type of spam is where the from: is faked to be from the recipient or the recipient's own domain.
I saw in the archive that this thread has been touched on before, but how about once more around the mulberry bush? I believe Scott mentioned that this behaviour counted as spammish behaviour in SPAMHEADERS, but I think a more pointed ruleset would be very effective against this kind of spam.

My assumption is that the way to implement this is to use an external program to check a) the direction of the message, b) compare the from: (or envelope to:?) and to:, and then c) check for exceptions (e.g. the road warrior, the Blackberry pager).

Or is it all moot, because you're finding that spam with this "fingerprint" is pretty well always caught because of other spammy characteristics?

I've found that HELOBOGUS, REVDNS, BADHEADERS and MAILFROM are all really good indicators of spam, but that they are also indicators of a sloppy mail admin and are thus way too common with normal mail. I've lowered their weight; therefore, my HOLD weight is high enough to not hit on them in combination. OTOH, I've found that LOOSENSPAMHEADERS+SPAMHEADERS and ROUTING to be worth their weight in gold.

Andrew 8)

---
This E-mail came from the Declude.JunkMail mailing list. The archives can be found at http://www.mail-archive.com.
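The three-step check proposed in the message above, sketched as an added example (not code from the post or from Declude). It assumes the header From: is compared against the envelope recipients; the domains, networks, the `authenticated` flag standing in for the road warrior, and all function names are constructed for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import getaddresses

# All values below are constructed for illustration.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]      # own servers / LAN
EXEMPT_RELAYS = [ipaddress.ip_network("198.51.100.0/28")]  # e.g. a pager gateway

SAMPLE = (  # constructed message
    "From: Alice <Alice@Example.COM>\r\n"
    "To: alice@example.com\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "body\r\n"
)

def _domain(addr):
    return addr.rpartition("@")[2].lower().rstrip(".")

def _in_any(ip, nets):
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in nets)

def check_self_spoof(raw, envelope_rcpts, client_ip, authenticated=False):
    """Return "self", "domain" or None for one received message."""
    # a) Direction: mail submitted from inside or by an authenticated
    #    user (the road warrior) may legitimately carry a local From:.
    if authenticated or _in_any(client_ip, TRUSTED_NETS):
        return None
    # c) Exceptions: known outside relays that send as local users.
    if _in_any(client_ip, EXEMPT_RELAYS):
        return None
    # b) Compare header From: with the envelope recipients.
    msg = message_from_string(raw)
    found = getaddresses(msg.get_all("From", []))
    senders = {addr.lower() for _, addr in found if "@" in addr}
    rcpts = {r.lower() for r in envelope_rcpts}
    if senders & rcpts:
        return "self"      # From: is one of the recipients
    shared = {_domain(a) for a in senders} & {_domain(r) for r in rcpts}
    if shared & LOCAL_DOMAINS:
        return "domain"    # From: uses the recipient's own domain
    return None

if __name__ == "__main__":
    print(check_self_spoof(SAMPLE, ["alice@example.com"], "203.0.113.9"))
```

A result of "self" or "domain" is best treated as one weighted indicator alongside the other tests rather than as grounds for rejection on its own.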
