Scott,
Wouldn't a difference in the number of recipients in the ALLRECIPS and REALRECIPS variables be a rather good spam indicator, as this means that the recipient list is a mixture of both valid and invalid addresses? I guess that such a test could be implemented directly in Declude, but it has to be carefully used as it will have some false positives. It could be used more securely if the test also had a configurable threshold setting for the minimum number of differences, as I have noticed that some spam have a recipient list that contains many invalid addresses together with a few valid ones.
Or does the ALLRECIPS variable contain both local and remote addresses? I can't see that on our mail server, since it sits behind an antivirus gateway (which routes e-mail to local domains only). In such a case, I guess that it would be possible to correct any variable difference by first subtracting the number of remote addresses in the ALLRECIPS variable. Unless, of course, the REALRECIPS variable also contains remote addresses. I'm just thinking out loud, since I'm not really sure how this works.
/Roger --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
