FROM_AND_TO_SAME doesn't seem to be triggering for us.
And rather than making people edit the ruleset, I've changed number3 to a
more generic test:

#KAM NUMBER EMAILS - Thanks to Mark Damrose for the NUMBER3 idea
header __KAM_NUMBER1 Subject =~ /^\d+$/i
body __KAM_NUMBER2 /\d{1,6}/
header __KAM_NUMBER3 Message-ID =~ /\<[a-z]{19}\@/i
meta KAM_NUMBER ((__KAM_NUMBER1 + __KAM_NUMBER2 + MIME_HTML_ONLY + HTML_SHORT_LENGTH + __KAM_NUMBER3) >= 5)
describe KAM_NUMBER Silly Number Emails
score KAM_NUMBER 1.0

Regards,
KAM

A couple other things I've noticed: This spam always hits on
FROM_AND_TO_SAME2
and
header __NUMBER3 Message-ID =~ /\<[EMAIL PROTECTED]>/
(substitute your own domain for example.com).
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list [email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
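
The KAM_NUMBER meta rule above, modelled in Python as an added example (not the poster's code and not SpamAssassin's own): it shows that a sum of five subtests `>= 5` means every subtest must hit, so a numeric-subject message with an ordinary Message-ID is not tagged. The three regexes are copied from the post; MIME_HTML_ONLY and HTML_SHORT_LENGTH are stock SpamAssassin rules only approximated here, the 512-byte threshold is an assumption, and both sample messages are constructed.

```python
import re
from email import message_from_string

# Regexes copied from the rules in the post.
NUMBER1 = re.compile(r"^\d+$", re.I)        # Subject consists only of digits
NUMBER2 = re.compile(r"\d{1,6}")            # body contains a run of digits
NUMBER3 = re.compile(r"<[a-z]{19}@", re.I)  # Message-ID local part: 19 letters

SHORT_HTML_BYTES = 512  # assumption: stand-in threshold for HTML_SHORT_LENGTH

def subtests(raw):
    """Evaluate the five subtests on a raw RFC 822 message string."""
    msg = message_from_string(raw)
    parts = [p for p in msg.walk() if not p.is_multipart()]
    html = [p for p in parts if p.get_content_type() == "text/html"]
    # Simplification: SpamAssassin body rules see rendered text, not raw HTML.
    body = "\n".join(str(p.get_payload()) for p in parts)
    return {
        "__KAM_NUMBER1": bool(NUMBER1.search(msg.get("Subject", ""))),
        "__KAM_NUMBER2": bool(NUMBER2.search(body)),
        "MIME_HTML_ONLY": bool(html) and len(html) == len(parts),
        "HTML_SHORT_LENGTH": bool(html) and len(body) < SHORT_HTML_BYTES,
        "__KAM_NUMBER3": bool(NUMBER3.search(msg.get("Message-ID", ""))),
    }

def kam_number(raw):
    """meta KAM_NUMBER: sum of five subtests >= 5, i.e. all five must hit."""
    return sum(subtests(raw).values()) >= 5

# Constructed sample: numeric subject, short HTML-only body, 19-letter Message-ID.
SPAM = """\
From: a@example.com
To: a@example.com
Subject: 482913
Message-ID: <qwertyuiopasdfghjkl@example.net>
Content-Type: text/html

<html><body>73921</body></html>
"""

# Constructed sample: same shape, but an ordinary timestamp-style Message-ID.
HAM = SPAM.replace("<qwertyuiopasdfghjkl@example.net>",
                   "<20240101120000.12345@mail.example.org>")

if __name__ == "__main__":
    for name, raw in (("SPAM", SPAM), ("HAM", HAM)):
        print(name, kam_number(raw), subtests(raw))
```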