It appears that if you use the "ToCc" header, it does not make the real name part available. You have to just use "To:". I now have my rule working. If anyone is interested, this rule will:

1. Look for To fields of the format "Real Name" <[EMAIL PROTECTED]>
2. Look for To fields of the above format where the first four characters are the same as the first four characters of the email address.
3. Look for To fields of the format "Last Name, First Name" <[EMAIL PROTECTED]> where the first four characters of the first name are the same as the first four characters of the email address.
AND:
a) For a To: field where 1) is true but neither of 2) or 3) is true, score it +0.75 OR
b) For a To: field where 1) is true and either of 2) or 3) is true, score it -0.25.


This should help with spam that arrives with To: fields like: "Shelly Sexbot" <[EMAIL PROTECTED]>.
Any comments? This is my first SA rule. Hope it helps someone.


Kevin


header __LOCAL_FAKE_TO_NAME1 To =~ /^.*".*"\s+<[EMAIL PROTECTED]>\s*$/i
header __LOCAL_FAKE_TO_NAME2 To =~ /^.*"\s*(\S{4})[^,]*"\s+<[EMAIL PROTECTED]>\s*$/i
header __LOCAL_FAKE_TO_NAME3 To =~ /^.*".*,\s*(\S{4}).*"\s+<[EMAIL PROTECTED]>\s*$/i
meta LOCAL_FAKE_TO_NAME (__LOCAL_FAKE_TO_NAME1 && !(__LOCAL_FAKE_TO_NAME2 || __LOCAL_FAKE_TO_NAME3))
describe LOCAL_FAKE_TO_NAME TO: Addressed to a faked real name.
score LOCAL_FAKE_TO_NAME 0.75
meta LOCAL_REAL_TO_NAME (__LOCAL_FAKE_TO_NAME1 && (__LOCAL_FAKE_TO_NAME2 || __LOCAL_FAKE_TO_NAME3))
describe LOCAL_REAL_TO_NAME TO: Addressed to a real name.
score LOCAL_REAL_TO_NAME -0.25
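
The three checks and two scores described in the post, as an added Python example (not the poster's rules and not SpamAssassin code). The regex, function names and sample headers are constructed, and it assumes, as the numbered list says, that the captured four characters are compared with the start of the address.

```python
import re

# Assumed header shape: optional leading text, a quoted display name, then <address>.
QUOTED_TO = re.compile(r'^.*"(?P<name>.*)"\s+<(?P<addr>[^<>\s]+)>\s*$')

FAKE_SCORE = 0.75    # score values taken from the post
REAL_SCORE = -0.25


def _prefix(text):
    """First four consecutive non-space characters, lower-cased, else None."""
    m = re.match(r'\s*(\S{4})', text)
    return m.group(1).lower() if m else None


def classify_to(header_value):
    """Return (rule_name, score) for a To: header value, or (None, 0.0)."""
    m = QUOTED_TO.match(header_value)
    if not m:
        return (None, 0.0)          # check 1 fails: no quoted real name
    name, addr = m.group("name"), m.group("addr").lower()
    if "," in name:
        # check 3: "Last Name, First Name" -> compare the first name
        prefix = _prefix(name.split(",", 1)[1])
    else:
        # check 2: "Real Name" -> compare the start of the name
        prefix = _prefix(name)
    if prefix and addr.startswith(prefix):
        return ("LOCAL_REAL_TO_NAME", REAL_SCORE)
    return ("LOCAL_FAKE_TO_NAME", FAKE_SCORE)


# Constructed sample headers (example.com addresses are placeholders).
SAMPLES = [
    '"Kevin Example" <kevin@example.com>',    # name matches address
    '"Example, Kevin" <kevin@example.com>',   # Last, First form matches
    '"Shelly Sexbot" <kevin@example.com>',    # name unrelated to address
    '"Bob Li" <bob@example.com>',             # first name shorter than 4 chars
    '"John Smith" <jsmith@example.com>',      # initial+surname address
    'kevin@example.com',                      # no real name part at all
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(classify_to(value), value)
```

The last three samples show the limits of the heuristic: names shorter than four characters and addresses built from an initial plus surname are scored as faked names, and a bare address is not scored at all.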




