> On Wed, 13 Oct 2004 10:41:07 -0400, Chris Santerre wrote: >> There had been a short time where we had posts that began with [RD] for >> rule >> discussion. But we just aren't seeing much of anything new to write >> rules >> on. I'm REAL interested in any spam that slips by for people who use >> SARE >> rules. I can't believe I miss getting spam slipping by. Its like I won >> the >> video game but still want to keep playing :) > > About the only challenge left, it seems, is the start of certain spam > runs that hit almost no rules but are stopped as soon as the URI they > cite gets listed in SURBL. > > Here's a case in point for you to get to grips with. I'm seeing regular > lowish-scoring spams like this, with perhaps two or three getting past > SA in the last week. In particular, I have an idea for the To field: > > | To: "judson burrows" <[EMAIL PROTECTED]> > > My name isn't "judson burrows", or Ophelia Rrnyihie, or "edmond olivio", > or any of the numerous similar names spammers have addressed me as > recently! It ought to be fairly easy to write a rule specific to me that > fires if the real name contains neither John nor Wilcock, but how about > a generic plug-in that does an LDAP lookup or similar in order to > determine the real name of J. Random User then checks whether the first > and last names match? There's a challenge for you... > > John. > > -- > -- Over 2500 webcams from ski resorts around the world - www.snoweye.com > -- Translate your technical documents and web pages - www.tradoc.fr >
I don't see this working too well. Are you "users@spamassassin.apache.org"? The messages from this post go to "users@spamassassin.apache.org" - not "John Wilcock". If you're going to attempt to write "pinhole" rules to this, you should also allow your email address as the to name. I've seen some cheesy mail servers not even use a real name in the To field. Keith
