On 01/14/2018 01:45 AM, Rupert Gallagher wrote:
Good question!
One may write the regex backwards: if it matches "fedex" in the address,
but does not match "FedEx" in the name, then... However, there are many
cases where this will fail or return false positives.
One may say that fedex is a brand name that only fedex can use, so if
the pattern matches anywhere in the From string (comment and
address), and the last Received from IP is not in fedex's spf, then it
is spam. This will catch fishes like
From: "FedEx invoices invoi...@fedex.com" <fool...@example.com>
I have put fedex.com in 60_whitelist_auth.cf so you should be seeing
legit email from Fedex scoring very low. Create local rules to add
points to "fedex" and other strings you find from spoofing.
On Sun, Jan 14, 2018 at 02:28, Alex <mysqlstud...@gmail.com
<mailto:mysqlstud...@gmail.com>> wrote:
Hi, I don't think I fully understand how to use the fuzzy rules with a
proper regex: From: "F*e dE x" That address hardly resembles "Fed Ex",
but how general of a rule can we create and still catch variations
such as this? I thought something like this would work: header
FUZZY_FEDEX From =~ /(?!f.?e.?d.{0,3}e.?x) .? .? .{0,3} .? /i
--
David Jones
