Hi,

On Sun, Jan 14, 2018 at 7:58 AM, David Jones <djo...@ena.com> wrote:
> On 01/14/2018 01:45 AM, Rupert Gallagher wrote:
>>
>> Good question!
>>
>> One may write the regex backwards: if it matches "fedex" in the address,
>> but does not match "FedEx" in the name, then... However, there are many
>> cases where this will fail or return false positives.
>>
>> One may say that fedex is a brand name that only fedex can use, so if the
>> pattern matches anywhere in the From string (comment and address), and the
>> last Received from IP is not in fedex's spf, then it is spam. This will
>> catch fishes like
>>
>> From: "FedEx invoices invoi...@fedex.com" <fool...@example.com>
>>
>
> I have put fedex.com in 60_whitelist_auth.cf so you should be seeing legit
> email from Fedex scoring very low. Create local rules to add points to
> "fedex" and other strings you find from spoofing.

Yes, I'm doing that here locally, but was just interested in these edge cases where "fedex" is almost nearly completely obscured that rules adding points for "fedex" don't match these cases, yet readable enough by a human that my users will notice (and complain, as always). I was also interested in understanding more about these fuzzy regex rules and how to use them to my advantage.
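
Added example, not part of the original thread and not SpamAssassin's own code: a Python sketch of the check discussed above, flagging a From header whose display name carries "fedex" (including spaced, accented or digit-swapped spellings) while the address domain is not the brand's. The look-alike map, the `BRAND_DOMAINS` set and the function names are assumptions made for illustration; the SPF/Received comparison from the quoted suggestion is not implemented, and the header is assumed to be already decoded from RFC 2047.

```python
import re
import unicodedata
from email.utils import parseaddr

BRAND = "fedex"                  # brand string taken from the thread
BRAND_DOMAINS = {"fedex.com"}    # assumption: domains accepted as the real sender

# Constructed look-alike map: characters commonly swapped in for letters.
LOOKALIKES = str.maketrans({"3": "e", "0": "o", "1": "l", "@": "a", "$": "s"})


def squash(text):
    """Reduce text to bare ASCII letters so obscured spellings collapse."""
    # NFKD splits accented letters into base letter + combining mark.
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(LOOKALIKES)
    # Drop spaces, dots, dashes and anything else that is not a letter.
    return re.sub(r"[^a-z]", "", text)


def is_brand_domain(domain):
    """True for the brand domain itself or any subdomain of it."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)


def brand_spoof(from_header):
    """True when the display name shows the brand but the address does not."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return BRAND in squash(name) and not is_brand_domain(domain)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    samples = [
        '"FedEx invoices tracking@fedex.com" <mailer@example.net>',
        '"F e d E x Delivery" <mailer@example.net>',
        '"F3dEx Shipping" <mailer@example.net>',
        'FedEx <tracking@fedex.com>',
    ]
    for header in samples:
        print(brand_spoof(header), header)
```

Because `squash` joins words before matching, a display name such as "Fed Express" also matches, which is the kind of false positive the quoted reply warns about; treat a hit as a reason to add points, not as a verdict.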