Hello list,

I've seen a sharp increase in spam that is really easy to identify, but
I'm struggling to get SA to do so. One example is:

The To: header matches:
/^([EMAIL PROTECTED])@(?:regexp-of-my-local-domains)$/
The Subject matches:
/^Fw: Discount for (\S+)/
and the $1 captures in both of these patterns are the same, in an C<eq>
sense. Finally, the message body is a multipart message, purported to be
a forwarded message, and in the body of the message there is
/^Subject: (\S+)$/
and once again the captured pattern is the same as the previous two. If
those three conditions match up, that's worth 3 to 5 straight away. And
there's other garbage to improve the score.

If I could write a contextual rule that remembers those three items and
then makes a decision, I'd be a happy man. I think I need to write a
plugin, since you can't capture stuff with basic rules and then
manipulate the captures (at least, not in any rulesets I've seen). Plus,
since the captured pattern is the LHS of a local email address, I
could refine things even further if necessary by doing a recipient lookup.

I'm sure people have already done this sort of thing, so I tried
searching for ideas to steal but came up short. So... does anyone have
some ideas (or code) they can point out to me?

I know how to do this in a policy server for Postfix, but I'd rather do
it in SA if possible.

Thanks,
David
--
"It's overkill of course, but you can never have too much overkill."
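
The three-way correlation described in the message above, sketched as a SpamAssassin eval-rule plugin. This is an added example, not code from the original post or from the SpamAssassin project. The package name, rule name, score, file path, the local-part pattern and the example.com/example.org domains are assumptions standing in for the poster's own values.

```perl
# FwDiscountSelf.pm -- added example. Hypothetical local.cf wiring:
#   loadplugin FwDiscountSelf /etc/mail/spamassassin/FwDiscountSelf.pm
#   header   FW_DISCOUNT_SELF  eval:check_fw_discount_self()
#   describe FW_DISCOUNT_SELF  To localpart repeated in Subject and fwd body
#   score    FW_DISCOUNT_SELF  3.0
package FwDiscountSelf;
use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

# Assumption: placeholder for the site's regexp of local domains.
my $LOCAL_DOMAINS = qr/(?:example\.com|example\.org)/i;

sub new {
  my ($class, $mailsa) = @_;
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsa);
  bless($self, $class);
  $self->register_eval_rule('check_fw_discount_self');
  return $self;
}

sub check_fw_discount_self {
  my ($self, $pms) = @_;

  # 1. Local part (LHS) of the To: address, local domains only.
  my $to = $pms->get('To:addr');
  return 0 unless defined $to && $to =~ /^([^\@\s]+)\@$LOCAL_DOMAINS$/;
  my $lhs = $1;

  # 2. Token after "Fw: Discount for" in the Subject must eq the LHS.
  my $subject = $pms->get('Subject');
  return 0 unless defined $subject && $subject =~ /^Fw: Discount for (\S+)/;
  return 0 unless $1 eq $lhs;

  # 3. A "Subject: <token>" line in the decoded body text must also eq it.
  #    /m lets the pattern work whether an element holds one line or several.
  my $body = $pms->get_decoded_body_text_array();
  for my $chunk (@{ $body || [] }) {
    while ($chunk =~ /^Subject: (\S+)[ \t\r]*$/mg) {
      return 1 if $1 eq $lhs;
    }
  }
  return 0;
}

1;
```

The rule fires only when all three captures are string-equal, so legitimate forwards to a local address whose Subject or quoted Subject differs from the recipient's local part are not scored.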