Thanks. I searched the archives and found a link to a site that now
redirects to SARE, but I couldn't find a rule for this there. So I finally
wrote a rule that seems to work:
header RECEIVED_AT_NIGHT Received =~ /id [^;]+; ..., \d?\d ... \d\d\d\d 0[0-6]:\d\d:\d\d/
This matches headers like this one:
id 587BB3565B8; Tue, 12 Sep 2006 05:10:17 +0200 (CEST)
It corresponds to the received header that my MTA adds, so it has the local
time when the message arrives. It matches messages that arrive from 00:00:00
to 06:59:59 (I gave it a score of 1.5). I don't know if that header is the
same in every MTA, but it would only need a little change. Spammers in my
opinion can't do anything about this because that header is added locally.

points if the message arrives between, say, 1:00 and 6:00 (I should set
it from 21:00 to 8:00 since this is an office and I don't think someone is
going to send anything work-related at this time, but just to be
careful... ).
Do you know how this can be done? Do you think it could give too many
false positives?

I would be nervous about such a rule with any appreciable score, but you
might be able to get away with adding a couple of points for receipt at an
odd time of day.
While I'm not sitting in an office at the moment (left there an hour ago) I
do deal in a sideline business with people literally all over the world.
So it isn't the slightest unusual to get mail at 4AM from the UK or the
middle of the night from China.
Actually writing the rule is likely to be a bit messy unless you do it as a
plugin. A normal regex can only test for equality. So you would have to
write a regex that would match a selection of times in the top received
header, which is presumably supplied by your system and has the correct
local time.
Loren
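
An added example, not part of the original thread: a Python helper that builds the hour alternation for a window that wraps past midnight (the 21:00 to 8:00 case raised above), emits the matching rule line, and tests only the top Received header, as Loren describes. The function names and every sample header except the one quoted in the thread are constructed for illustration.

```python
import re

# Pattern from the rule posted in the thread (this Perl syntax is also valid for Python's re).
POSTED = r"id [^;]+; ..., \d?\d ... \d\d\d\d 0[0-6]:\d\d:\d\d"
# Everything in the posted pattern up to the hour field.
PREFIX = r"id [^;]+; ..., \d?\d ... \d\d\d\d "

def hour_pattern(start, end):
    """Alternation of two-digit hours in [start, end), wrapping past midnight."""
    if not (0 <= start <= 23 and 0 <= end <= 23) or start == end:
        raise ValueError("hours must be 0-23 and differ")
    hours, h = [], start
    while h != end:
        hours.append("%02d" % h)
        h = (h + 1) % 24
    return "(?:" + "|".join(sorted(hours)) + ")"

def night_rule(start, end, name="RECEIVED_AT_NIGHT"):
    """Return (regex body, rule line) for arrivals with start <= hour < end."""
    body = PREFIX + hour_pattern(start, end) + r":\d\d:\d\d"
    return body, "header %s Received =~ /%s/" % (name, body)

def top_received_matches(received_headers, body):
    """Test only the first (topmost) Received header, the one the local MTA added."""
    return bool(received_headers) and re.search(body, received_headers[0]) is not None

# Header quoted in the thread, plus constructed variants with other times.
FROM_THREAD = "id 587BB3565B8; Tue, 12 Sep 2006 05:10:17 +0200 (CEST)"

def sample(hms):
    return "id 587BB3565B8; Tue, 12 Sep 2006 %s +0200 (CEST)" % hms

if __name__ == "__main__":
    body, rule = night_rule(21, 8)
    print(rule)
    for hms in ("20:59:59", "21:00:00", "05:10:17", "07:59:59", "08:00:00"):
        print(hms, top_received_matches([sample(hms)], body))
```

A lower Received header carrying a night-time stamp does not trigger the check, because only the first list element is examined.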