Hello,
There was some discussion on this list a while back about catching Spam that contains the same E-Mail address in the TO and FROM lines. I think it was decided that this could not be done, for some reason.

I just read a post on the SARE mailing list from Tom Brown containing some rules that might help people that want to catch these types of Spam, or at least write their own rules for their Site(s). They lint OK, and appear to work for me.

The original post is as follows (Happy New Year!):

Subject: [Sare-users] forged bounces... these rules might be usefull.

I woke up to a slew of these in my inbox... my thinking in the score of 1 for TOM_TO_EQ_FR is that legit messages of this form should look VERY legit and be unlikely to score high...

header   __TOM_TO_EQ_FRa  ALL =~ m/^From:\s+?<?(....@.+)>?(\s|$)[^\0]*^To:.*\1/m
header   __TOM_TO_EQ_FRb  ALL =~ m/^To:\s+?<?(....@.+)>?(\s|$)[^\0]*^From:.*\1/m
meta     TOM_TO_EQ_FR     __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb
score    TOM_TO_EQ_FR     1
describe TOM_TO_EQ_FR     To and From are the same, could be a cc or a forgery

header   __TOM_BOUNCE     Subject =~ /(This mail is refused message|\*\*Message you sent blocked by our bulk email filter\*\*|Your message could not be delivered|Non delivery report: 5.9.4 \(Spam SLS\/RBL\)|Please confirm your message|Returned mail: Quota exceeded)/
meta     TOM_BAD_BOUNCE   __TOM_BOUNCE && TOM_TO_EQ_FR
describe TOM_BAD_BOUNCE   looks like a forged bounce (known sub and to==from)
score    TOM_BAD_BOUNCE   2.5
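
An offline check of what the two meta rules above are meant to hit, as an added example that is not part of the original post or of SpamAssassin. It compares parsed, lower-cased addresses instead of running the posted header regexes, reuses the subject list and scores from the post, and the function names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Subject alternatives copied from the __TOM_BOUNCE rule in the post.
BOUNCE_SUBJECT = re.compile(
    r"(This mail is refused message"
    r"|\*\*Message you sent blocked by our bulk email filter\*\*"
    r"|Your message could not be delivered"
    r"|Non delivery report: 5.9.4 \(Spam SLS/RBL\)"
    r"|Please confirm your message"
    r"|Returned mail: Quota exceeded)"
)
# Scores as given in the post.
SCORES = {"TOM_TO_EQ_FR": 1.0, "TOM_BAD_BOUNCE": 2.5}

def addresses(msg, header):
    """Lower-cased addresses from every instance of one header (assumed helper)."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.lower() for _name, addr in pairs if "@" in addr}

def evaluate(raw):
    """Return (rules hit, total score) for one raw message (assumed helper)."""
    msg = message_from_string(raw)
    hits = []
    # Intent of TOM_TO_EQ_FR: an address in From also appears in To.
    if addresses(msg, "From") & addresses(msg, "To"):
        hits.append("TOM_TO_EQ_FR")
        # Intent of TOM_BAD_BOUNCE: known bounce subject AND To == From.
        if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
            hits.append("TOM_BAD_BOUNCE")
    return hits, sum(SCORES[h] for h in hits)

# Constructed sample messages (example.com / example.net are placeholders).
SAMPLES = {
    "forged_bounce": "From: <alice@example.com>\nTo: Alice <ALICE@example.com>\n"
                     "Subject: Returned mail: Quota exceeded\n\nbody\n",
    "note_to_self": "From: alice@example.com\nTo: alice@example.com\n"
                    "Subject: shopping list\n\nbody\n",
    "real_bounce": "From: MAILER-DAEMON@example.net\nTo: alice@example.com\n"
                   "Subject: Your message could not be delivered\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *evaluate(raw))
```

The note-to-self sample shows why the post scores To == From at only 1: legitimate mail takes that hit too, and only the combination with a known bounce subject adds the 2.5.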