On Wed, 5 Aug 2009, Chris wrote:
> On Wed, 2009-08-05 at 12:11 +0200, Tomasz Chmielewski wrote:
>> For example, when there are 5-10 recipients, assign 1 point; 11
>> recipients and more - assign 2 points.
>
> Here's the rule(s) I use. They were posted here on the list quite awhile
> back:
>
> describe TO_TOO_MANY To: too many recipients
> header TO_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score TO_TOO_MANY 0.3
>
> describe TO_WAY_TOO_MANY To: way too many recipients
> header TO_WAY_TOO_MANY To =~ /(?:,[^,]{1,80}){20}/
> score TO_WAY_TOO_MANY 0.3

TO_WAY_TOO_MANY should have something higher than 20 addresses if that's
how many will trigger TO_TOO_MANY. With them set to the same number, they
are duplicate rules and SA collapses them - only one will ever hit.
I use 30 and 50.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
adware architecture incorporating spyware, profiling, competitor
suppression and delivery confirmation (U.S. Patent #20070157227)
-----------------------------------------------------------------------
Today: the 274th anniversary of John Peter Zenger's acquittal
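
The following is an added example, not code from anyone in the thread: it runs the posted pattern, and the 30 and 50 thresholds mentioned in the reply, against constructed To: values using Python's `re`, which handles this pattern the same way Perl does. The helper names, the sample addresses, and the mapping of 30 and 50 onto the two rule names are assumptions made for illustration.

```python
import re

def recipient_rule(min_commas):
    # Same shape as the posted pattern: min_commas consecutive runs of a
    # comma followed by 1-80 non-comma characters.
    return re.compile(r"(?:,[^,]{1,80}){%d}" % min_commas)

# As posted: both rules carry the identical pattern.
POSTED = {"TO_TOO_MANY": recipient_rule(20),
          "TO_WAY_TOO_MANY": recipient_rule(20)}

# Assumed mapping of the "30 and 50" from the reply onto the two rule names.
TIERED = {"TO_TOO_MANY": recipient_rule(30),
          "TO_WAY_TOO_MANY": recipient_rule(50)}

def make_to(n):
    """Constructed To: value with n plain addresses (n - 1 commas)."""
    return ", ".join("user%d@example.com" % i for i in range(n))

def make_to_display(n):
    """Constructed To: value where every display name contains a comma."""
    return ", ".join('"Doe%d, John" <u%d@example.com>' % (i, i)
                     for i in range(n))

def hits(rules, to_value):
    """Names of the rules whose pattern matches the To: value."""
    return sorted(name for name, rx in rules.items() if rx.search(to_value))

if __name__ == "__main__":
    for n in (20, 21, 31, 51):
        value = make_to(n)
        print(n, "posted:", hits(POSTED, value),
              "tiered:", hits(TIERED, value))
    print(11, "with display names, posted:",
          hits(POSTED, make_to_display(11)))
```

The pattern counts commas rather than addresses, so a To: header with 11 recipients written as "Last, First" already reaches the threshold of 20; that is worth keeping in mind when choosing the numbers and scores.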