On Fri, 14 Jan 2011, Ned Slider wrote:
> header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
> describe NSL_RCVD_HELO_USER Received from HELO User
>
> Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER rule:
>
> header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
> describe NSL_RCVD_FROM_USER Received from User
>
> The above are particularly effective (here) against 419 / bank phish type
> emails sent from compromised webmail accounts. Hit rate is not great, but the
> FP count is near zero.
Ned, I put those into my sandbox when you first suggested them and they
are performing _quite_ well.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Activist: Someone who gets involved.
Unregistered Lobbyist: Someone who gets involved with something
the MSM doesn't approve of. -- WizardPC
-----------------------------------------------------------------------
3 days until Benjamin Franklin's 305th Birthday
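To see what the two Received-header rules quoted above actually match, and how they would behave once combined into a meta rule, here is an added example (not code from the thread, from Ned, or from SpamAssassin itself). It transcribes the two regexes into Python, applies them to constructed Received lines in Postfix, Exim and qmail style, and then applies an assumed meta rule `meta NSL_RCVD_USER (NSL_RCVD_HELO_USER || NSL_RCVD_FROM_USER)`; the meta rule name and the OR logic are assumptions, since the post only says "combine". Testing each Received line on its own is a simplification of how SpamAssassin evaluates multi-instance headers.

```python
import re

# Ned's two header rules, transcribed from SpamAssassin syntax to Python regexes.
# HELO_USER is /i in the original, FROM_USER is case-sensitive; both are kept as posted.
HEADER_RULES = {
    "NSL_RCVD_HELO_USER": re.compile(r"helo[= ]user\)", re.IGNORECASE),
    "NSL_RCVD_FROM_USER": re.compile(r"from User [\[\(]"),
}

# Assumed meta rule (name and OR logic are not stated in the post):
#   meta NSL_RCVD_USER (NSL_RCVD_HELO_USER || NSL_RCVD_FROM_USER)
META_RULE = "NSL_RCVD_USER"


def header_hits(received):
    """Return the set of header rules whose regex matches any Received line.

    Simplification: each Received line is searched separately rather than
    through SpamAssassin's own handling of repeated headers.
    """
    hits = set()
    for name, pattern in HEADER_RULES.items():
        if any(pattern.search(line) for line in received):
            hits.add(name)
    return hits


def meta_hits(hits):
    """Apply the assumed meta rule: fires when either sub-rule fired."""
    if hits & set(HEADER_RULES):
        return hits | {META_RULE}
    return set(hits)


def evaluate(received):
    """Full evaluation of one message's Received headers: header rules, then meta."""
    return meta_hits(header_hits(received))


# Constructed sample Received header blocks (not from the original post), one
# list per message, newest hop first as in a real header block.
SAMPLES = {
    # Postfix relay that records the client's HELO string as "User"
    "phish_webmail_postfix": [
        "from mx.example.org (mx.example.org [192.0.2.1]) by inbox.example.org with ESMTP id 1",
        "from User (unknown [203.0.113.5]) by mx.example.org (Postfix) with ESMTPA id 2",
    ],
    # Exim style: helo=User in parentheses
    "phish_webmail_exim": [
        "from [198.51.100.9] (helo=User) by mail.example.net with esmtpa (Exim 4.72) id 3",
    ],
    # qmail style: (HELO user), lower case, caught by the /i flag
    "phish_qmail_style": [
        "from unknown (HELO user) (203.0.113.77) by mail.example.net with SMTP; 14 Jan 2011 12:00:00 -0000",
    ],
    # Ordinary relay hop: neither regex should fire
    "legit_relay": [
        "from mail-gw.example.com (mail-gw.example.com [192.0.2.50]) by mx.example.org with ESMTPS id 4",
    ],
    # Near misses: "Username" is not followed by [ or (, and helo=user.example.com
    # is not followed directly by ")", so the anchoring in both regexes holds.
    "legit_near_miss": [
        "from Username (host.example.com [198.51.100.7]) by mx.example.org with ESMTPA id 5",
        "from client (helo=user.example.com) by relay.example.com with esmtp id 6",
    ],
}


def main():
    for label, received in SAMPLES.items():
        print(f"{label:22s} {sorted(evaluate(received)) or '-'}")


if __name__ == "__main__":
    main()
```

The two near-miss lines are the interesting part from a false-positive standpoint: the trailing `\)` in the HELO rule and the required `[\[\(]` after `User` in the FROM rule are what keep hostnames like `user.example.com` or `Username` from matching, which is consistent with the near-zero FP count reported above.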