I'm using a couple rules I found here that hit when there are 5-9 or 10+ recipients:

    header   __COUNT_RCPTS ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/
    tflags   __COUNT_RCPTS multiple

    meta     RCPTS_5_10 (__COUNT_RCPTS >= 5)
    score    RCPTS_5_10 1.0
    describe RCPTS_5_10 Message has 5 or more recipients

    meta     RCPTS_10_PLUS (__COUNT_RCPTS >= 10)
    score    RCPTS_10_PLUS 1.0
    describe RCPTS_10_PLUS Message has 10 or more recipients

I'm seeing a bunch of spams that are being sent to some of my users where there are multiple other recipients, and most, if not all, of the other recipients are various freemail accounts. Anyone have any ideas on how to identify when the other recipients are freemail users, so that this can be scored even higher?
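
One way to extend the recipient-count rules above to freemail recipients, as an added example that is not part of the original post: a second `tflags multiple` counter restricted to freemail domains, compared against `__COUNT_RCPTS` in meta rules. The rule names `__COUNT_FREEMAIL_RCPTS`, `RCPTS_MOSTLY_FREEMAIL` and `RCPTS_HALF_FREEMAIL`, the short domain list and the scores are assumptions to be tuned locally.

```conf
# Requires the __COUNT_RCPTS rule from the post to be loaded as well.

# Count To/Cc addresses at a freemail provider. With "tflags multiple" the
# rule's value is the number of matches, exactly as for __COUNT_RCPTS.
# The domain list is a constructed sample, not exhaustive; extend it for
# the providers seen in your own spam. The lookahead stops a match on
# look-alike hosts such as gmail.com.example.org.
header   __COUNT_FREEMAIL_RCPTS ToCc =~ /[^\@,\s]+\@(?:gmail|yahoo|hotmail|outlook|aol)\.com(?![\w.-])/i
tflags   __COUNT_FREEMAIL_RCPTS multiple

# 5+ recipients and at most one of them (typically the local user) is not
# at a freemail domain. Meta rules accept arithmetic on subrule hit counts.
meta     RCPTS_MOSTLY_FREEMAIL (__COUNT_RCPTS >= 5) && (__COUNT_FREEMAIL_RCPTS >= (__COUNT_RCPTS - 1))
score    RCPTS_MOSTLY_FREEMAIL 1.0
describe RCPTS_MOSTLY_FREEMAIL 5 or more recipients, all but one at most are freemail

# Softer tier: 5+ recipients and at least half are freemail, but not
# enough of them to hit the stricter rule above.
meta     RCPTS_HALF_FREEMAIL (__COUNT_RCPTS >= 5) && ((2 * __COUNT_FREEMAIL_RCPTS) >= __COUNT_RCPTS) && !RCPTS_MOSTLY_FREEMAIL
score    RCPTS_HALF_FREEMAIL 0.5
describe RCPTS_HALF_FREEMAIL 5 or more recipients, at least half are freemail
```

Both counters match on the raw header text, so an address that is repeated in its own display name is counted twice by each; run `spamassassin --lint` after adding the rules and check hit rates against a ham corpus before raising the scores.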