At Wed, 20 Feb 2002 16:16:56 -0800 John Beck wrote:
> ...
> would trigger false positives on
> 
> a@domain, b@domain, ..., k@domain
> 
> i.e., 11 (not 10) of the same domain would trigger this regardless of the
> local parts.  Well, the SUSPICIOUS_[CC_]RECIPS macros seemed good, so I
> tweaked them into:
> 
> header VERY_SUSP_RECIPS         To =~ /([a-z0-9-_]{1,}@).*(?:\1.*){9,}/is
> header VERY_SUSP_CC_RECIPS      Cc =~ /([a-z0-9-_]{1,}@).*(?:\1.*){9,}/is

Coincidentally, I just sent fixes for these patterns last night.  But yours
requires the final substring of the username to be the same each time,
while (I believe) the rule was intended to catch the frequent practice of
sending to a large list of alphabetized names, e.g.  francesca@foo,
frank@bar, franklin#baz, fred@baz ... .  So the original pattern (intended
to) match repeated addresses with the same initial 2 characters.  But as
you saw, it wasn't quite right.  It matched parts of the domain when it
thought it was matching username.

Try these (probably still more complex than necessary):

header VERY_SUSP_RECIPS         To =~ /\b([a-z][a-z])[^@,]{0,20}(@[-a-z0-9_\.]{0,30}).{0,30}?(?:\b\1[^@,]*\2.{0,30}?){9,}/is

header VERY_SUSP_CC_RECIPS      Cc =~ /\b([a-z][a-z])[^@,]{0,20}(@[-a-z0-9_\.]{0,30}).{0,30}?(?:\b\1[^@,]*\2.{0,30}?){9,}/is

Tom
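
Added example, not part of the original messages: a small harness that runs the two To-header patterns from this thread over constructed recipient lists, so the difference between them can be checked before a rule is deployed. It assumes Python's `re` behaves like Perl's regex engine for these constructs; the recipient names and `.example` domains are made up.

```python
import re

FLAGS = re.IGNORECASE | re.DOTALL  # equivalent of the rules' /is modifiers

# Both patterns are copied verbatim from the messages above.
QUOTED_TWEAK = re.compile(r"([a-z0-9-_]{1,}@).*(?:\1.*){9,}", FLAGS)
REPLY_FIX = re.compile(
    r"\b([a-z][a-z])[^@,]{0,20}(@[-a-z0-9_\.]{0,30}).{0,30}?"
    r"(?:\b\1[^@,]*\2.{0,30}?){9,}", FLAGS)

def to_header(local_parts, domains):
    """Build a constructed To: value, cycling through the given domains."""
    return ", ".join(f"{lp}@{domains[i % len(domains)]}"
                     for i, lp in enumerate(local_parts))

# Constructed sample data (not taken from real mail).
MIXED = ["foo.example", "bar.example", "baz.example"]
ALPHABETIZED = ["francesca", "frank", "franklin", "fred", "freda",
                "frederic", "fredrik", "freya", "frida", "fritz"]
COLLEAGUES = ["alice", "bob", "carol", "dave", "erin", "frank",
              "grace", "heidi", "ivan", "judy", "mallory"]

SAMPLES = {
    # Ten names sharing their first two letters, spread over several domains.
    "alphabetized_10": to_header(ALPHABETIZED, MIXED),
    # One address short of the ten the {9,} repeat requires.
    "alphabetized_9": to_header(ALPHABETIZED[:9], MIXED),
    # Eleven unrelated local parts at one domain (the false-positive case).
    "same_domain_11": to_header(COLLEAGUES, ["corp.example"]),
    # The same local part ten times, on varying domains.
    "same_local_part_10": to_header(["info"] * 10, MIXED),
}

def evaluate(samples=SAMPLES):
    """Return, per sample header, which of the two patterns fires."""
    return {name: {"quoted_tweak": bool(QUOTED_TWEAK.search(value)),
                   "reply_fix": bool(REPLY_FIX.search(value))}
            for name, value in samples.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:20} {hits}")
```

Because the second capture group can backtrack down to a bare `@`, the reply's pattern does not require the recipients to share a domain.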
