There was some discussion last week about custom site-wide rules that are
based on knowledge of the local mail domain.  Here are two custom rules I
have been using recently that have been very successful.  The first rule is
based on the assumption that mail sent to anybody at our old mail server
(gone for over 4 years) is most likely spam.  The second rule assumes that
mail addressed to people who have been gone from the company for years is
spam.  Even though their accounts no longer exist, this rule flags those
multi-recipient spams where their IDs are mixed in with those that are
still valid and active.

The 4.0 score I have assigned is arbitrary, of course.  I will bump this up
to something well over 5.0 once I'm more sure of the results.  Since I
quarantine our spam, the LOCAL: tag in the rule description makes it easy
to grep for the hits on my custom rules.

Here are the rules (names have been changed to protect the innocent):

  # Addressed to user at our old mail server
  # (dots escaped so "." matches only a literal dot)
  header    OLD_MAILSVR  ToCc =~ /oldsvr\.mycompany\.com/i
  describe  OLD_MAILSVR  LOCAL: Sent to old mail server oldsvr.mycompany.com
  score     OLD_MAILSVR  4.0

  # Long-gone user listed in the To: or Cc: line
  # (\b keeps a longer ID such as joeuser10 from matching)
  header    ANCIENT_RCPT  ToCc =~ /\b(joeuser1|joeuser2|joeuser3)\b/i
  describe  ANCIENT_RCPT  LOCAL: Long-departed user ID in addressee list
  score     ANCIENT_RCPT  4.0

-- 
Mike Scheidler                        [EMAIL PROTECTED]




_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
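
An added example, not part of the original post: a small Python harness that runs the two rules over constructed To/Cc headers, comparing an unescaped, unanchored form of each pattern with an escaped, word-bounded form, to show which look-alike addresses each form flags. Python's `re` stands in for SpamAssassin's Perl regexes here; the `to_cc` helper, the sample addresses and the `STRICT` patterns are assumptions made for illustration.

```python
import re
from email import message_from_string

# rule name -> (pattern, score); matched case-insensitively, like /.../i
LOOSE = {
    "OLD_MAILSVR":  (r"oldsvr.mycompany.com", 4.0),          # "." = any char
    "ANCIENT_RCPT": (r"(joeuser1|joeuser2|joeuser3)", 4.0),  # substring match
}
STRICT = {
    "OLD_MAILSVR":  (r"oldsvr\.mycompany\.com", 4.0),
    "ANCIENT_RCPT": (r"\b(joeuser1|joeuser2|joeuser3)\b", 4.0),
}

def to_cc(raw):
    """Approximate the ToCc pseudo-header: all To and Cc values joined."""
    msg = message_from_string(raw)
    return ", ".join((msg.get_all("To") or []) + (msg.get_all("Cc") or []))

def evaluate(raw, rules):
    """Return (sorted names of rules that hit, summed score) for one message."""
    text = to_cc(raw)
    hits = sorted(name for name, (pat, _) in rules.items()
                  if re.search(pat, text, re.I))
    return hits, sum(rules[name][1] for name in hits)

# Constructed sample messages (not real mail).
SAMPLES = {
    # departed ID mixed in with valid recipients
    "mixed_rcpts": "To: alice@mycompany.com, joeuser2@mycompany.com\n"
                   "Cc: bob@mycompany.com\n\nbody\n",
    # departed ID at the retired server: both rules should fire
    "old_server": "To: JoeUser1@OLDSVR.mycompany.com\n\nbody\n",
    # active user whose ID merely contains a departed ID
    "similar_id": "To: joeuser10@mycompany.com\n\nbody\n",
    # different domain that differs only where the pattern has "."
    "lookalike_domain": "To: alice@mycompany.com\n"
                        "Cc: info@oldsvr-mycompany.com.example\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} loose={evaluate(raw, LOOSE)} "
              f"strict={evaluate(raw, STRICT)}")
```

The last two samples are the ones to watch: the loose patterns score them 4.0 each, while the strict patterns leave them alone.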
