There was some discussion last week about custom site-wide rules that are based on knowledge of the local mail domain. Here are two custom rules I have been using recently that have been very successful. The first rule is based on the assumption that mail sent to anybody at our old mail server (gone for over 4 years) is most likely spam. The second rule assumes that mail addressed to people who have been gone from the company for years is spam. Even though their accounts no longer exist, this rule flags those multi-recipient spams where their IDs are mixed in with those that are still valid and active.
The 4.0 score I have assigned is arbitrary, of course. I will bump this up to something well over 5.0 once I'm more sure of the results. Since I quarantine our spam, the LOCAL: tag in the rule description makes it easy to grep for the hits on my custom rules. Here are the rules (names have been changed to protect the innocent):

# Addressed to user at our old mail server
header OLD_MAILSVR ToCc =~ /oldsvr\.mycompany\.com/i
describe OLD_MAILSVR LOCAL: Sent to old mail server oldsvr.mycompany.com
score OLD_MAILSVR 4.0

# Long-gone user listed in the To: or Cc: line
header ANCIENT_RCPT ToCc =~ /(joeuser1|joeuser2|joeuser3)/i
describe ANCIENT_RCPT LOCAL: Long-departed user ID in addressee list
score ANCIENT_RCPT 4.0

--
Mike Scheidler
[EMAIL PROTECTED]
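An added example, not part of the original post: a small Python harness for checking local To/Cc patterns like the two above against sample headers before raising their score past the spam threshold. The tightened patterns, the `partner.example` domain and all sample messages are constructed assumptions of this example, and Python's `re` stands in for SpamAssassin's Perl regex matching.

```python
import re
from email import message_from_string

# Unanchored patterns like the ones in the post (placeholder names).
LOOSE = {
    "OLD_MAILSVR": re.compile(r"oldsvr\.mycompany\.com", re.I),
    "ANCIENT_RCPT": re.compile(r"(joeuser1|joeuser2|joeuser3)", re.I),
}
# Tightened variants (assumption of this example, not the poster's rules):
# require a complete local part followed by the local domain and nothing more.
TIGHT = {
    "OLD_MAILSVR": re.compile(r"@oldsvr\.mycompany\.com(?![\w.-])", re.I),
    "ANCIENT_RCPT": re.compile(
        r"(?<![\w.+-])(joeuser1|joeuser2|joeuser3)"
        r"@(oldsvr\.)?mycompany\.com(?![\w.-])", re.I),
}

def tocc(raw):
    """Approximate the text a ToCc header test sees: all To: and Cc: values."""
    msg = message_from_string(raw)
    return "\n".join(v for h in ("To", "Cc") for v in msg.get_all(h, []))

def hits(rules, raw):
    """Names of the rules whose pattern matches the message's To/Cc text."""
    text = tocc(raw)
    return sorted(name for name, rx in rules.items() if rx.search(text))

# Constructed sample messages (headers only).
SAMPLES = {
    # Multi-recipient spam mixing a valid ID with departed ones.
    "mixed_spam": "To: alice@mycompany.com, joeuser2@mycompany.com\n"
                  "Cc: bob@oldsvr.mycompany.com\n\n",
    # A current user whose ID merely starts with a departed user's ID.
    "lookalike_id": "To: joeuser10@mycompany.com\n\n",
    # Same local part, but at somebody else's domain.
    "other_domain": "To: alice@mycompany.com\nCc: joeuser3@partner.example\n\n",
    "clean": "To: alice@mycompany.com\n\n",
}

def compare():
    """Map sample name -> (hits with loose rules, hits with tight rules)."""
    return {n: (hits(LOOSE, raw), hits(TIGHT, raw)) for n, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (loose, tight) in compare().items():
        print(f"{name:13} loose={loose} tight={tight}")
```

The lookahead and lookbehind used in the tightened patterns are also valid Perl regex syntax, so the same anchoring can be carried into the `header` lines.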