Kelson Vibber <[EMAIL PROTECTED]> writes: > "adivvy" <[EMAIL PROTECTED]> wrote: >> 1. Considered spam by SA but subject not altered because of two 'subject:' >> fields: > > This one's new to me, and sounds like it would be an excellent indicator of > spam. (Are two subject headers even allowed?)
I've seen it before. I think Theo tried a rule for 2 or more, but it had too many false positives, believe it or not. I'm pretty sure we use both headers in most Subject tests, though. >> 2. A half-dozen spam (and only spam) messages delivered directly to my >> Exchange box; thereby avoiding SA totally. >> ... >> I also have a 2nd MX pointing directly at the Exchange box > > This one's old hat. A significant percentage of spammers will deliberately > send to the secondary MX on the chance that it will be less protected than > the primary. There's a network rule that detects *some* of these in 2.60 (MSGID_FROM_MTA_BACKUP). We can't do much more since using the secondary MX is allowed. Just make sure those messages get filtered later on. :-) Daniel -- Daniel Quinlan anti-spam (SpamAssassin), Linux, and open http://www.pathname.com/~quinlan/ source consulting (looking for new work) ------------------------------------------------------- This SF.Net email sponsored by: Free pre-built ASP.NET sites including Data Reports, E-commerce, Portals, and Forums are available now. Download today and enter to win an XBOX or Visual Studio .NET. http://aspnet.click-url.com/go/psa00100006ave/direct;at.asp_061203_01/01 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
