Found a spam today which passed didn't reach required hits. I fixed that
with a couple of specific rules, and also found what may be a decent
generic rule, a rule that wasn't kicked off in 2.55 (my apologies if this
rule exists in 2.60).
The pattern is that a Received header points to an IP address, rather
than a domain name.
This isn't a sure sign of spam, since my own emails sometimes happen to
have this characteristic -- apparently generated by my mail client, my
ISP, or maybe my DSL router because I'm behind that DSL router with NAT
protection. Because of this, it can't get a high score, but a low
positive score indicative of possible spam may be appropriate.
When run against my corpus, it matched 60 spam and 3 ham (two of which
were from me to another email address I participate in).
My proposed rule:
header L_hr_HeloIP Received =~
/helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
describe L_hr_HeloIP Received has helo=IP - may be spam, or may be DSL router w/nat
score L_hr_HeloIP 0.5
Bob Menschel
-------------------------------------------------------
This SF.net email is sponsored by: VM Ware
With VMware you can run multiple operating systems on a single machine.
WITHOUT REBOOTING! Mix Linux / Windows / Novell virtual machines at the
same time. Free trial click here: http://www.vmware.com/wl/offer/345/0
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
