Found a spam today which passed (didn't reach required hits). I fixed that
with a couple of specific rules, and also found what may be a decent
generic rule, a rule that wasn't kicked off in 2.55 (my apologies if this
rule exists in 2.60).

The pattern is that a Received header points to an IP address, rather
than a domain name.

This isn't a sure sign of spam, since my own emails sometimes happen to
have this characteristic -- apparently generated by my mail client, my
ISP, or maybe my DSL router because I'm behind that DSL router with NAT
protection. Because of this, it can't get a high score, but a low
positive score indicative of possible spam may be appropriate.

When run against my corpus, it matched 60 spam and 3 ham (two of which
were from me to another email address I participate in).

My proposed rule:

header    L_hr_HeloIP  Received =~ /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i
describe  L_hr_HeloIP  Received has helo=IP - may be spam, or may be DSL router w/nat
score     L_hr_HeloIP  0.5

Bob Menschel
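
Added example, not part of the original post: a Python sketch that runs the posted pattern over the Received headers of a small constructed corpus and tallies spam/ham hits, the way the corpus run above was counted. It checks each Received header separately; the function names, the sample messages and the stricter `HELO_IP_STRICT` variant are assumptions made for illustration and go beyond the rule as posted.

```python
import re
from email import message_from_string

# Pattern exactly as posted in the rule above.
HELO_IP = re.compile(r"helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}", re.I)
# Hypothetical stricter variant (not from the post): the HELO token must end
# right after the fourth octet, so "helo=192.0.2.10.dsl.example.net" is skipped.
HELO_IP_STRICT = re.compile(HELO_IP.pattern + r"(?![0-9A-Za-z.-])", re.I)


def received_hits(raw, pattern=HELO_IP):
    """Return the unfolded Received headers of one message that match pattern."""
    msg = message_from_string(raw)
    headers = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    return [h for h in headers if pattern.search(h)]


def corpus_counts(corpus, pattern=HELO_IP):
    """Count matching messages per label, like a spam/ham corpus run."""
    counts = {"spam": 0, "ham": 0}
    for label, raw in corpus:
        if received_hits(raw, pattern):
            counts[label] += 1
    return counts


def _msg(*received):
    """Build a minimal constructed message with the given Received headers."""
    lines = ["Received: " + r for r in received]
    return "\n".join(lines + ["Subject: constructed sample", "", "body"])


# Constructed sample corpus (documentation addresses, not real mail).
SAMPLE_CORPUS = [
    ("spam", _msg("from unknown (helo=203.0.113.7)\n\tby mx.example.org with smtp")),
    ("spam", _msg("from relay.example.net (helo=relay.example.net) by mx.example.org",
                  "from [198.51.100.9] (HELO=198.51.100.9) by relay.example.net")),
    ("ham", _msg("from mail.example.com (helo=mail.example.com) by mx.example.org")),
    ("ham", _msg("from cpe (helo=192.0.2.10.dsl.example.net) by mx.example.org")),
    ("ham", _msg("from natbox (helo=192.168.1.2) by smtp.example.org")),
]

if __name__ == "__main__":
    print("posted rule :", corpus_counts(SAMPLE_CORPUS))
    print("strict form :", corpus_counts(SAMPLE_CORPUS, HELO_IP_STRICT))
```

The posted pattern also fires on a HELO hostname that merely begins with a dotted quad, which is one way ham from DSL or NAT setups can hit it; the strict form drops that case but still matches a bare private address sent as HELO.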




_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
