>       So lets take a look at the format of the "From: " line. It is:
>       
>       headername {space} sender-name {space} <[EMAIL PROTECTED]>
>       
>       In this case, the headername is "From:". The sender-name is
>       normally what is in the /etc/passwd file as the comment field.
>       It can be srounded by double-qoutes and contains a matching
>       single-quotes in it. The last part is the Email addresses where
>       the message is coming from. So if we use myself as an example
>       the headerline would look as:
>       
>       From: Tony Cratz <[EMAIL PROTECTED]>
>       
>       That would be if I sent a message. But the SPAMMERS have only
>       been using the part that would be in a whitelist being the
>       Email address. And using a different sender-name.
>       
>       With this knowledge I decided it was time to write a couple of
>       rules. The first to check if my Email address was listed in the
>       from line. The second to check if the sender-name was in the
>       format that I use. And then a meta rule to combine the two tests
>       so that if the sender-email was my Email address but the sender-name
>       is not in the format I use then it will rescore the message so
>       that it removes any whitelist effect so that it can be scored
>       correctly as SPAM.
>       
>       The rules I'm currently using are:
>       
>       
>   header T_FROM_CRATZ_EMAIL               From =~ /<[EMAIL PROTECTED]>/i
>   describe T_FROM_CRATZ_EMAIL     '[EMAIL PROTECTED] E-mail address'
>   header T_FROM_TONY_CRATZ                        From =~ /tony\scratz/i
>   describe T_FROM_TONY_CRATZ      'Email user name Tony Cratz'
>   meta NOT_FROM_CRATZ     (T_FROM_CRATZ_EMAIL && !T_FROM_TONY_CRATZ)
>   score NOT_FROM_CRATZ    200.0
>   
>   
>       This is the first set of rules I have written. There may be a
>       better way to write it. And so far I have not had a large test
>       base on it. But shortly after putting it into place it caught
>       a fresh SPAM message.
>       


        I forgot to ask, is there a generic way for me to do this for
        all of the users and mail lists on my site?
        
        
                                                        Tony


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk

Reply via email to