What do you guys think of this simple header line:

Received: from Evan ([81.68.237.96])

Shouldn't there be a .com, .net, .biz, etc. after the Evan all the time? I
know most of us will have something like this:

Received: (from [EMAIL PROTECTED])

But that is enclosed in parens. I'm pretty sure that the S/O ratio on
something like this should be good. Unfortunately my corpus isn't big
enough yet to check this. Can someone check?

How does this regex look?

header WRKSTATION_NAME Received =~ /^from \w+ \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)/
describe WRKSTATION_NAME Email server didn't have a FQDN
score WRKSTATION_NAME 0.01

As always, this rule wouldn't score more than say 0.75 on my system. Maybe
less. I like more small rules to hit than less big ones.

Chris Santerre 
System Admin and SA Custom Rules Emporium keeper 
http://www.merchantsoverseas.com/wwwroot/gorilla/sa_rules.htm 
"A little nonsense now and then, is relished by the wisest men." - Willy
Wonka 


_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
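
An added example, not part of the original post: a quick way to check what the proposed pattern hits and misses before running it over a corpus. The sample message is constructed (documentation addresses), and applying the pattern to each unfolded Received value separately is an assumption of this sketch, not a statement of how SpamAssassin evaluates the rule.

```python
import re
from email import message_from_string

# The pattern from the rule above, on one line. re.ASCII keeps \w and \d
# to ASCII characters only.
WRKSTATION_NAME = re.compile(
    r"^from \w+ \(\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]\)", re.ASCII
)

# Constructed sample message; none of these lines come from real traffic.
SAMPLE = """\
Received: from Evan ([192.0.2.96])
\tby mx.example.org with SMTP; Mon, 1 Jan 2001 00:00:00 +0000
Received: from mail.example.com ([198.51.100.7])
\tby mx.example.org with ESMTP; Mon, 1 Jan 2001 00:00:01 +0000
Received: (from user@localhost)
\tby mx.example.org id abc123; Mon, 1 Jan 2001 00:00:02 +0000
Received: from Evan (unknown [192.0.2.96])
\tby mx.example.org with SMTP; Mon, 1 Jan 2001 00:00:03 +0000
Received: from my-pc ([192.0.2.5])
\tby mx.example.org with SMTP; Mon, 1 Jan 2001 00:00:04 +0000
Subject: constructed test

body
"""

def received_values(raw):
    """Return each Received header value, unfolded to a single line."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]

def rule_hits(raw):
    """Return the Received values the pattern matches."""
    return [v for v in received_values(raw) if WRKSTATION_NAME.search(v)]

if __name__ == "__main__":
    # Only the first header hits. The FQDN and the parenthesised local
    # form miss as intended; the variant with a token before the bracket
    # and the hyphenated dotless name miss as well.
    for value in received_values(SAMPLE):
        mark = "HIT " if WRKSTATION_NAME.search(value) else "miss"
        print(mark, value)
```

The last two sample headers are also dotless names with a bracketed IP, so a corpus run should count how often those shapes occur before the S/O ratio is trusted.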
