Derek Jennings [EMAIL PROTECTED] wrote:
> Most of the few spams that make it to my inbox are from
> "some_name" <my_emailaddy> [...]
I've been having pretty good luck with a meta-rule that compares addresses in "From:" with the IP address in "Received:" and tags only if they don't match up. Thus:
## Forged CAMI Header
header __CLAIMS_FROM_CAMI From =~ /[EMAIL PROTECTED]/i
header __NOT_CAMI_IP Received !~ /\[206\.252\.197\.\d+\]/
meta FORGED_CAMI_RCVD (__CLAIMS_FROM_CAMI && __NOT_CAMI_IP)
describe FORGED_CAMI_RCVD Forged CAMI Header
score FORGED_CAMI_RCVD 10.000
Note that __NOT_CAMI_IP contains a negative operator and contains a regex matching all of my "legit" IP networks (pared down here for readability).
It ain't 100% there -- for some reason I get a few false-positives when received from localhost -- but it seems to be zapping all of the impersonators.
Comments?
--
Scott Gerhardt
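The same From-versus-Received logic as a stand-alone script, added here as an illustration and not part of Scott's post or of SpamAssassin itself. It goes slightly beyond the rule above: the trusted networks are held as an ipaddress list rather than a single regex, the loopback range is treated as a legitimate hop (an assumption, to cover the localhost case mentioned in the post), and the domain is the placeholder example.com since the real address is redacted. The sample messages are constructed for the example.

```python
import email
import ipaddress
import re
from email import policy

# Hypothetical organisation domain standing in for the redacted address in the post.
CLAIMED_DOMAIN = "example.com"

# Networks from which legitimate mail for that domain originates.
# 206.252.197.0/24 is the network from the original rule; the loopback
# range is an added assumption so locally injected mail does not trip the check.
TRUSTED_NETS = [
    ipaddress.ip_network("206.252.197.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Bracketed IPv4 literal as MTAs write it into Received: headers, e.g. "[206.252.197.15]".
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def claims_from_domain(msg):
    """Counterpart of __CLAIMS_FROM_CAMI: the From: header mentions our domain."""
    return CLAIMED_DOMAIN.lower() in msg.get("From", "").lower()


def received_ips(msg):
    """Every bracketed IPv4 literal from every Received: header, in header order."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in _IP_IN_BRACKETS.finditer(hdr):
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # malformed literal such as 999.1.1.1; ignore it
    return ips


def has_trusted_hop(msg):
    """Negation of __NOT_CAMI_IP: at least one Received: hop lies inside a trusted network."""
    return any(ip in net for ip in received_ips(msg) for net in TRUSTED_NETS)


def is_forged(msg):
    """Meta rule FORGED_CAMI_RCVD: claims our domain but no hop came from our networks."""
    return claims_from_domain(msg) and not has_trusted_hop(msg)


def check_raw(raw):
    """Parse a raw RFC 5322 message and apply the meta rule to it."""
    return is_forged(email.message_from_string(raw, policy=policy.default))


# Constructed sample messages (documentation-range IPs, not real hosts).
FORGED_SAMPLE = """Received: from mail.example.net (mail.example.net [198.51.100.23])
    by mx.example.com with ESMTP id abc123
Received: from unknown [192.0.2.77] by mail.example.net with SMTP
From: "Billing" <billing@example.com>
To: user@example.com
Subject: Invoice

body
"""

LEGIT_SAMPLE = """Received: from ws.example.com (ws.example.com [206.252.197.15])
    by mx.example.com with ESMTP id def456
From: "Alice" <alice@example.com>
To: user@example.com
Subject: Hello

body
"""

LOCAL_SAMPLE = """Received: from localhost (localhost [127.0.0.1])
    by mx.example.com with ESMTP id ghi789
From: "Cron" <root@example.com>
To: user@example.com
Subject: Nightly report

body
"""

OTHER_DOMAIN_SAMPLE = """Received: from mail.example.net (mail.example.net [198.51.100.23])
    by mx.example.com with ESMTP id jkl012
From: "Bob" <bob@example.org>
To: user@example.com
Subject: Hi

body
"""

if __name__ == "__main__":
    for name, raw in [("forged", FORGED_SAMPLE), ("legit", LEGIT_SAMPLE),
                      ("local", LOCAL_SAMPLE), ("other", OTHER_DOMAIN_SAMPLE)]:
        print(f"{name:7s} forged={check_raw(raw)}")
```

Only the bracketed literal on the "from" side of each hop is examined, so the receiving MX's own name on the "by" side never satisfies the trusted check; that is what keeps the rule from matching every message the MX accepts.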