Title: FROM_AND_TO_SAME Rule does not seem to work

Derek Jennings [EMAIL PROTECTED] wrote:

> Most of the few spams that make it to my inbox are from
> "some_name" <my_emailaddy> [...]

I've been having pretty good luck with a meta-rule that compares addresses in "From:" with the IP address in "Received:" and tags only if they don't match up.  Thus:

  ## Forged CAMI Header
  header   __CLAIMS_FROM_CAMI    From      =~   /[EMAIL PROTECTED]/i
  header   __NOT_CAMI_IP         Received  !~   /\[206\.252\.197\.\d+\]/
  meta     FORGED_CAMI_RCVD      (__CLAIMS_FROM_CAMI && __NOT_CAMI_IP)
  describe FORGED_CAMI_RCVD      Forged CAMI Header
  score    FORGED_CAMI_RCVD      10.000

Note that __NOT_CAMI_IP contains a negative operator and contains a regex matching all of my "legit" IP networks (pared down here for readability).

It ain't 100% there -- for some reason I get a few false-positives when received from localhost -- but it seems to be zapping all of the impersonators.

Comments?

--
Scott Gerhardt
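
The meta-rule from the message above, emulated over constructed headers to show why mail submitted from localhost trips it. This is an added example, not code from the original post. It assumes `@example.com` as a placeholder for the redacted From pattern, that all "Received:" lines are tested together as one string, and a hypothetical variant pattern that also accepts 127.0.0.1.

```python
import re
from email import message_from_string

# Placeholder for the address the post redacts as [EMAIL PROTECTED].
CLAIMS_FROM = re.compile(r"@example\.com", re.I)
# Legitimate network, as given in the post.
LEGIT_IP = re.compile(r"\[206\.252\.197\.\d+\]")
# Hypothetical variant: also treat a loopback hop as legitimate.
LEGIT_OR_LOCAL = re.compile(r"\[(?:206\.252\.197\.\d+|127\.0\.0\.1)\]")


def forged_rcvd(raw, legit=LEGIT_IP):
    """Emulate: meta FORGED_CAMI_RCVD (__CLAIMS_FROM_CAMI && __NOT_CAMI_IP)."""
    msg = message_from_string(raw)
    claims = bool(CLAIMS_FROM.search(msg.get("From", "")))
    # Assumption: every Received header is joined into one string, so the
    # negated test is true only when no hop at all shows a legitimate IP.
    received = "\n".join(msg.get_all("Received", []))
    not_legit_ip = legit.search(received) is None
    return claims and not_legit_ip


# Constructed sample messages (documentation addresses, not real traffic).
SAMPLES = {
    "internal": "Received: from ws1 (ws1.example.com [206.252.197.14])"
                " by mx.example.com\nFrom: staff@example.com\n\nhi\n",
    "forged": "Received: from unknown (host.example.net [192.0.2.77])"
              " by mx.example.com\n"
              'From: "some_name" <staff@example.com>\n\nbuy\n',
    "local": "Received: from localhost (localhost [127.0.0.1])"
             " by mx.example.com\nFrom: cron@example.com\n\nreport\n",
    "outsider": "Received: from unknown (host.example.net [192.0.2.77])"
                " by mx.example.com\nFrom: someone@example.net\n\nhello\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9} original={forged_rcvd(raw)!s:5} "
              f"with-loopback={forged_rcvd(raw, LEGIT_OR_LOCAL)}")
```

Only the "Received:" line written by your own MTA is trustworthy; lines below it are supplied by the sender.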
