Following up on this... I've been consistently seeing a lot of spam like this, with multi-dot usernames. Sometimes with "person.from.spam" but more often just a punctuated phrase like "some.spammy.item.sold" or whatever. Most often only two dots (three words), sometimes four or more.
Has anyone been testing this as a meta rule? Cheers. --- Amir > On Mar 6, 2018, at 9:37 AM, John Hardin <jhar...@impsec.org> wrote: > > On Mon, 5 Mar 2018, Amir Caspi wrote: > >> On Mar 5, 2018, at 11:13 PM, John Hardin <jhar...@impsec.org> wrote: >>> >>> *before* the @ sign. >>> >>> It may be perfectly valid to do that, but if it happens more often in spam >>> than in legitimate mail it is useful to us. >> >> I’m seeing a lot of spam lately with usernames like >> “bob.from.somespamcompany”. Could definitely be at least a meta rule. > > ...or potentially from:addr =~ /[^@]*\.from\.[^@]*@/ if ".from." is > literally in the username part. > > -- > John Hardin KA7OHZ http://www.impsec.org/~jhardin/ > jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org > key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 > ----------------------------------------------------------------------- > Failure to plan ahead on someone else's part does not constitute > an emergency on my part. -- David W. Barts in a.s.r > ----------------------------------------------------------------------- > 5 days until Daylight Saving Time begins in U.S. - Spring Forward
