On Apr 1, 2018, at 11:33 PM, Rich Wales <ri...@richw.org> wrote:
>
> I do realize some perfectly legitimate "From:" lines conform to this same
> pattern, and the only way to really tell the difference may be via AI or a
> real human brain.
Not just "some" legitimate mail... a LOT of legitimate mail, basically anything that conforms to "FirstName LastName" <firstname.lastn...@domain.com>. One might think checking for multiple dots would help (as I suggested last week), but many organizations -- especially government or other large orgs -- also use firstname.middleinitial.lastname as their user part.

A meta rule using multi-dots could work, by either looking for specific keywords or matching with other spammy indicators... but by itself there's no real way to distinguish these AFAICT.

I think a meta rule is the only safe way to go, but personally I would _NOT_ use a rule like the one suggested where the quoted part equals the user part, since every firstname.lastname address will get caught that way.

Cheers.

---
Amir
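The following script is an added illustration of the discussion above; it is not code from the thread or from any SpamAssassin rule set. It implements the display-name-equals-user-part check as a plain function, counts dots in the local part, and combines them into a toy meta rule that only fires alongside another indicator. The rule names, the keyword list and the three sample From:/Subject pairs are all constructed for the example; run it over the samples and the standalone rule flags both legitimate senders while the meta rule flags only the suspicious one.

```python
"""Toy SpamAssassin-style checks for the "FirstName LastName"
<firstname.lastname@domain> pattern. Rule names, keywords and sample
headers are constructed for illustration, not taken from a real rule set."""
import re
from email.utils import parseaddr

# Constructed stand-in for "other spammy indicators" in the thread.
SUSPICIOUS_SUBJECT_WORDS = ("urgent", "wire transfer", "verify your account")


def normalise_display_name(name):
    """Lowercase the display name and join its words with dots, dropping the
    period after an initial, so "John Q. Public" -> "john.q.public"."""
    tokens = [t.strip(".") for t in name.lower().split()]
    return ".".join(t for t in tokens if t)


def split_from(from_header):
    """Return (display_name, local_part) for a From: header value."""
    name, addr = parseaddr(from_header)
    local = addr.split("@", 1)[0].lower() if "@" in addr else ""
    return name, local


def name_matches_local_part(from_header):
    """The rule argued against on its own: the quoted display name, once
    normalised, is identical to the user part of the address."""
    name, local = split_from(from_header)
    return bool(name) and normalise_display_name(name) == local


def local_part_dot_count(from_header):
    """Dots in the user part; firstname.middleinitial.lastname gives 2."""
    _, local = split_from(from_header)
    return local.count(".")


def score_message(from_header, subject):
    """Evaluate each indicator plus a meta rule that fires only when the
    From: pattern coincides with a suspicious subject."""
    subject_lc = subject.lower()
    rules = {
        "NAME_EQ_LOCAL": name_matches_local_part(from_header),
        "MULTI_DOT_LOCAL": local_part_dot_count(from_header) >= 2,
        "SUSPICIOUS_SUBJECT": any(w in subject_lc for w in SUSPICIOUS_SUBJECT_WORDS),
    }
    rules["META_FROM_PATTERN"] = rules["NAME_EQ_LOCAL"] and rules["SUSPICIOUS_SUBJECT"]
    return rules


# Constructed samples: two legitimate senders, then one suspicious message.
SAMPLES = [
    ('"Jane Doe" <jane.doe@example.com>', "Meeting notes for Tuesday"),
    ('"John Q. Public" <john.q.public@agency.example>', "Quarterly report attached"),
    ('"Jane Doe" <jane.doe@example.com>', "URGENT: wire transfer needed today"),
]


def false_positive_count(rule):
    """How many of the two legitimate samples a given rule would flag."""
    return sum(score_message(f, s)[rule] for f, s in SAMPLES[:2])


if __name__ == "__main__":
    for from_header, subject in SAMPLES:
        print(from_header, "|", subject)
        for rule, hit in score_message(from_header, subject).items():
            print(f"  {rule:<20} {'hit' if hit else '-'}")
```

The point the output makes is the one in the reply: NAME_EQ_LOCAL hits every firstname.lastname sender, MULTI_DOT_LOCAL still hits the firstname.middleinitial.lastname one, and only the combination with a second indicator leaves the legitimate mail alone.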