On Mon, 2 Apr 2018, Amir Caspi wrote:
> many organizations -- especially government or other
> large orgs -- also use firstname.middleinitial.lastname as their user
> part.
So require a minimum length for the middle part:
header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+) <\1.\2.\3/
> A meta rule using multi-dots could work, by either looking for specific
> keywords or matching with other spammy indicators... but by itself
> there's no real way to distinguish these AFAICT. I think a meta rule is
> the only safe way to go, but personally I would _NOT_ use a rule like
> the one suggested where the quoted part equals the user part, since
> every firstname.lastname address will get caught that way.
Your comment is valid, but the suggested rule requires three parts, so
won't hit on firstname.lastname-style mailbox naming.
However, since it's looking for periods, it won't hit the dash- and
underscore-delimited versions.
Perhaps:
header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+)\s+<\1[-._]\2[-._]\3\@/
And maybe a little more flexible to hit the *last three* parts of a 4+
part address:
header THREE_WORD_MONTY From =~ /(\w+) (\w{2,}) (\w+)\s+<[^@]*\1[-._]\2[-._]\3\@/
Potentially lots of backtracking there, though. Fortunately the string is
not apt to be very long.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
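
The two refined rules from the message above, run against constructed From values, as an added example that is not part of the original post. It uses Python's re module in place of SpamAssassin's Perl regexes (the constructs used here behave the same in both); the sample headers and the names RULES, SAMPLES, hits and report are made up for illustration.

```python
import re

# The two refined rule bodies from the message, as Python patterns.
# re.ASCII keeps \w to [A-Za-z0-9_]; no IGNORECASE, since the rules carry no /i.
RULES = {
    "delimited": re.compile(
        r"(\w+) (\w{2,}) (\w+)\s+<\1[-._]\2[-._]\3\@", re.ASCII),
    "last_three": re.compile(
        r"(\w+) (\w{2,}) (\w+)\s+<[^@]*\1[-._]\2[-._]\3\@", re.ASCII),
}

# Constructed From header values (not taken from real mail).
SAMPLES = {
    "dots": "Garden Hose Deals <Garden.Hose.Deals@example.com>",
    "underscores": "Garden Hose Deals <Garden_Hose_Deals@example.com>",
    "mixed_delims": "Garden Hose Deals <Garden-Hose.Deals@example.com>",
    "four_part": "Garden Hose Deals <New.Garden.Hose.Deals@example.com>",
    "middle_initial": "Jane Q Public <Jane.Q.Public@example.org>",
    "two_part": "Jane Public <Jane.Public@example.org>",
    # Backreferences are case-sensitive without /i, so this one is missed.
    "case_differs": "Jane Quinn Public <jane.quinn.public@example.org>",
    # [^@]* can stop mid-token, so \1 may match the tail of a longer word.
    "substring": "Ann Lee Roy <JoAnn.Lee.Roy@example.org>",
}


def hits(from_value):
    """Return the sorted names of the rules that match one From value."""
    return sorted(name for name, rx in RULES.items() if rx.search(from_value))


def report():
    """Map each sample label to the rules that hit it."""
    return {label: hits(value) for label, value in SAMPLES.items()}


if __name__ == "__main__":
    for label, matched in report().items():
        print(f"{label:15} {matched}")
```
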