John, would you mind sandboxing a rule?

Two or more dots in the From username seem to be rather spammy (and 
we've talked about it before on the list).  Would you mind sandboxing this test 
rule to see if it would be helpful as a main rule?  I get a lot of spam locally 
that hits this...

header  AC_FROM_MANY_DOTS       From =~ /<(?:\w+\.){2,}\w+@/
describe        AC_FROM_MANY_DOTS       Two or more periods in the From username

We could, of course, increase to three or more dots... maybe the three-dot 
version would score higher on its own, but the two-dot could be better in 
combo... not sure.

Hopefully it's helpful...

Cheers.

--- Amir
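
Added example, not part of the original post: a small Python harness that runs the posted pattern and the three-or-more-dots variant mentioned above over constructed From values, to show what each one hits and misses before sandboxing. The sample addresses, the function names and the use of re.ASCII to approximate Perl's \w are assumptions.

```python
import re

# The pattern from the post, plus the three-or-more-dots variant it mentions.
# re.ASCII approximates Perl's \w on raw header bytes (assumption).
TWO_DOTS = re.compile(r"<(?:\w+\.){2,}\w+@", re.ASCII)
THREE_DOTS = re.compile(r"<(?:\w+\.){3,}\w+@", re.ASCII)

# Constructed From header values, not taken from real mail.
SAMPLES = [
    '"Deals" <buy.now.cheap.meds@example.com>',     # three dots
    '"Offer" <win.big.today@example.net>',           # two dots
    'Mary Ann Smith <mary.ann.smith@example.org>',   # two dots, plausible real name
    'Bob <bob.jones@example.org>',                   # one dot
    'a.b.c.d@example.com',                           # bare address, no angle brackets
    '<x-y.promo.list.news@example.com>',             # hyphen in the first label
]


def classify(from_value):
    """Return which variants hit a raw From header value."""
    return {
        "two_dots": bool(TWO_DOTS.search(from_value)),
        "three_dots": bool(THREE_DOTS.search(from_value)),
    }


def hit_counts(samples):
    """Return (two-dot hits, three-dot hits) over a list of From values."""
    results = [classify(s) for s in samples]
    return (
        sum(r["two_dots"] for r in results),
        sum(r["three_dots"] for r in results),
    )


if __name__ == "__main__":
    for value in SAMPLES:
        hits = classify(value)
        print(f"2+:{hits['two_dots']!s:5} 3+:{hits['three_dots']!s:5} {value}")
    print("hits (two-dot, three-dot):", hit_counts(SAMPLES))
```

The bare address and the hyphenated username are both missed because the pattern requires a literal `<` followed only by \w and dot characters, and the two-dot form also hits the first.middle.last style address, which is worth checking against ham before scoring.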
