On 2023-10-05 at 03:41:59 UTC-0400 (Thu, 05 Oct 2023 14:41:59 +0700) Olivier <olivier.nic...@cs.ait.ac.th> is rumored to have said:
Hi,
Recently I have received a wave of mails in the form
From: word-olivier@somewhere.random
To: oliv...@mydomain.com
Where the "olivier" part is a valid username on my domain. Is there a rule to catch these with SA?
SA does not have any way to know what the valid usernames in any domain are. Without custom local rules, it doesn't even know what domains might be valid for your mail system. You can, of course, create local rules for specific users who get heavily targeted by this tactic. That does not scale, but it can be useful.
Special rules for high-spam individuals can also help by acting as "canary" rules, if you use the 'autolearn_force' rule tflag. This way, when a spammer using the specific pattern starts a run, you will catch one match, autolearn it as spam, and (hopefully) recognize its sibling messages as such.
-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
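A sketch of the per-user "canary" rule described in the reply above, added here as an example and not taken from the thread. The rule names, the score and the recipient domain example.com are assumptions; the username "olivier", the word-olivier@ sender shape and the autolearn_force tflag come from the messages.

```conf
# local.cf (added example; rule names, score and example.com are assumptions)

# Sender local part ends in "-olivier", e.g. word-olivier@somewhere.random
header   __LOCAL_FROM_DASH_OLIVIER  From:addr =~ /^[^\@\s]+-olivier\@/i

# Message is addressed to the targeted mailbox (constructed address)
header   __LOCAL_RCPT_OLIVIER       ToCc =~ /(?<![\w.+-])olivier\@example\.com\b/i

# Canary: both conditions must hold on the same message
meta     LOCAL_CANARY_OLIVIER       (__LOCAL_FROM_DASH_OLIVIER && __LOCAL_RCPT_OLIVIER)
describe LOCAL_CANARY_OLIVIER       From local part is <word>-<targeted username>
score    LOCAL_CANARY_OLIVIER       3.0

# autolearn_force relaxes the usual requirement that autolearn points come
# from both header and body rules; the message must still reach
# bayes_auto_learn_threshold_spam before Bayes learns it as spam.
tflags   LOCAL_CANARY_OLIVIER       autolearn_force
```

Run `spamassassin --lint` after adding the rules to confirm they parse before reloading the daemon.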