On Thu, Oct 05, 2023 at 03:15:31PM -0400, Bill Cole wrote:
> On 2023-10-05 at 03:41:59 UTC-0400 (Thu, 05 Oct 2023 14:41:59 +0700)
> Olivier <olivier.nic...@cs.ait.ac.th>
> is rumored to have said:
>
> > Recently I have received a wave of mails in the form
> > From: word-olivier@somewhere.random
> > To: oliv...@mydomain.com
> >
> > Where the "olivier" part is a valid username on my domain.
> >
> > Is there a rule to catch these with SA?
>
> SA does not have any way to know what the valid usernames in any domain are.

That is of course correct, but I did not read that mail as requesting
user auto-detection, just plain matching for their user? E.g. something like:

    header __from_olivier  From =~ /.*-olivier\@/
    header __to_olivier    To =~ /olivier\@mydomain\.com/
    meta   fake_oliviers   __from_olivier && __to_olivier
    score  fake_oliviers   7.0

> Special rules for high-spam individuals can also help by acting as "canary"
> rules, if you use the 'autolearn_force' rule tflag. This way, when a spammer
> using the specific pattern starts a run, you will catch one match, autolearn
> it as spam, and (hopefully) recognize its sibling messages as such.

+1 for that.

-- 
Opinions above are GNU-copylefted.
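
The two suggestions in this thread combined into one local.cf fragment, as an added example that is not from either poster: the per-user match plus the 'autolearn_force' tflag. The rule names, the description text and mydomain.com are placeholders.

```conf
# local.cf fragment: constructed example, names and domain are placeholders.

# From:addr and To:addr test only the first address in the header,
# not the display name, so a display name that merely contains
# "-olivier@" does not fire the rule.
header   __FROM_DASH_OLIVIER  From:addr =~ /-olivier\@/i

# Anchored so that e.g. "notolivier@mydomain.com.example" does not match.
header   __TO_OLIVIER         To:addr   =~ /^olivier\@mydomain\.com$/i

# Both sub-rules (the __ prefix keeps them unscored) must hit.
meta     FAKE_OLIVIERS        __FROM_DASH_OLIVIER && __TO_OLIVIER
describe FAKE_OLIVIERS        From localpart ends in -olivier, To is olivier
score    FAKE_OLIVIERS        7.0

# Canary behaviour: autolearn_force drops the usual requirement of
# 3 points from header rules and 3 points from body rules, so a hit
# on this header-only rule can qualify the message for autolearning.
tflags   FAKE_OLIVIERS        autolearn_force

# The message total must still reach the spam autolearn threshold
# (default 12.0). At 7.0 this rule alone is not enough, so other
# rules have to contribute, or the threshold has to be lowered
# deliberately:
# bayes_auto_learn_threshold_spam 12.0
```

Check the fragment with `spamassassin --lint` before reloading, and keep the pattern specific to one high-spam recipient so a legitimate sender with a hyphenated address is not autolearned as spam.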