Hrmm something is wrong here, I updated this file on 10/14/2005 the very
first day I seen this sign. What date are you showing on your copy of the
random file?
I also updated this file this morning to increase the score for this rule
but I forgot to change the last modified date and also forgot to do the
version #.. I just resent the file with updated version numbers 10 minutes
ago, the rule has been here for 10 days, it's called:
header SARE_RAND_NAME1 ALL =~ /%(?:NAME|MAIL)_(?:FROM|TO)/
score SARE_RAND_NAME1 3.455
Matt Kettler wrote:
> Currently 70_sare_random.cf is rather old and doesn't contain any
> rules for
> these variants.
>
> It's got %FROM_NAME, but not %NAME_FROM. It doesn't have anything
> close to %NAME_TO.
>
> Perhaps Fred Tarasevicius needs to make an update.
>
> Adding NAME_FROM is easy:
> header __RANDH_7B ALL =~ /%FROM_NAME/
> rawbody __RANDR_7B /%FROM_NAME/
>
> Would be replaced by:
> header __RANDH_7B ALL =~ /%(?:FROM_NAME|NAME_FROM)/
> rawbody __RANDR_7B /%(?:FROM_NAME|NAME_FROM)/
>
>
> M.Lewis wrote:
>> Are you using 70_sare_random.cf ?
>>
>> 70_sare_random.cf
>> Description: 70_sare_random.cf tries to detect common mis-fires
>> on bulk mail software. Many signs are found like: %RND_NUMBER, etc
>>
>> Mike
>>
>> Kenneth Porter wrote:
>>
>>> Been getting a few of these:
>>>
>>> From: "{%NAME_FROM}" <[EMAIL PROTECTED]>
>>> To: "{%NAME_TO}" <[EMAIL PROTECTED]>
>>>
>>> Anyone have a rule to nuke them?
