Hi,
Loren answered that a month ago. Is in the archives. You may use:
header RULE_NAME ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw:
.{0,30}\s*\1\b/i
That covers "Fw: userid" and "Fw: (some word[s]) userid".
Ruben.
> -----Mensaje original-----
> De: Matt Kettler [mailto:[EMAIL PROTECTED]
> Enviado el: viernes, 10 de marzo de 2006 21:17
> Para: Jonathan Engbrecht
> CC: users@spamassassin.apache.org
> Asunto: Re: SA rule for userid in subject?
>
> Jonathan Engbrecht wrote:
> > hello assassin-types,
> >
> > I'm seeing a lot of image-only spam of the following form:
> >
> > rcpt to: <userid>@domain.com
> > Subject: Fw: <userid>
> >
> > Is there a way to create a simple spamassassin rule that will hit on
> > this? I could use () and \1 in regular expressions and a giant,
> > multi-line matching RE (probably), but I'm worried about processing time
> > - two regular expressions would probably be better.
> >
> > thoughts?
> >
>
> You'd need to write a plugin to do this efficiently.
>
> That said, I get a lot of them too, with drug-spam ads in them. My most
> recent
> one racked up a hell of a score without any extra help on my part.
>
> X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=37.608, required 5,
> autolearn=spam, BAYES_50 0.00, DATE_IN_PAST_06_12 0.83,
> DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, EXTRA_MPART_TYPE 1.09,
> HELO_DYNAMIC_ADELPHIA 1.79, HTML_IMAGE_ONLY_12 1.87,
> HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_2 1.58,
> INFO_GREYLIST_NOTDELAYED -0.00, INFO_TLD 0.50,
> RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
> RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56,
> RCVD_IN_NJABL_DUL 1.95, URIBL_AB_SURBL 3.81, URIBL_BLACK 2.50,
> URIBL_JP_SURBL 4.09, URIBL_OB_SURBL 3.01, URIBL_SBL 1.64,
> URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14)
>
> Admittedly most of that score comes from the image being wrapped as a HTML
> link
> to the drug-spammer's website, which racked up all the URIBLS and Razor's
> e8...
