On Fri, Mar 10, 2006 at 02:59:09PM -0500, Jonathan Engbrecht wrote: > I'm seeing a lot of image-only spam of the following form: > > rcpt to: <userid>@domain.com > Subject: Fw: <userid>
Yeah, there's a lot of that.
> Is there a way to create a simple spamassassin rule that will hit on
> this? I could use () and \1 in regular expressions and a giant,
> multi-line matching RE (probably), but I'm worried about processing time
> - two regular expressions would probably be better.
There's already a rule that looks for this type of thing
(LOCALPART_IN_SUBJECT), but it doesn't look for the "Fw:" pattern.
However, there are other rules which catch these mails more efficiently
than looking for the username. Two rules you can use for now (these
and others will likely be published via sa-update after the upcoming
3.1.1 release):
body TVD_FW_MESG1 /^-+ Original Message -+ From: (?:\w+ )+To: \S+
(?:Sent|Date):.{1,60}Subject: \w+\s*$/
body TVD_FW_MESG2 /^-- Best Regards, \w+ \w+\s+mailto:/
--
Randomly Generated Tagline:
I used up all my sick days, so I'm calling in dead.
pgpctZEGDlNF2.pgp
Description: PGP signature
