> On Sun, Apr 29, 2007 at 09:52:39PM -0700, Marc Perkel wrote:
> > OK - I did this with Exim rules but the same trick could be used in SA.
> >
> > I figured out a trick that catches 419 spam with amazing accuracy.
> >
> > ...
> >
> > So - who uses one freemail address with a reply-to of another? 419
> > spammers. So if you make a list of domains that are popular freemail
> > vendors used by spammers and if both the from and reply-to addresses are
> > in this list and they are different, it's a 419 spammer.
> >
> > ...
> >
> > Anyhow - I figure this trick would be easy to code up for SA and someone
> > should try it.
>
> Good idea. I made a simple plugin for testing..
>
> http://sa.hege.li/FreeMail.pm

So far, it's only hitting on some "better deal" insurance messages that use tripod-mail.com. To me, it looks like Tripod uses different from and reply-to addresses with the reply-to being a sequential number, perhaps for threading the messages. Both the reply-to and from addresses are tripod-mail.com. The reply-to and return-path addresses are different, but use the same sequential number in them, and the errors-to and from are different and do not use the number. That is, 4 from/reply addresses on each message. Of course, it's spam anyway, but not really the type we're trying to catch with this technique.

Bret
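
The From/Reply-To freemail check discussed in this thread, written out as an added example; it is not code from the thread or from FreeMail.pm. The domain list and sample messages are constructed, and reporting same-domain hits separately from cross-domain hits is an assumption added here so that hits like the tripod-mail.com ones are visible when testing.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample list (assumption); a real deployment maintains its own.
FREEMAIL_DOMAINS = {"yahoo.com", "hotmail.com", "tripod-mail.com"}

def _addr(msg, header):
    """Lower-cased bare address from a header, or '' if absent or unparseable."""
    _, addr = parseaddr(str(msg.get(header, "")))
    return addr.strip().lower()

def freemail_replyto_check(raw_message):
    """Classify a message by the rule: From and Reply-To differ and both
    domains are on the freemail list.

    Returns 'no_match', 'match_cross_domain' (two different freemail
    domains) or 'match_same_domain' (same freemail domain, different
    mailbox, as seen with the tripod-mail.com messages).
    """
    msg = message_from_string(raw_message)
    from_addr = _addr(msg, "From")
    reply_addr = _addr(msg, "Reply-To")
    # Both headers must carry a usable address, and they must differ.
    if "@" not in from_addr or "@" not in reply_addr or from_addr == reply_addr:
        return "no_match"
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2]
    if from_dom not in FREEMAIL_DOMAINS or reply_dom not in FREEMAIL_DOMAINS:
        return "no_match"
    return "match_same_domain" if from_dom == reply_dom else "match_cross_domain"

# Constructed sample messages (headers only matter for this check).
SAMPLE_CROSS = ("From: Barrister X <Barr.X@yahoo.com>\n"
                "Reply-To: claims.desk@hotmail.com\nSubject: test\n\nbody\n")
SAMPLE_TRIPOD = ("From: deals@tripod-mail.com\n"
                 "Reply-To: reply-104233@tripod-mail.com\nSubject: test\n\nbody\n")
SAMPLE_SAME_ADDR = ("From: Alice <alice@yahoo.com>\n"
                    "Reply-To: ALICE@yahoo.com\nSubject: test\n\nbody\n")
SAMPLE_NON_FREEMAIL = ("From: bob@example.org\n"
                       "Reply-To: bob@hotmail.com\nSubject: test\n\nbody\n")
SAMPLE_NO_REPLYTO = "From: carol@hotmail.com\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for name in ("SAMPLE_CROSS", "SAMPLE_TRIPOD", "SAMPLE_SAME_ADDR",
                 "SAMPLE_NON_FREEMAIL", "SAMPLE_NO_REPLYTO"):
        print(name, "->", freemail_replyto_check(globals()[name]))
```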