On the male enhancement spam that's hitting my spamtraps, I'm noticing
that nearly all the messages (presumably a single spammer) are
following a fairly regular pattern -- in particular, where either the
first or second line of text shows some sort of colloquial greeting
(e.g., "hi there" or "wazzup", or "good morning", etc.) followed by
the user portion of the target address. This is the spammer that's
doing subject lines with a single "word", made up of random alpha
characters.
Is there a way of constructing one or more SA rules that can extract the
user portion of the address, and then check the message body for a
repeat of that string (without the domain portion of the address)?
Smith
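
The check described in the post above, sketched in Python as an added example; it is not part of the original post and is not SpamAssassin rule syntax. The greeting list, the function names and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Greetings quoted in the post; a real list would be longer (assumption).
GREETINGS = ("hi there", "wazzup", "good morning")

# Constructed sample messages, not real traffic.
SAMPLE_SPAM = ("To: jsmith@example.com\nSubject: qwkzpt\n\n"
               "wazzup jsmith\nconstructed pitch line\n")
SAMPLE_HAM = ("To: jsmith@example.com\nSubject: Meeting notes\n\n"
              "Good morning team,\nnotes attached\n")

def local_parts(msg):
    """User portions (before the @) of every To/Cc address, lower-cased."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.split("@", 1)[0].lower()
            for _, addr in getaddresses(headers)
            if "@" in addr and not addr.startswith("@")}

def first_lines(msg, n=2):
    """First n non-empty lines of the first text/plain part."""
    part = next((p for p in msg.walk()
                 if p.get_content_type() == "text/plain"), None)
    if part is None:
        return []
    raw = part.get_payload(decode=True) or b""
    text = raw.decode(part.get_content_charset() or "utf-8", errors="replace")
    return [ln.strip() for ln in text.splitlines() if ln.strip()][:n]

def greets_recipient(msg):
    """True if line 1 or 2 is a greeting followed by the recipient's user part."""
    users = local_parts(msg)
    for line in first_lines(msg):
        low = line.lower()
        for greeting in GREETINGS:
            if not low.startswith(greeting):
                continue
            rest = low[len(greeting):]
            # (?!\w) stops "jsmith" from matching inside "jsmithson".
            if any(re.match(r"\W*" + re.escape(u) + r"(?!\w)", rest)
                   for u in users):
                return True
    return False

def single_alpha_word_subject(msg):
    """True for a subject that is one run of letters, e.g. 'qwkzpt'."""
    subject = (msg.get("Subject") or "").strip()
    return re.fullmatch(r"[A-Za-z]+", subject) is not None
```

The subject test alone also matches ordinary one-word subjects, so it is only useful combined with the greeting check.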