On Sun, 2008-08-31 at 14:33 -0400, Skip wrote:
> >> describe TO_HARVESTED To: obviously harvested
> >> header TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/
>
> Can you tell me how this rule works? Or give a more realistic example
> (in my case I would use pelorus.org, so feel free to demonstrate with that)

It checks for any of the following domains in the To: list of addresses:

  @example.domain
  @your.domain
  @some.domain
  @example.com
  @your.domain.com
  @your.favorite.machine

It's essentially a set of nested OR'd substring comparisons. An equivalent RE would be:

  /@(?:example\.domain|your\.domain|some\.domain|example\.com|your\.domain\.com|your\.favorite\.machine)\b/i

That rule is the actual rule you'd use. You wouldn't need to change it based on your own domain, as all of those domains are bogus. They either refer to nonexistent domains commonly used in examples, or real domains (e.g. example.com) explicitly registered only for use in examples.

If you see one of those domains in a recipient list, it's a pretty clear indication of automatic address harvesting and sloppy list cleaning. That's the spam sign this rule is checking for.

--
 John Hardin KA7OHZ http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Obama is a three-year senator without a single important legislative
 achievement to his name, a former Illinois state senator who voted
 "present" nearly 130 times. As president of the Harvard Law Review,
 as law professor and as legislator, has he ever produced a single
 notable piece of scholarship? Written a single memorable article?
 His most memorable work is a biography of his favorite subject:
 himself. -- Charles Krauthammer
-----------------------------------------------------------------------
 65 days until the Presidential Election
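
Added example, not part of the original message: a Python check that runs the rule as posted and the flattened pattern from the reply over constructed To: values, showing what the leading @ and trailing \b anchors exclude and the two inputs on which the patterns disagree. It uses Python's re module in place of SpamAssassin's Perl regex engine (the syntax used here behaves the same in both); the sample addresses and function names are assumptions made for the example.

```python
import re

# Rule as posted in the quoted message (case-sensitive, matches favo(u)rite).
NESTED = re.compile(
    r"\@(?:(?:(?:example|your|some)\.domain)"
    r"|(?:(?:example|your\.domain)\.com)"
    r"|your\.favou?rite\.machine)\b"
)
# Flattened pattern from the reply; the trailing /i becomes re.IGNORECASE.
FLAT = re.compile(
    r"@(?:example\.domain|your\.domain|some\.domain|example\.com"
    r"|your\.domain\.com|your\.favorite\.machine)\b",
    re.IGNORECASE,
)

# Constructed To: header values, not taken from real mail.
SAMPLES = [
    "skip@pelorus.org",                    # real recipient only: no hit
    "skip@pelorus.org, user@example.com",  # harvested placeholder in the list
    "joe@your.domain.com",
    "joe@some.domain",
    "joe@example.community",               # \b stops a match inside a longer label
    "joe@mail.example.com",                # @ must sit directly before the domain
    "joe@example.com.au",                  # '.' after 'com' is a word boundary
    "root@your.favourite.machine",         # only the posted rule allows the 'u'
    "JOE@EXAMPLE.COM",                     # only the /i pattern ignores case
]

def classify(to_header):
    """Return (posted_rule_hit, flat_pattern_hit) for one To: value."""
    return (bool(NESTED.search(to_header)), bool(FLAT.search(to_header)))

def disagreements(samples):
    """To: values on which the two patterns give different answers."""
    return [s for s in samples if classify(s)[0] != classify(s)[1]]

if __name__ == "__main__":
    for s in SAMPLES:
        nested_hit, flat_hit = classify(s)
        print(f"{s:40} posted={nested_hit!s:5} flat={flat_hit}")
    print("patterns disagree on:", disagreements(SAMPLES))
```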