John Hardin wrote:
On Sun, 2008-08-31 at 14:33 -0400, Skip wrote:

  
describe TO_HARVESTED To: obviously harvested
header   TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/
        
Can you tell me how this rule works?  Or give a more realistic example 
(in my case I would use pelorus.org, so feel free to demonstrate with that)
    

It checks for any of the following domains in the To: list of addresses:

@example.domain
@your.domain
@some.domain
@example.com
@your.domain.com
@your.favorite.machine

It's essentially a set of nested OR'd substring comparisons. An
equivalent RE would be:

/@(?:example\.domain|your\.domain|some\.domain|example\.com|your\.domain\.com|your\.favorite\.machine)\b/i

That rule is the actual rule you'd use. You wouldn't need to change it
based on your own domain, as all of those domains are bogus. They either
refer to nonexistent domains commonly used in examples, or real domains
(e.g. example.com) explicitly registered only for use in examples. If
you see one of those domains in a recipient list, it's a pretty clear
indication of automatic address harvesting and sloppy list cleaning.
That's the spam sign this rule is checking for.


  
Oh, I get it--I thought I was supposed to replace "your.domain" with my email domain or something like that.  How clever.  Yeah, those would be obviously harvested, that's for sure.  Good rule.
-- 
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
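
Added example, not part of the original thread: the rule's pattern run over a constructed To: header to show which addresses trip it and where the trailing \b and the leading @ limit the match. It uses Python's re module as a stand-in for SpamAssassin's Perl regex engine and checks one address at a time (both assumptions; SpamAssassin matches the whole header value), and it runs the flattened pattern from the reply beside the posted rule to show where the two differ (the optional "u" and the /i flag).

```python
import re
from email.utils import getaddresses

# Pattern from the TO_HARVESTED rule as posted (case-sensitive, no /i).
RULE = re.compile(
    r"\@(?:(?:(?:example|your|some)\.domain)"
    r"|(?:(?:example|your\.domain)\.com)"
    r"|your\.favou?rite\.machine)\b"
)
# Flattened form from the reply (carries /i, spells only "favorite").
FLAT = re.compile(
    r"@(?:example\.domain|your\.domain|some\.domain|example\.com"
    r"|your\.domain\.com|your\.favorite\.machine)\b",
    re.IGNORECASE,
)


def hits(pattern, to_header):
    """Return the addresses in a To: header value that the pattern matches."""
    addrs = [addr for _name, addr in getaddresses([to_header])]
    return [a for a in addrs if pattern.search(a)]


# Constructed To: header value, not taken from real mail.
SAMPLE_TO = (
    '"Skip" <skip@pelorus.org>, info@example.com, bob@your.domain, '
    "a@mail.example.com, b@example.community, c@example.com.au, "
    "d@your.favourite.machine, E@EXAMPLE.COM"
)

if __name__ == "__main__":
    # The @ anchors the match to the start of the domain, so a subdomain
    # (mail.example.com) is not hit; \b stops example.community but still
    # allows example.com.au, because "." is a word boundary after "m".
    for label, pat in (("rule as posted", RULE), ("flattened form", FLAT)):
        print(label, "->", hits(pat, SAMPLE_TO))
```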
