Can you be more explicit? You got FPs with how many ','? Did you have an FP with 100?

Sure. When I ran it against my inbox, with 4587 "good" emails, I had 130 hits on MATCH20 and 2 hits on MATCH50, or 2.877% (0 with MATCH100). The interesting thing is, if you think about it, people who routinely send emails to lots of people (jokes, family updates, whatever--you know who I mean), well, I think they will be on most people's whitelists in the first place. A complete stranger, or even someone who you do know, probably isn't going to send you an email along with 49 of his/her closest friends as his first email to you. Although, it is not beyond the realm of possibility. For instance, I am starting a new job tomorrow (true--I just retired from the military after 20 years of service). Let's say there's a person who sends out a certain report and it goes to 100+ people. Normally, I will get this at my work address. Now, a few weeks from now, I need him to send it to my home address, just that once. Now, he has never sent me anything and this comes in. Bang. So there is definitely risk. I would assign it a relatively low score, probably no more than 1/3 of your spam threshold. Funny thing is, when I ran the script against my spam folder, it had exactly ONE hit--just this email in question. I have never seen a spam like that before.

Just thinking aloud here: wouldn't it be a good idea to also check the CC headers for the same conditions?

When I asked this question, my intention was to stimulate discussion as to the worth of adding rules to my SA setup to also check the CC header. This thread has been focused on the To: header, but I think I will also include the CC rules. Thanks for the updated code though.



describe TO_HARVESTED To: obviously harvested
header   TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/

The more I think about it, the "HARVESTED" rule really seems quite safe, and I think it could be made more robust. Anyone sending mail to you along with obvious made up email addresses like that is certainly up to no good.

--
Get my PGP Public key here:
http://pelorus.org/[EMAIL PROTECTED]
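
An added example, not code from this thread or from SpamAssassin: a Python script for measuring, on your own corpus, how the MATCH20/MATCH50/MATCH100 levels and the TO_HARVESTED pattern would fire on both To and Cc before you assign scores. It counts parsed addresses rather than commas (an assumption, since the thread's MATCH rules are not shown), and `check_message`, `_recipients` and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# TO_HARVESTED pattern from the thread, rewritten for Python's re module.
HARVESTED = re.compile(
    r"@(?:(?:(?:example|your|some)\.domain)"
    r"|(?:(?:example|your\.domain)\.com)"
    r"|your\.favou?rite\.machine)\b"
)

# Recipient-count levels named in the thread (MATCH20 / MATCH50 / MATCH100).
THRESHOLDS = (20, 50, 100)


def check_message(raw):
    """Evaluate To and Cc separately.

    Returns {header: {"count": n, "match": highest level reached or 0,
                      "harvested": bool}}.
    """
    msg = message_from_string(raw)
    result = {}
    for header in ("To", "Cc"):
        values = msg.get_all(header, [])
        # Parsing addresses avoids miscounting display names that contain
        # commas, e.g. "Doe, John" <jd@corp.test>.
        addrs = [addr for _, addr in getaddresses(values) if addr]
        level = max((t for t in THRESHOLDS if len(addrs) >= t), default=0)
        result[header] = {
            "count": len(addrs),
            "match": level,
            "harvested": any(HARVESTED.search(v) for v in values),
        }
    return result


def _recipients(n, domain="corp.test"):
    """Build a constructed recipient list of n addresses."""
    return ", ".join(f"user{i}@{domain}" for i in range(n))


# Constructed sample: a legitimate report with a short To and a 55-address Cc.
SAMPLE_REPORT = (f"From: boss@corp.test\nTo: {_recipients(3)}\n"
                 f"Cc: {_recipients(55)}\nSubject: weekly report\n\nbody\n")
# Constructed sample: a To header containing placeholder-style addresses.
SAMPLE_HARVESTED = ("From: x@bulk.test\n"
                    "To: me@home.test, you@example.com, bob@your.favorite.machine\n"
                    "Subject: hi\n\nbody\n")
```

Running `check_message` over a ham folder and a spam folder and tallying the `match` and `harvested` fields per header gives the same kind of false-positive figures quoted earlier in the thread, now split by To and Cc.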
