Skip wrote:
can you be more explicit. you got FPs with how many ','? did you have
an FP with 100?
[snip] ... Funny thing
is, when I ran the script against my spam folder, it had exactly ONE
hit--just this email in question. I have never seen a spam like that
before.
I only saw very few. which is why I believe the rule isn't a good spam
detector. it detects "bad practices" (using an addr book list instead of
a "real" mailing list).
Just thinking aloud here: wouldn't it be a good idea to also check the
CC headers for the same conditions?
When I asked this question, my intention was to stimulate discussion as
to the worth of adding rules to my SA setup to also check the CC
header. This thread has been focused on the To: header, but I think I
will also include the CC rules. Thanks for the updated code though.
yes, in general, you check both. do that by using ToCc instead of To (in
SA rules I mean).
describe TO_HARVESTED To: obviously harvested
header TO_HARVESTED To =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/
which becomes:
describe TO_HARVESTED To or Cc: obviously harvested
header TO_HARVESTED ToCc =~ /\@(?:(?:(?:example|your|some)\.domain)|(?:(?:example|your\.domain)\.com)|your\.favou?rite\.machine)\b/
The more I think about it, the "HARVESTED" rule really seems quite safe,
and I think it could be made more robust. Anyone sending mail to you
along with obvious made up email addresses like that is certainly up to
no good.
I don't think it will catch a lot of spam. so it's not worth the pain IMHO.
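
The following is an added example, not part of the thread or of SpamAssassin: it runs the TO_HARVESTED pattern quoted above over constructed messages to show what switching from To to ToCc changes, and counts recipients as a rough stand-in for the comma check discussed earlier. The function names and sample messages are made up for illustration, and joining the To and Cc values only approximates what SpamAssassin's ToCc selector matches against.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Pattern copied from the TO_HARVESTED rule in the thread; this expression
# means the same thing in Perl and in Python's re module.
HARVESTED = re.compile(
    r"\@(?:(?:(?:example|your|some)\.domain)"
    r"|(?:(?:example|your\.domain)\.com)"
    r"|your\.favou?rite\.machine)\b"
)

def header_values(msg, names):
    """Collect every value of the named headers (a header may repeat)."""
    values = []
    for name in names:
        values.extend(msg.get_all(name, []))
    return values

def evaluate(raw):
    """Report whether the To-only and the ToCc variants of the rule would hit."""
    msg = message_from_string(raw)
    to_vals = header_values(msg, ["To"])
    tocc_vals = header_values(msg, ["To", "Cc"])  # assumption: approximates ToCc
    return {
        "to_rule": bool(HARVESTED.search("\n".join(to_vals))),
        "tocc_rule": bool(HARVESTED.search("\n".join(tocc_vals))),
        "recipients": len(getaddresses(tocc_vals)),
    }

# Constructed sample messages (not taken from any real mail).
SAMPLES = {
    # Placeholder addresses appear only in Cc: the To-only rule misses this.
    "cc_only": "To: victim@real.test\nCc: joe@your.domain, jane@example.com\n"
               "Subject: hi\n\nbody\n",
    # Placeholder address in To: both variants hit.
    "to_hit": "To: bob@some.domain\nSubject: hi\n\nbody\n",
    # Address-book style mail between real users: neither variant hits.
    "clean": "To: alice@corp.test, carol@corp.test\nCc: dave@corp.test\n"
             "Subject: lunch\n\nbody\n",
    # Longer hostname that merely starts with a listed name: \b prevents a hit.
    "lookalike": "To: erin@your.domainname.test\nSubject: hi\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(raw))
```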