On Thu, 11 Jun 2009, Arvid Picciani wrote:
> the amount of backscatter is getting out of control. I fear our MRA might
> soon explode. I don't think this is "noise" anymore.
How many accounts are we talking about here?
If it is just one or two addresses, and the user(s) being 'spoofed' have
distinctive *names* on their genuine 'From' headers, then you can
test for quoted messages in the body that contain a From line with the
correct address but a *wrong* 'name' in front of it.
To use your address as an example:
body LOC_NOTARVIS /^[ ]*From: "?([^A]|A[^r]|Ar[^v])[^<>@]+<a...@exys\.org>/
So any junk 'returned' to you as faked sender, containing, for example:
Returned
From: Bob smith <a...@exys.org>
....would trip over this rule.
Also note that if somehow your name is *stripped*, and only the address
appears, this rule will *not* trigger. It only works on *wrong* names
in front of your address. The use of [^<>@] keeps the rule from triggering
if someone has specified multiple addresses. You might not want this on a
body 'From' test, but I also use this as a header 'To' rule for some of
my clients to stop dictionary spam attacks.... :)
- Charles
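
The rule's pattern from the message above, run over sample From lines as an added example that is not part of the original message. It also shows one case the message does not walk through: because `"?` is optional, the regex can backtrack and let `[^A]` consume the opening quote, so a genuine name written in double quotes trips the rule. Assumptions: the address `arvid@example.org` is a placeholder for the elided one, Python's `re` stands in for SpamAssassin's Perl regex engine with the pattern applied one line at a time, and the lookahead variant is hypothetical.

```python
import re

# Placeholder address: the page elides the real one ("a...@exys.org").
ADDR = r"arvid@example\.org"

# The rule's pattern from the message, with the placeholder address.
PAGE_RULE = re.compile(r'^[ ]*From: "?([^A]|A[^r]|Ar[^v])[^<>@]+<' + ADDR + r'>')

# Hypothetical variant (not from the message): a negative lookahead rejects
# the genuine name whether or not it is wrapped in double quotes.
LOOKAHEAD_RULE = re.compile(r'^[ ]*From: (?!"?Arv)"?[^<>@]+<' + ADDR + r'>')

# Constructed sample lines, as they might appear quoted in a bounce body.
SAMPLES = {
    "wrong_name":     'From: Bob smith <arvid@example.org>',
    "wrong_name_A":   'From: Alice <arvid@example.org>',
    "indented":       '   From: "Bob Smith" <arvid@example.org>',
    "genuine":        'From: Arvid Picciani <arvid@example.org>',
    "genuine_quoted": 'From: "Arvid Picciani" <arvid@example.org>',
    "name_stripped":  'From: <arvid@example.org>',
    "multi_address":  'From: Bob <bob@example.net>, Eve <arvid@example.org>',
}


def hits(rule):
    """Return the set of sample labels on which `rule` fires."""
    return {label for label, line in SAMPLES.items() if rule.search(line)}


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE),
                       ("lookahead variant", LOOKAHEAD_RULE)):
        print(f"{name}: {sorted(hits(rule))}")
```
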