> describe FORGED_HOTMAIL Hotmail with non-Hotmail Reply-to address
> header __FORGED_HM1 From =~ /\...@hotmail\.com/i
> header __FORGED_HM2 Reply-to =~ /\...@hotmail\.com/i
> meta FORGED_HOTMAIL (__FORGED_HM1 && !__FORGED_HM2)
> score FORGED_HOTMAIL 5.0
>
> and write cookie-cutter rules for Yahoo and Gmail.
>
> OTOH, if you're happy that a Japanese test won't generate FPs you can
> cover all three ISPs with one rule:
>
> describe FORGED_FROM Hotmail, Yahoo or Google with Japanese Reply-to
> header __FF1 From =~ /\@(hotmail|yahoo|gmail)\.com/i
> header __FF2 Reply-to =~ /\.jp/i
> meta FORGED_FROM (__FF1 && __FF2)
> score FORGED_FROM 5.0
>
> Of course, if it's just a few Japanese ISPs being used you can easily
> make __FF2 more specific.
>
I tried this for Yahoo...

describe FORGED_YAHOO Yahoo with non-Yahoo Reply-to address
header __FORGED_YH1 From =~ /\...@yahoo\.com/i
header __FORGED_YH2 Reply-to =~ /\...@yahoo\.com/i
meta FORGED_YAHOO (__FORGED_YH1 && !__FORGED_YH2)
score FORGED_YAHOO 0.25

And it triggered on a message with the following header:

http://pastebin.com/qs18DpYn

My best guess is it is using the "In-Reply-To" header... is there a way to
differentiate "In-Reply-To" and "Reply-To"?

Thanks,
--Dennis
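To see which inputs the posted FORGED_YAHOO rule fires on, here is an added Python emulation of its header and meta logic. It is not part of this thread and not SpamAssassin's code; it only mimics the rule semantics that matter for the question: a header test looks at the one header named in the rule (header names compare case-insensitively, so Reply-to and Reply-To are the same header, while In-Reply-To is a different one), an absent header never matches, and the meta combines the sub-tests with the same boolean expression. The sample messages are constructed for this example and are not the pastebin message; `header_matches`, `sub_results` and `build` are names chosen here.

```python
"""Emulate the FORGED_YAHOO rule (added illustration, not SpamAssassin code)
over constructed messages to see which ones make it fire."""
import re
from email import message_from_string
from email.message import Message
from typing import Optional

# The regexes exactly as posted.  "\..." is a literal dot followed by two
# arbitrary characters, so the pattern only matches when the last three
# characters before the "@" are ".xx" (e.g. "jane.do@", not "jane.doe@").
YH1 = re.compile(r"\...@yahoo\.com", re.I)   # __FORGED_YH1, applied to From
YH2 = re.compile(r"\...@yahoo\.com", re.I)   # __FORGED_YH2, applied to Reply-To


def header_matches(msg: Message, name: str, pattern: re.Pattern) -> bool:
    """True if a header called `name` exists and its value matches `pattern`."""
    values = msg.get_all(name)          # case-insensitive header-name lookup
    if not values:
        return False                    # absent header: the test never matches
    return any(pattern.search(v) for v in values)


def sub_results(raw: str) -> dict:
    """Evaluate both sub-tests and the meta for one raw RFC 822 message."""
    msg = message_from_string(raw)
    yh1 = header_matches(msg, "From", YH1)
    yh2 = header_matches(msg, "Reply-To", YH2)   # In-Reply-To is never consulted
    return {
        "__FORGED_YH1": yh1,
        "__FORGED_YH2": yh2,
        "has_reply_to": msg.get("Reply-To") is not None,
        "has_in_reply_to": msg.get("In-Reply-To") is not None,
        "FORGED_YAHOO": yh1 and not yh2,          # meta (__FORGED_YH1 && !__FORGED_YH2)
    }


def forged_yahoo(raw: str) -> bool:
    return sub_results(raw)["FORGED_YAHOO"]


def build(from_addr: str, reply_to: Optional[str]) -> str:
    """Construct a minimal message (sample data, not a real capture)."""
    lines = [
        f"From: Jane Doe <{from_addr}>",
        "To: dennis@example.org",
        "Subject: re: meeting",
        "In-Reply-To: <abc123@example.org>",   # present in every sample
    ]
    if reply_to:
        lines.append(f"Reply-To: {reply_to}")
    return "\n".join(lines) + "\n\nbody\n"


# 1. Yahoo From, an In-Reply-To header, but no Reply-To at all.
NO_REPLY_TO = build("jane.do@yahoo.com", None)
# 2. Same, plus a Yahoo Reply-To that the posted regex does match.
REPLY_TO_YAHOO = build("jane.do@yahoo.com", "jane.do@yahoo.com")
# 3. A Yahoo Reply-To whose local part has no ".xx" right before the "@".
REPLY_TO_SHORT = build("jane.do@yahoo.com", "jd@yahoo.com")
# 4. The case the rule is meant to catch: a non-Yahoo Reply-To.
REPLY_TO_JP = build("jane.do@yahoo.com", "someone.ab@example.jp")
# 5. Same Reply-To, but the From local part ends in ".doe" (three chars).
FROM_THREE_CHARS = build("jane.doe@yahoo.com", "someone.ab@example.jp")

if __name__ == "__main__":
    samples = [
        ("no Reply-To", NO_REPLY_TO),
        ("Reply-To yahoo", REPLY_TO_YAHOO),
        ("Reply-To jd@yahoo", REPLY_TO_SHORT),
        ("Reply-To .jp", REPLY_TO_JP),
        ("From jane.doe@", FROM_THREE_CHARS),
    ]
    for label, raw in samples:
        r = sub_results(raw)
        print(f"{label:18} FORGED_YAHOO={str(r['FORGED_YAHOO']):5} "
              f"YH1={str(r['__FORGED_YH1']):5} YH2={str(r['__FORGED_YH2']):5} "
              f"Reply-To={r['has_reply_to']} In-Reply-To={r['has_in_reply_to']}")
```

Two things fall out of the run. First, a header test on Reply-To does not see In-Reply-To at all, so the header cannot be what matched; but if a message has no Reply-To header whatsoever, `__FORGED_YH2` is false, `!__FORGED_YH2` is true, and the meta fires on any From that satisfies `__FORGED_YH1` (sample 1). Second, the `\...` pattern only matches a dot followed by exactly two characters before the `@`, so a Yahoo Reply-To such as `jd@yahoo.com` does not satisfy `__FORGED_YH2` and the rule fires (sample 3), while a From such as `jane.doe@yahoo.com` never satisfies `__FORGED_YH1` (sample 5). SpamAssassin's documented `header` syntax accepts an `[if-unset: STRING]` suffix that supplies a value when the header is absent, and the `From:addr` form restricts the match to the address rather than the whole header; either is worth checking before relying on a negated sub-rule.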