On Mon, 12 Jul 2010, Michelle Konzack wrote:
----[ STDIN ]-----------------------------------------------------------
From coupond...@perezcentral.com Sun Jul 11 17:21:41 2010
Return-Path: <coupond...@perezcentral.com>
Delivered-To: linux4miche...@tamay-dogan.net
Received: from erona.perezcentral.com (erona.perezcentral.com
[::ffff:72.34.111.198])
by mail.tamay-dogan.net with esmtp; Sun, 11 Jul 2010 17:21:14 +0200
id 0002BDA9.4C39E16B.00001A98
To: linux4miche...@tamay-dogan.net
Date: Sun, 11 Jul 2010 08:20:47 -0700
From: "Coupon Dept." <CouponDeptdOS_V`CcOP
IW^GIdATOn2PbJK_/v...@perezcentral.com>
Subject: Your Complimentary Coupons
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
Message-ID: <pine.lnx.4.31.030101.9935055.8720-1278861...@mail.perezcentral.com>
X-TDTools-Procmail: FILTER=FLT_weird_from, TLIST=FLT_weird_from,
WLIST=FLT_weird_from, COUNT=3
<snip>
------------------------------------------------------------------------
Rough first pass SA rule:
header T_FROM_CRAP1 From:addr =~ /[`\^:\]\[,?\/"]/
describe T_FROM_CRAP1 characters we should not see in real from address
score T_FROM_CRAP1 0.1
header T_FROM_CRAP2 From:addr =~ /[...@]*\@[...@]*\@/
describe T_FROM_CRAP2 Real from address should not contain more than one @
score T_FROM_CRAP2 0.1
Untested. Warning: could cause false positives. Some of those characters
-could- be used in legit addresses (e.g. X400 uses '/') but that's rare.
Test and adjust according to your mail environment.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
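
Added example (not part of the original message and not SpamAssassin's own code): a Python sketch of the two checks above, run over constructed From headers, including the X.400-style address that produces the false positive the message warns about. Assumptions: from_addr() is a rough stand-in for SpamAssassin's From:addr, the second pattern follows the rule's describe line because the archived regex is mangled by address obfuscation, and all sample addresses are constructed.

```python
import re

# Character class from T_FROM_CRAP1 (the slash needs no escaping in Python).
CRAP_CHARS = re.compile(r'[`\^:\]\[,?/"]')
# Intent of T_FROM_CRAP2 per its describe line: a second "@" in the address.
MULTI_AT = re.compile(r'@[^@]*@')

def from_addr(header_value):
    """Rough stand-in for From:addr: the text inside the trailing <...>,
    or the whole value when there are no angle brackets."""
    m = re.search(r'<([^<>]*)>\s*$', header_value)
    return (m.group(1) if m else header_value).strip()

def check_from(header_value):
    """Return the names of the rules that would hit for this From header."""
    addr = from_addr(header_value)
    hits = []
    if CRAP_CHARS.search(addr):
        hits.append("T_FROM_CRAP1")
    if MULTI_AT.search(addr):
        hits.append("T_FROM_CRAP2")
    return hits

# Constructed sample headers (example.* domains are placeholders).
SAMPLES = {
    "plain": '"Alice Example" <alice@example.org>',
    # Odd characters in the display name only: the address part is clean.
    "quoted_display_chars": '"Sales, [EMEA]" <sales@example.org>',
    "junk_localpart": '"Coupon Dept." <Dept`xY^z/q@example.com>',
    "two_ats": 'Bob <bob@relay@example.net>',
    # Legitimate X.400-style gateway address: hits rule 1 because of '/'.
    "x400_style": '</G=Jane/S=Doe/O=Corp/@gw.example.org>',
}

def run_samples():
    return {name: check_from(value) for name, value in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:22} {hits or 'clean'}")
```

Because both rules score 0.1, a hit such as the X.400 case only nudges the total; running the same checks over a sample of known-good mail shows how often that happens before the scores are raised.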