On 15/01/11 01:54, John Hardin wrote:
> On Fri, 14 Jan 2011, Ned Slider wrote:
>> header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
>> describe NSL_RCVD_HELO_USER Received from HELO User
>> Might want to combine into a meta rule with existing
>> NSL_RCVD_FROM_USER rule:
>> header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
>> describe NSL_RCVD_FROM_USER Received from User
>> The above are particularly effective (here) against 419 / bank phish
>> type emails sent from compromised webmail accounts. Hit rate is not
>> great, but the FP count is near zero.
> Ned, I put those into my sandbox when you first suggested them and they
> are performing _quite_ well.
Hi John,
Yes, sorry - I had forgotten you tested these.
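To show how the two quoted header rules behave against real-looking Received headers, and what a meta rule combining them would do, here is an added Python example. It is not code from the list thread or from SpamAssassin itself: it reproduces the two regexes as posted, runs them over constructed sample headers (TEST-NET addresses, not captured mail), and evaluates a meta rule. The meta rule name NSL_RCVD_USER_COMBO and its AND combination are assumptions made for the example; the thread only suggests combining the rules without defining the meta rule.

```python
import re

# The two header rules quoted in the thread, as Python regexes. SpamAssassin
# tests them against the Received header(s) of a message; the /i flag on the
# first rule becomes re.IGNORECASE here, the second rule is case-sensitive.
RULES = {
    "NSL_RCVD_HELO_USER": re.compile(r"helo[= ]user\)", re.IGNORECASE),
    "NSL_RCVD_FROM_USER": re.compile(r"from User [\[\(]"),
}


def header_hits(received_headers):
    """Return the set of rule names that match the Received headers.

    SpamAssassin concatenates every instance of a header before applying a
    header rule; for these unanchored patterns that is the same as testing
    each Received line and collecting any hit.
    """
    hits = set()
    for name, pattern in RULES.items():
        if any(pattern.search(h) for h in received_headers):
            hits.add(name)
    return hits


def meta_rule_hits(hits):
    """Evaluate an assumed meta rule:

        meta NSL_RCVD_USER_COMBO (NSL_RCVD_HELO_USER && NSL_RCVD_FROM_USER)

    The name and the AND logic are this example's assumption, not something
    the thread defines.
    """
    return "NSL_RCVD_HELO_USER" in hits and "NSL_RCVD_FROM_USER" in hits


# Constructed sample Received headers (not real messages). "phish" mimics a
# webmail front end that advertises "User" as both HELO name and origin host,
# "from_user_only" trips only the second rule, "legit" is an ordinary relay.
SAMPLES = {
    "phish": [
        "from User (helo=user) [203.0.113.7] by mx.example.net with esmtp",
        "from mail.example.net (mail.example.net [192.0.2.25]) by mx.example.net",
    ],
    "from_user_only": [
        "from User ([198.51.100.12]) by webmail.example.org with HTTP",
    ],
    "legit": [
        "from mail.example.com (mail.example.com [192.0.2.10]) "
        "by mx.example.net (helo=mail.example.com)",
    ],
}


def classify(sample):
    """Run both header rules and the meta rule over one named sample."""
    hits = header_hits(SAMPLES[sample])
    return {"header_hits": sorted(hits), "meta_hit": meta_rule_hits(hits)}


if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify(name))
```

Only the sample that carries both the "helo=user)" fragment and the "from User (" fragment fires the AND meta rule, which is the point of combining the two rules: each alone has a low hit rate, and requiring both keeps the false-positive count close to zero.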