On 4/9/11 10:51 AM, David F. Skoll wrote:

> So you could (I suppose) legitimately reject a message with multiple From:
> addresses that lacks a conforming Sender: header.

__L_HAS_SNDR looks for sender(s).  BUT we need a 'one sender' rule


so, a meta rule like:
meta __MANY_FROM && ! __ONE_SENDER

should do it.

sender can't have FULLNAME, only email, and can't have multiple emails.

header __MANY_SENDER sender =~ /@.*@/

meta __ONE_SENDER __L_HAS_SNDR && ! __MANY_SENDER

header __MANY_FROM From:addr =~ /@.*@/


but, I can't get many 'from' to trigger with that, but this does work.

header __MANY_FROM From =~/(?:\@[^@]{5,30}){3}/

that (from your MANY_RECIPS). anyone want to pare it down to make it less expensive?

suggest put in sandbox for a while? but, no reason it should not trigger a score of 3 or more.


(pastebin available upon request, but:

From: <be...@domain.com>,
<jkee...@domain.com>,
<s...@domain.com>,
<a...@domain.com>,
<ageda...@domain.com>



> Regards,
>
> David.


--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation

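The check discussed in this thread (several From: mailboxes without exactly one Sender: mailbox), as an added example that is not part of the original message and is not SpamAssassin code. It uses Python's standard-library header parser instead of a regex over the raw header; the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# The thread's regex idea, applied to the raw (unfolded) header text.
NAIVE_MANY = re.compile(r"@.*@")

def mailboxes(msg, name):
    """Parsed mailboxes from every occurrence of header `name`."""
    return [a.addr_spec for h in msg.get_all(name, [])
            for a in h.addresses if a.domain]

def many_from_without_one_sender(raw):
    """True when From: has several mailboxes and Sender: is not exactly one."""
    msg = message_from_string(raw, policy=default)
    many_from = len(mailboxes(msg, "From")) > 1
    one_sender = len(mailboxes(msg, "Sender")) == 1
    return many_from and not one_sender

def naive_many_from(raw):
    """Regex-only check, kept for comparison with the parsed result."""
    msg = message_from_string(raw, policy=default)
    return bool(NAIVE_MANY.search(str(msg.get("From", ""))))

# Constructed sample messages (all addresses are placeholders).
FOLDED_NO_SENDER = (
    "From: <a@example.com>,\n <b@example.com>,\n <c@example.com>\n"
    "Subject: test\n\nbody\n")
WITH_ONE_SENDER = (
    "From: <a@example.com>, <b@example.com>\n"
    "Sender: <a@example.com>\nSubject: test\n\nbody\n")
WITH_TWO_SENDERS = (
    "From: <a@example.com>, <b@example.com>\n"
    "Sender: <a@example.com>, <b@example.com>\nSubject: test\n\nbody\n")
# One mailbox whose quoted display name contains a comma and an "@".
QUOTED_NAME = (
    'From: "Doe, Jane @ HQ" <jane@example.com>\n'
    "Subject: test\n\nbody\n")

if __name__ == "__main__":
    samples = [("folded From, no Sender", FOLDED_NO_SENDER),
               ("one Sender", WITH_ONE_SENDER),
               ("two Senders", WITH_TWO_SENDERS),
               ("quoted display name", QUOTED_NAME)]
    for label, raw in samples:
        print(f"{label:24} flagged={many_from_without_one_sender(raw)} "
              f"naive_regex={naive_many_from(raw)}")
```

The last sample is the case a raw-header regex gets wrong: one mailbox, but two "@" characters in the header text.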