At 3:39 PM -0600 07/31/2013, Amir 'CG' Caspi wrote:
At 3:23 AM +0200 07/25/2013, Karsten Bräckelmann wrote:
header LOCALPART_IN_SUBJECT eval:check_for_to_in_subject('user')
And all of them do hit that rule. A super-set of the ADDRESS variant,
using the local part instead of the complete address. Still in stock
rules.
Hmmmmm. One of my users has received at least
two spams in recent days with his email address
in the Subject line. No LOCALPART or ADDRESS
rule hit on either email. sa-update is running
nightly and rules are being updated... any idea
why this check may not have been run, and/or may
not have hit?
I can provide a pastebin if it would be helpful.
A number of my users have been receiving spams
with their email addresses in the subject. As
Ian noted in an earlier email,
LOCALPART_IN_SUBJECT doesn't seem to hit for
email addresses, and ADDRESS_IN_SUBJECT appears
to have been removed, so these spams aren't
getting tagged for this obviously-spammy behavior.
Could ADDRESS_IN_SUBJECT be restored, and/or
could LOCALPART_IN_SUBJECT be expanded to hit
when the whole email address is embedded?
Unfortunately these spams aren't getting high
spam scores, which is why I'm noticing them.
Many get caught by Bayes, but not all.
Thanks.
--- Amir
