On Fri, 10 Mar 2017, Michael Grant wrote:

> [snip..]
> The problem is caused by innocentbytan...@ymail.com IN THE BODY!  
> 
> This seems a bit overzealous.  It seems like a bit of an over-reach to look at 
> headers in the BODY of the message.
> 
> This is an excellent rule except for this rude message body cavity search!
> 
> I suggest only searching the headers in this rule.
> 
> If you really feel it ought to search the body like this, can you please split 
> it into 2 rules:
>   1) the existing rule which searches the body+headers, and
>   2) a second that only searches the headers.

It is not uncommon for spammers to embed a "contact me at my private address" line in the body of scam-mails (e.g. 914, "I found some money and I'd like your help...", or "do you need a loan?" stuff).

Just searching for freemail systems in the From or Reply-To headers by themselves
isn't as powerful, as there are lots of ham mails that have a freemail From or Reply-To.

So yes, it is important to find those body addresses and check to see if they
match (or do not match) the "From:" address (that's its strength).

If you want to test this, there is a variant rule provided by the FreeMail
plugin which only checks the headers (check_freemail_from & 
check_freemail_header).
Just look for hits on FREEMAIL_FROM, you'll probably find it hits more Ham than Spam.

As you found there is the risk of FPs, so don't score this rule as a
one-shot-kill unless you're willing to accept the damage or have other
mechanisms to mitigate the damage.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

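The distinction the thread is arguing about (a header-only freemail check versus a body check whose strength is that the body address differs from the sender's own address), modelled in Python as an added example. This is not the FreeMail plugin's code: the rule names, scores, the short freemail domain list and the three sample messages are all constructed for illustration, and the "body address not equal to From/Reply-To" comparison is an assumption about what the body rule is meant to catch. The third sample shows the false-positive case Michael hit: a legitimate sender mentioning a personal freemail address in the body.

```python
"""Header-only vs. body freemail checks, as discussed in the thread.

Added example, not the SpamAssassin FreeMail plugin's code. Domain list,
rule names, scores and sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed subset of a freemail domain list (assumption: the real plugin
# loads its own, much longer, freemail_domains list from its config).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "ymail.com", "hotmail.com", "outlook.com"}

# Deliberately simple address matcher; good enough for plain-text bodies.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

SPAM_THRESHOLD = 5.0  # SpamAssassin's default required_score

# Constructed scores: neither rule alone is a one-shot kill.
SCORES = {"FREEMAIL_FROM_EXAMPLE": 0.5, "FREEMAIL_BODY_MISMATCH_EXAMPLE": 2.0}


def is_freemail(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() in FREEMAIL_DOMAINS


def header_addrs(msg, *names) -> set:
    """Lower-cased addresses found in the named headers (From, Reply-To, ...)."""
    found = set()
    for name in names:
        found.update(a.lower() for a in ADDR_RE.findall(msg.get(name, "")))
    return found


def body_addrs(msg) -> set:
    """Lower-cased addresses found in the text/plain body."""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    return {a.lower() for a in ADDR_RE.findall(text)}


def check_freemail_from(msg) -> bool:
    """Header-only check: any freemail address in From or Reply-To.
    Hits a lot of ham, since plenty of real people send from freemail."""
    return any(is_freemail(a) for a in header_addrs(msg, "From", "Reply-To"))


def check_freemail_body_mismatch(msg) -> bool:
    """Body check: a freemail address in the body that is NOT also the
    sender's From/Reply-To address (the 'contact me privately' pattern)."""
    sender = header_addrs(msg, "From", "Reply-To")
    return any(is_freemail(a) and a not in sender for a in body_addrs(msg))


def evaluate(raw: str):
    """Return (rule hits, total score) for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=default_policy)
    hits = []
    if check_freemail_from(msg):
        hits.append("FREEMAIL_FROM_EXAMPLE")
    if check_freemail_body_mismatch(msg):
        hits.append("FREEMAIL_BODY_MISMATCH_EXAMPLE")
    return hits, sum(SCORES[h] for h in hits)


# Constructed sample messages (fake addresses; .example domains are reserved).
SCAM = """From: "Loan Desk" <desk@loans-corp.example>
To: victim@example.org
Subject: Do you need a loan?

We offer loans at 2%. For a private reply contact me at quickloan.agent@ymail.com.
"""

HAM_FREEMAIL_SENDER = """From: Alice <alice.sample@gmail.com>
To: bob@example.org
Subject: lunch?

Still on for Friday?
-- Alice (alice.sample@gmail.com)
"""

HAM_PERSONAL_ADDR_IN_BODY = """From: Bob <bob@corp.example>
To: alice.sample@gmail.com
Subject: re: lunch

Sure. Over the weekend use my personal address, bob.sample@hotmail.com.
"""

if __name__ == "__main__":
    for label, raw in [("scam", SCAM), ("ham-freemail-sender", HAM_FREEMAIL_SENDER),
                       ("ham-personal-addr", HAM_PERSONAL_ADDR_IN_BODY)]:
        hits, total = evaluate(raw)
        print(f"{label:22} {hits} score={total} spam={total >= SPAM_THRESHOLD}")
```

Run as-is it prints one line per sample: the scam trips only the body-mismatch rule, the freemail-sender ham trips only the header rule, and the "personal address in body" ham trips the body-mismatch rule exactly as Michael's message did. With the constructed scores none of them reaches the 5.0 threshold on these rules alone, which is the "don't score it as a one-shot kill" point; the body rule is still useful as one signal among several.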