On Sun, 27 Dec 2020, Kenneth Porter wrote:
--On Saturday, December 26, 2020 11:20 PM -0500 Bill Cole
wrote:
You definitely want to escape that '+' and catch the recipient instead of
sender:
header RULENAME To:addr =~ /\+.+\@/
score RULENAME -1
That looks like what I want. Although since my server is hacked to accept a
dot as separator, I can use [+.] in the pattern, with /[+.].+\@/. I can then
add exceptions with positive scores for the abusers.
You'll also need to check Cc: if you're looking at the message headers,
so two rules.
This would miss spams where the recipients are BCC'd, though.
To catch those you'd need to check for the address in a Received: header,
assuming your MTA adds the envelope recipient to the Received: header it
generates. For example, the "for <>" in this:
Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org
[95.216.194.37])
by ga.impsec.org (8.14.7/8.14.7) with ESMTP id 0BRHZ0H5027977
(version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
verify=FAIL)
for ; Sun, 27 Dec 2020 11:35:11 -0600
You might do:
header ABUSED_PLUS Received =~ /\bfor
/i
--
John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
jhar...@impsec.org pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Men by their constitutions are naturally divided in to two parties:
1. Those who fear and distrust the people and wish to draw all
powers from them into the hands of the higher classes. 2. Those who
identify themselves with the people, have confidence in them,
cherish and consider them as the most honest and safe, although not
the most wise, depository of the public interests.
-- Thomas Jefferson
---
211 days since the first private commercial manned orbital mission (SpaceX)