Marcus Schopen wrote:
Am Montag, den 26.11.2018, 13:02 -0500 schrieb Dianne Skoll:
On Mon, 26 Nov 2018 17:55:57 +0100
Marcus Schopen <li...@localguru.de> wrote:
is always the same, but I can't catch it with blacklist_from. Can I
get
that from $entity->head->get('From') or any better ideas?
That should work, or you can open and read the file ./HEADERS, which
contains the message headers (unwrapped, so exactly one header per
line.)
I use a spamassassin rule now
header MY_HEADER_1 From =~ /^.*\@spammer\.com.*/
describe MY_HEADER_1 Header-Spam-Rule 1
score MY_HEADER_1 100
This will more or less work, but keep in mind that "spammer.com" might
better be shown in examples as "spoofvictim.com". The whole point of
this from the spammer's perspective is that mail clients will only
display the "known"/"trusted" address, hiding the *other* victim (the
compromised account). Most of the time *both* addresses in the From: on
these messages, however arranged, are innocent and unrelated to the
spammer. If you block either, you take the risk of blocking legitimate
mail.
I have a pair of subrules looking for two @ signs in the From: - one
just looks for two @ signs, the other looks for a specific variant with
two <>-wrapped normal email addresses. These get combined with a couple
of other factors in meta rules to build up the score.
-kgd
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
