Arlyle Consulting wrote:
Hi,
I have a question, and possible feature request.
I just installed SpamAssassin on my mail server a couple of days ago.
I've been closely studying the messages that get by SA and are spam,
and I've noticed something.
Many of the messages that are spam that SA misses has return addresses
that have 'mx' in the host part of the address. Here are examples:
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
I've had an email account on the Internet for 14 years, and I have
NEVER had to put anything like "mx5" in an email address. The only
thing I can think of that remotely resembles this is the old days of
Netcom when the addresses were all "ix.netcom.com". I suspect they
are including these "mx" subzone names because they are all valid
hosts in those domains (I checked with "dig", and they all return a
valid IP address).
What is needed is a rule that checks these return addresses and, if it
finds 'mx' as a subdomain, it gives it points. Regular expressions
are not my strong suit, but I think it would look something like this:
/[EMAIL PROTECTED]/
Hopefully everyone gets the jist.
It doesn't appear there's a rule like this currently. I'm wondering
if there is a way to add this type of rule?
You could easily add your own
header MY_FROM_MX From =~ /[EMAIL PROTECTED]/
score MY_FROM_MX 0.01
note: I removed the trailing .*, becuase it's redundant to end a regex
in a wildcard. They match substrings, so there's no value in adding them
on the end like that.
My only caution to you is this rule may match a lot of legitimate
commercial newsletters. If they're not important to you, that's not much
of a concern, but you might want to keep an eye out for it if you care
about them.