http://bugzilla.spamassassin.org/show_bug.cgi?id=3132
Summary: Rule suggestion
Product: Spamassassin
Version: 2.63
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Rules
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]
In going through a large amount of junk mail, I've noticed a certain Received:
header that doesn't appear in valid mail. I've run it past a couple of corpora,
and that seems to be borne out. Here's the rule:
header CRF_RATWARE_ZOMBIE Received =~ /from [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} by [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3};/
describe CRF_RATWARE_ZOMBIE Relayed through probable spammer zombie
score CRF_RATWARE_ZOMBIE 0.75
The idea is to catch Received: headers that contain two IP addresses
separated by the word "by" and little else.
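Added example, not part of the original report and not SpamAssassin code: a Python check of the proposed pattern against constructed Received: headers, including one where "by" sits on a folded continuation line. The helper names received_hits and matches_raw are hypothetical, the addresses are documentation-range samples, and collapsing folded whitespace to single spaces before matching is an assumption of this sketch.

```python
import email
import re

# Pattern copied from the proposed CRF_RATWARE_ZOMBIE rule, on one line.
ZOMBIE_RE = re.compile(
    r"from [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3} by "
    r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3};"
)

# Constructed message: one ordinary MTA hop, one bare "IP by IP;" hop,
# and the same bare form folded so that "by" starts a continuation line.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id ABC123;
\tMon, 1 Mar 2004 10:00:00 -0500
Received: from 198.51.100.7 by 203.0.113.9; Mon, 01 Mar 2004 14:59:00 +0000
Received: from 198.51.100.8
\tby 203.0.113.9; Mon, 01 Mar 2004 14:58:00 +0000
From: sender@example.com
Subject: constructed test

body
"""


def matches_raw(value):
    """Apply the pattern to a header value exactly as given."""
    return ZOMBIE_RE.search(value) is not None


def received_hits(raw_message):
    """Return (unfolded_header, hit) for every Received: header."""
    msg = email.message_from_string(raw_message)
    results = []
    for value in msg.get_all("Received", []):
        # Assumption: folding whitespace is collapsed before matching.
        unfolded = " ".join(value.split())
        results.append((unfolded, matches_raw(unfolded)))
    return results


if __name__ == "__main__":
    for header, hit in received_hits(SAMPLE):
        print("HIT " if hit else "miss", header)
```

The pattern requires a literal single space on each side of "by", so a folded header only matches once its whitespace has been normalised; it also accepts octets above 255, since each group is just one to three digits.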