In every domain I manage, we receive spam directed to [EMAIL PROTECTED]. I can't imagine I'm the only one.
Apparently some address harvester somewhere along the way harvested and then mangled [EMAIL PROTECTED], dropping the leading "we" and replacing the "ter" with "tgr". I created this rule today, which hits 1.2% of all spam in my corpus (950 of 79,437), and no ham (of 17,831). It depends on some email system somewhere along the Received chain indicating that this is the addressee. I used this rather than ToCc, to capture emails where the destination is hidden in a bcc list. I'm scoring this equal to my Required Hits parameter.

header RM_bmastgr Received =~ /for bmastgr\@/
describe RM_bmastgr Directed to invalid address often used by spammers
score RM_bmastgr 9.000 # 950s/0h of 97268 corpus (79437s/17831h) 01/29/04

Even better, since it will catch use of this address in a TO, CC, and/or From header, might be:

header __RM_bmastgr1 Received =~ /for bmastgr\@/
header __RM_bmastgr2 ToCc =~ /\bbmastgr\@/
header __RM_bmastgr3 From =~ /\bbmastgr\@/
header __RM_bmastgr4 Envelope-to =~ /\bbmastgr\@/
header __RM_bmastgr5 Subject =~ /\bbmastgr\b/
meta RM_bmastgr ( __RM_bmastgr1 || __RM_bmastgr2 || __RM_bmastgr3 || __RM_bmastgr4 || __RM_bmastgr5 )
describe RM_bmastgr Directed to/from invalid address often used by spammers
score RM_bmastgr 9.000 # I don't yet have stats for this meta rule (I haven't even linted it yet).

Does anyone see any problems with this concept or these specific rules? Does anyone have similarly known-to-be-invalid and globally applicable addresses we might test for within this rule?

Bob Menschel
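The logic of the meta rule in the post above, as an added Python example that is not part of the original message and does not run SpamAssassin itself: it applies the five sub-rule patterns to the corresponding headers of constructed sample messages (ToCc is approximated as To plus Cc, and every Received line is checked) and shows why the Received "for" clause catches a bcc'd recipient that To/Cc miss.

```python
import re
from email import message_from_string

# Added example, not the rule file from the original post: mirrors the
# __RM_bmastgr1..5 sub-rules and the RM_bmastgr meta rule outside SpamAssassin.
# SpamAssassin's ToCc pseudo-header is approximated here as To plus Cc.
SUBRULES = {
    "__RM_bmastgr1": (("Received",), re.compile(r"for bmastgr@")),
    "__RM_bmastgr2": (("To", "Cc"), re.compile(r"\bbmastgr@")),
    "__RM_bmastgr3": (("From",), re.compile(r"\bbmastgr@")),
    "__RM_bmastgr4": (("Envelope-to",), re.compile(r"\bbmastgr@")),
    "__RM_bmastgr5": (("Subject",), re.compile(r"\bbmastgr\b")),
}
SCORE = 9.0  # the post scores the rule equal to its required-hits threshold

def subrule_hits(raw_message):
    """Evaluate every sub-rule; each sees all instances of its header(s)."""
    msg = message_from_string(raw_message)
    hits = {}
    for name, (headers, pattern) in SUBRULES.items():
        text = "\n".join(str(v) for h in headers for v in msg.get_all(h, []))
        hits[name] = bool(pattern.search(text))
    return hits

def rm_bmastgr_score(raw_message):
    """meta RM_bmastgr: OR of the sub-rules; fires with the full score."""
    return SCORE if any(subrule_hits(raw_message).values()) else 0.0

# Constructed sample messages (not real mail). The first hides the harvested
# address in a bcc-style delivery: To names nobody, only the Received "for"
# clause names bmastgr, which is why the post checks Received and not just ToCc.
SPAM_BCC = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with SMTP id abc123
\tfor bmastgr@example.org; Thu, 29 Jan 2004 10:00:00 -0500
From: "Offer" <deals@example.net>
To: undisclosed-recipients:;
Subject: Great offer

Buy now.
"""
HAM = """\
Received: from mail.example.com (mail.example.com [192.0.2.20])
\tby mx.example.org with SMTP id def456
\tfor bob@example.org; Thu, 29 Jan 2004 11:00:00 -0500
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Meeting notes

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("spam via bcc", SPAM_BCC), ("ham", HAM)):
        print(label, subrule_hits(raw), rm_bmastgr_score(raw))
```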