On Mon, 5 Feb 2018, Alex wrote:
Hi,
Is it possible to identify if the Subject contains the sender?
You mean like __SUBJ_HAS_FROM_1 ?
I realize this probably isn't a significant spam indicator, but I think
it would be helpful.
From: example.com <r...@multiviscomindo.com>
To: mor...@example.com
Subject: mor...@example.com You have just 15 hours to verify your account
That example is the *recipient*. __TO_IN_SUBJ
Neither one is very useful by itself, they would have to be meta'd with
other rules, like subject =~ /verify your account/ - which will probably
be strong enough signs on their own.
I'm also thinking the From with just the domain is a variation of what
we saw a few weeks ago with the attempt to confuse the sender.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Maxim IV: Close air support covereth a multitude of sins.
-----------------------------------------------------------------------
Tomorrow: the first Falcon Heavy test launch