On 2 Apr 2018, at 1:33 (-0400), Rich Wales wrote:
[I tried asking this question a couple of days ago, but I've seen no
signs that it made it out to the list -- possibly because the sample
e-mail addresses I included in my question might have caused it to be
flagged as spam. So here goes again, this time with the addresses
mangled a bit.]
I see a lot of spam with "From:" lines where the left-hand side of the
address is essentially the same (modulo punctuation) as the "full name"
portion of the address. The right-hand side, on the other hand, is a
random gibberish domain.

A few examples currently sitting in my local server's spam quarantine
(with the addresses edited so they hopefully won't trigger any spam
checks):

Adding To Human Lifespan <adding.to.human.lifespan (at) garciniawiki (dot) com>
"Eliminate Fat Fast" <eliminate-fat-fast (at) jeanettejtaylor (dot) com>
"Home Warranty Special" <home_warranty_special (at) racerville (dot) com>
Smartphone Screen Protector <smartphone.screen.protector (at) dtqmp (dot) com>

Two questions:
Is it *technically possible* to create a Spamassassin rule which would
match this sort of "From:" line?
This (UNTESTED) should do it:
header THREE_WORD_MONTY From =~ /(\w+) (\w+) (\w+)"? <\1.\2.\3/i
And assuming it can be done, is it *worthwhile* to do it?
Not a clue. Maybe worth a try?
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
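
The check discussed in this thread, generalised to any number of words, as an added example that is not part of either message: a Python stand-in for the matching logic, not a SpamAssassin rule. The function names, the `min_words` threshold and the `.example` addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed From: values modelled on the thread's examples; the .example
# domains are placeholders, not the quarantined senders' domains.
SAMPLES = [
    'Adding To Human Lifespan <adding.to.human.lifespan@gibberish1.example>',
    '"Eliminate Fat Fast" <eliminate-fat-fast@gibberish2.example>',
    '"Home Warranty Special" <home_warranty_special@gibberish3.example>',
    'Smartphone Screen Protector <smartphone.screen.protector@gibberish4.example>',
    '"Rich Example" <rich@lists.example>',   # ordinary sender
    'Billing <billing@shop.example>',        # one-word role address
]


def squash(text):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r'[^a-z0-9]', '', text.lower())


def name_mirrors_localpart(from_value, min_words=3):
    """True when the display name has at least min_words words and equals
    the local part once case and punctuation are ignored."""
    name, addr = parseaddr(from_value)   # also strips quotes around the name
    if not name or '@' not in addr:
        return False
    local = addr.rsplit('@', 1)[0]
    words = re.findall(r'[A-Za-z0-9]+', name)
    return len(words) >= min_words and squash(name) == squash(local)


def flagged(values, min_words=3):
    """Return the From: values whose display name mirrors the local part."""
    return [v for v in values if name_mirrors_localpart(v, min_words)]


if __name__ == '__main__':
    for value in flagged(SAMPLES):
        print('MATCH', value)
```

The `min_words` threshold is what keeps ordinary `firstname.lastname` senders out of the match set; lowering it to 2 would flag them too.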