I'd go a step farther ... mail sent outside of the work day (local *and* EST) is more commonly spam.
My current assumption (not yet backed by stats) is to add points to anything between 12a-6a EST that is also between 1a-5a locally. In addition, some points (but not as many) can be awarded to weekend emails in some situations (not at my workplace though). I have a (poorly-written) plugin that does the latenight check now, but I don't know how to get it to parse the headers (it actually uses gmtime() and localtime() at the moment!) ################# # Spammers often send their mail late-night to avoid reporting and # utilize higher bandwidth without so much attention (how # considerate!). Legitimate mail is less commonly sent so late. # TODO: _check_date_received() Mail::SpamAssassin::Plugin::HeaderEval sub check_latenight { my ($self, $msg) = @_; my @gmt = gmtime(time); my @local_time = localtime(time); my $est = $gmt[2] - 5; # yeah, no DST ... meh, 1h slow is ok my $hour = $local_time[2]; # between midnight and 6am in New York AND between 1a and 5a local if ( $est < 6 && 1 < $hour && $hour < 5 ) { return 1; } return 0; } ################## header __KHOP_BULK Precedence =~ /bulk|list/ header __LATENIGHT eval:check_latenight() meta KHOP_LATENIGHT __LATENIGHT && !ALL_TRUSTED && !__KHOP_BULK describe KHOP_LATENIGHT Supposedly personal mail received late at night score KHOP_LATENIGHT 0.25