On Tue, Nov 10, 2009 at 11:49 AM, John Hardin <jhar...@impsec.org> wrote:
> On Tue, 10 Nov 2009, rahlqu...@gmail.com wrote: > > On Tue, Nov 10, 2009 at 9:09 AM, John Hardin <jhar...@impsec.org> wrote: >> >> * rahlqu...@gmail.com <rahlqu...@gmail.com>: >>> >>>> >>>> Ok regex is not my strong suit by any means. Trying to get a match >>>>> for email addresses that start with a pipe character ( about 15% of my >>>>> spam is this ). >>>>> >>>> >>> Richard, could you post the headers from one such to pastebin so we can >>> see >>> exactly what you're talking about? >>> >> >> Here you are John; >> http://pastebin.com/m733a7113 >> >> And no, I do indeed mean sent to. >> > > Okay. > > Comment: it would be better to catch and reject these at the MTA level, if > at all possible. I'm sure one of the Postfix admins could suggest how to do > so. > > How about this? > > header ENV_TO_BAR Received =~ / for <\|/ > > You don't need to match the entire address syntax. > > You might want to tighten it up a tiny bit (assuming the headers weren't > sanitized): > > header ENV_TO_BAR Received =~ / by dark\.pcsites\.com .* for <\|/ > > > -- > I could reject at the MTA but I want it to help me to filter and train bayes, many of these are going to multiple users. I'll give these a whack and see if anything squeaks! Thanks!