Thank you for the answers. @Jason Bertoch - I'll try to upgrade, although it will be a difficult task (many corporate mails). @Daniel McDonald - Nice rules, I'm going to integrate it too and see what happens. Funny keywords :D - thanks. @John Hardin - Your suggestion led me to a very good link: http://www.owlriver.com/spam/stop-spam.html
-----Original Message----- From: Daniel McDonald [] Sent: Tuesday 07, December 12, 2010 16:46 To: spamassassin Subject: Re: spam with different "Received" and "To" headers On 12/7/10 8:20 AM, "Florescu, Dan Alexandru" <> wrote: > Hi, > > In the last few days some spam messages have been able to elude the filters I > use. Upon checking the headers, it seems to be following the same pattern. > > I just earned $31 in a few hours at home on the computer! I went to - Business > Week Journal* You will thank me > ----- > * this is a <a href=virus_link>Business Week Journal</a> link > > My question is: shouldn't there be a rule to verify that the mail specified at > "To:" header actually corresponds to the one at "Received: [...] for <>"? > This would be a very effective spam catching rule. No, it would be a really bad rule, for lots of reasons. I am trying to catch these by looking for the body pattern: I {verbed} {money} {verbing} {uri} {salutation} Here is my current rule. I'd love to get more verbs to add to it, based on more examples. They seem to have a pretty good thesaurus... body __SOME_MONEY_HUNDREDS /\$\d{2,3}\b/ describe __SOME_MONEY_HUNDREDS Has a dollar amount up to $one thousand body __EASY_MONEY /\bI\b.{0,10}(?:racked|pulled|scored|made|profited|earned)/ describe __EASY_MONEY talks about making easy money body __EASY_WORK /(?:being online|doing\s(?:(?:simple|easy)\s)?(?:tasks|things|stuff)|working at home|on the computer)/ describe __EASY_WORK talks about the work being simple meta AE_WORKFROM_HOME __EASY_MONEY && __SOME_MONEY_HUNDREDS && __EASY_WORK && __DOS_HAS_ANY_URI describe AE_WORKFROM_HOME work from home spam score AE_WORKFROM_HOME 1.00 -- Daniel J McDonald, CCIE # 2495, CISSP # 78281 The information contained herein is intended for its addressee(s) only and it is privileged or otherwise confidential. Any unauthorized distribution, amendment or disclosure hereof is strictly forbidden by the law. Please find complete and translated versions at http://www.rompetrol.com/disclaimer.html