Re: SARE and RulesDuJour still relevant

Fri, 14 Jan 2011 15:09:59 -0800 

On 14/01/11 21:04, Warren Togami Jr. wrote:


Anyone else have effective local rules? Please let me know and I'll put
them into the nightly masscheck for testing.

Warren




header          NSL_RCVD_HELO_USER      Received =~ /helo[= ]user\)/i
describe                NSL_RCVD_HELO_USER      Received from HELO User


Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER 
rule:


header         NSL_RCVD_FROM_USER       Received =~ /from User [\[\(]/
describe       NSL_RCVD_FROM_USER       Received from User


The above are particularly effective (here) against 419 / bank phish 
type emails sent from compromised webmail accounts. Hit rate is not 
great, but the FP count is near zero.


Regards,

Ned






















					Reply via email to