On 14/01/11 21:04, Warren Togami Jr. wrote:
> Anyone else have effective local rules? Please let me know and I'll put
> them into the nightly masscheck for testing.
>
> Warren

header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User

Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER
rule:

header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User

The above are particularly effective (here) against 419 / bank phish
type emails sent from compromised webmail accounts. Hit rate is not
great, but the FP count is near zero.

Regards,
Ned
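
An added example, not part of the original message: a small Python harness that applies the two patterns from the post to the Received headers of constructed sample messages and derives the suggested combined rule as a logical OR. The meta rule name NSL_RCVD_USER_ANY, the sample messages, and the helper names are assumptions made for illustration.

```python
import re
from email import message_from_string

# The two header rules from the post, with the Perl regexes carried over unchanged.
RULES = {
    "NSL_RCVD_HELO_USER": re.compile(r"helo[= ]user\)", re.I),
    "NSL_RCVD_FROM_USER": re.compile(r"from User [\[\(]"),
}
# Hypothetical meta rule name (not from the post); in SpamAssassin syntax:
#   meta NSL_RCVD_USER_ANY (NSL_RCVD_HELO_USER || NSL_RCVD_FROM_USER)
META = "NSL_RCVD_USER_ANY"

def received_text(raw):
    """Unfold every Received header and join them with newlines."""
    values = message_from_string(raw).get_all("Received") or []
    return "\n".join(re.sub(r"\r?\n[ \t]+", " ", v) for v in values)

def hits(raw):
    """Return the set of rule names that fire on one raw message."""
    text = received_text(raw)
    fired = {name for name, rx in RULES.items() if rx.search(text)}
    if fired:
        fired.add(META)
    return fired

TAIL = "Subject: test\n\nbody\n"
# Constructed samples using documentation-only addresses and domains.
SAMPLES = {
    "exim_helo": "Received: from [198.51.100.7] (helo=User)\n"
                 "\tby mx.example.net with esmtpa (Exim)\n" + TAIL,
    "qmail_helo": "Received: from unknown (HELO User) (192.0.2.44)\n"
                  "\tby mx.example.net with SMTP\n" + TAIL,
    "from_user": "Received: from User (unknown [192.0.2.10])\n"
                 "\tby mail.example.org with ESMTP\n" + TAIL,
    "clean": "Received: from mail.example.com (mail.example.com [203.0.113.5])\n"
             "\tby mx.example.net with ESMTPS\n" + TAIL,
    # A host merely named "user.*" must not fire either rule.
    "lookalike": "Received: from user.example.com ([203.0.113.9] "
                 "helo=user.example.com)\n\tby mx.example.net\n" + TAIL,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} {sorted(hits(raw)) or '-'}")
```

The "lookalike" sample shows why the patterns anchor on the closing parenthesis and on the capitalised "User" followed by a space and bracket: an ordinary hostname beginning with "user" does not hit.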