On Tue, 20 Mar 2012, Nicolas de Bari Embriz Garcia Rojas wrote:
I am receiving to many emails (spam) containing the same FROM EQ TO
Initially tried to use SPF but spfquery returns 'NONE' and I couldĀ“t score it,
so I ended up with the following rules and so far working fine:
header __TOM_TO_EQ_FRa ALL =~ m/^From:\s+?<?(.+@.+)>?(\s|$)[^\0]*^To:.*\1/m
header __TOM_TO_EQ_FRb ALL =~ m/^To:\s+?<?(.+@.+)>?(\s|$)[^\0]*^From:.*\1/m
meta TOM_TO_EQ_FR __TOM_TO_EQ_FRa || __TOM_TO_EQ_FRb
score TOM_TO_EQ_FR 2.5
describe TOM_TO_EQ_FR To and From are the same, could be a cc or a forgery
There are already a bunch of "To = From" rules:
http://ruleqa.spamassassin.org/20120317-r1301890-n/%2FTO_EQ_F
They aren't performing very well against the current masscheck corpora,
but then spam levels are a little low.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #4: If your shooting stance is good,
you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
467 days since the first successful private orbital launch (SpaceX)