On Sat, 7 Jun 2014, Karsten Bräckelmann wrote:
> On Fri, 2014-06-06 at 18:36 -0600, Philip Prindeville wrote:
> > On Jun 6, 2014, at 3:50 PM, Axb <[email protected]> wrote:
> > > If you have to post a spam sample, pls use pastebin and post the full msg
> >
> > Here’s a prototype:
> > http://ur1.ca/hgxkx
>
> That Return-Path really sticks out. It's basically the From: address
> with embedded To: address.
>
> The following rule (beware, entirely untested) would match that pattern.
> A camel-cased string, hyphen, email address with equal sign substituted
> for "@", followed by @ (and an arbitrary domain).
>
>   header CAMEL_CASE Return-Path:addr =~ /^(?:[A-Z][a-z]+){3,}-user=recipient\.net@/
>
> You will of course have to substitute your address. If there are
> multiple valid user names, you could use something like /[a-z]+/ instead
> of an actual user name.

It would be possible to do a multiple-header rule with captures and
backreferences to capture the camel-case, destination email and source
domain parts and verify that the Return-Path+From+To header triplet
matches this pattern.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[email protected] FALaholic #11174 pgpk -a [email protected]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When I say "I don't want the government to do X", do not
automatically assume that means I don't want X to happen.
-----------------------------------------------------------------------
Today: the 70th anniversary of D-Day
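
The triplet check suggested in the reply above, sketched in Python as an added example (not code from any poster in this thread, and not a SpamAssassin rule or plugin). It assumes the From: address is the camel-case string at the Return-Path's domain, which is one reading of "the From: address with embedded To: address"; the function name and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Karsten's pattern with the user and domain generalised into captures:
# CamelCase (3+ humps), "-", recipient with "=" for "@", "@", sender domain.
RETURN_PATH_RE = re.compile(
    r"^(?P<camel>(?:[A-Z][a-z]+){3,})-"
    r"(?P<rcpt_local>[^=@\s]+)=(?P<rcpt_domain>[^=@\s]+)"
    r"@(?P<domain>[^@\s]+)$"
)

def triplet_matches(raw_message):
    """True when Return-Path, From and To all agree with the pattern."""
    msg = message_from_string(raw_message)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    m = RETURN_PATH_RE.match(return_path)
    if not (m and from_addr and to_addr):
        return False
    # Rebuild what the Return-Path implies and compare with the real headers.
    embedded_rcpt = f"{m['rcpt_local']}@{m['rcpt_domain']}".lower()
    implied_from = f"{m['camel']}@{m['domain']}".lower()
    return embedded_rcpt == to_addr and implied_from == from_addr

# Constructed sample messages (not taken from the pastebin sample).
SPAM_LIKE = (
    "Return-Path: <GreatDealsToday-user=recipient.example@bulk.example>\n"
    "From: Great Deals <GreatDealsToday@bulk.example>\n"
    "To: user@recipient.example\n\nbody\n"
)
WRONG_RCPT = (
    "Return-Path: <GreatDealsToday-other=recipient.example@bulk.example>\n"
    "From: Great Deals <GreatDealsToday@bulk.example>\n"
    "To: user@recipient.example\n\nbody\n"
)
LIST_MAIL = (
    "Return-Path: <announce-bounces@lists.example>\n"
    "From: Announce <announce@lists.example>\n"
    "To: user@recipient.example\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("spam-like", SPAM_LIKE), ("wrong rcpt", WRONG_RCPT),
                      ("list mail", LIST_MAIL)]:
        print(name, triplet_matches(raw))
```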