spamassassin-users January 2011 archive
Main Archive Page > Month Archives  > spamassassin-users archives
spamassassin-users: Re: SARE and RulesDuJour still relevant

Re: SARE and RulesDuJour still relevant

From: Ned Slider <ned_at_nospam>
Date: Fri Jan 14 2011 - 23:09:29 GMT

On 14/01/11 21:04, Warren Togami Jr. wrote:
> Anyone else have effective local rules? Please let me know and I'll put
> them into the nightly masscheck for testing.
> Warren

header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User

Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER

header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User

The above are particularly effective (here) against 419 / bank phish
type emails sent from compromised webmail accounts. Hit rate is not
great, but the FP count is near zero.