spamassassin-users January 2011 archive
Main Archive Page > Month Archives  > spamassassin-users archives
spamassassin-users: Re: SARE and RulesDuJour still relevant

Re: SARE and RulesDuJour still relevant

From: Ned Slider <ned_at_nospam>
Date: Fri Jan 14 2011 - 23:09:29 GMT
To: users@spamassassin.apache.org

On 14/01/11 21:04, Warren Togami Jr. wrote:
>
> Anyone else have effective local rules? Please let me know and I'll put
> them into the nightly masscheck for testing.
>
> Warren
>

header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User

Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER
rule:

header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User

The above are particularly effective (here) against 419 / bank phish
type emails sent from compromised webmail accounts. Hit rate is not
great, but the FP count is near zero.

Regards,

Ned