Posted to users@spamassassin.apache.org by Lutz Petersen <lp...@shlink.de> on 2013/10/18 16:04:45 UTC

A way to score Number of Recipients in the To: Line ?


I'm searching for a way to give some extra Score depending on the Number
of Recipients in the To: Headerline. In the last days there are
massive Spamruns that are not marked as Spam - but all of them have
a lot of Recipient Mail-Addresses in the To-Line (the last one more
than 50..). I didn't find any Rule that does this. Does anyone know
a solution?

Lutz Petersen



Re: A way to score Number of Recipients in the To: Line ?

Posted by John Hardin <jh...@impsec.org>.
On Fri, 18 Oct 2013, Kevin A. McGrail wrote:

> On 10/18/2013 10:04 AM, Lutz Petersen wrote:
>>
>>  I'm searching for a way to give some extra Score depending on the Number
>>  of Recipients in the To: Headerline. In the last days there are
>>  massive Spamruns that are not marked as Spam - but all of them have
>>  a lot of Recipient Mail-Addresses in the To-Line (the last one more
>>  than 50..). I didn't find any Rule that does this. Does anyone know
>>  a solution?
> 
> You might need to write a rule for multiple separators on the To: line or 
> something tricky like that.

There are already subrules for this (__TO_TOO_MANY and __TO_WAY_TOO_MANY) 
in my sandbox.

http://ruleqa.spamassassin.org/?daterev=20131017-r1533008-n&rule=%2FTOO_MANY&srcpath=jhardin

They aren't performing too well against the masscheck corpora, so I 
haven't made metas to use them, but you may be able to leverage them in 
metas for your specific traffic.

   header      __TO_TOO_MANY          To =~ /(?:,[^,]{1,90}){30}/
   header      __CC_TOO_MANY          Cc =~ /(?:,[^,]{1,90}){30}/
   header      __TO_WAY_TOO_MANY      ToCc =~ /(?:,[^,]{1,90}){50}/


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   You do not examine legislation in the light of the benefits it
   will convey if properly administered, but in the light of the
   wrongs it would do and the harms it would cause if improperly
   administered.                                  -- Lyndon B. Johnson
-----------------------------------------------------------------------
  505 days since the first successful private support mission to ISS (SpaceX)
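
An added test harness, not part of John Hardin's post or of the SpamAssassin project: it runs the three quoted patterns in Python over constructed headers to show that they count commas rather than parsed addresses, so display names containing a comma hit the rule at far fewer real recipients. The helper names and example.com addresses are made up, and joining To and Cc with ", " to model ToCc is an assumption.

```python
import re
from email.utils import getaddresses

# Patterns copied verbatim from the three subrules quoted in the post.
TO_TOO_MANY = re.compile(r"(?:,[^,]{1,90}){30}")
CC_TOO_MANY = re.compile(r"(?:,[^,]{1,90}){30}")
TO_WAY_TOO_MANY = re.compile(r"(?:,[^,]{1,90}){50}")


def plain_list(n, local="user"):
    """Constructed header value: n bare addresses at example.com."""
    return ", ".join(f"{local}{i}@example.com" for i in range(n))


def quoted_list(n):
    """Constructed header value: n recipients whose display name has a comma."""
    return ", ".join(f'"Doe, J{i}" <j{i}@example.com>' for i in range(n))


def evaluate(to_value, cc_value=""):
    """Report which subrules would hit and how many addresses really parse."""
    present = [v for v in (to_value, cc_value) if v]
    # Assumption: ToCc is modelled as the To and Cc values joined with ", ".
    tocc = ", ".join(present)
    parsed = [addr for _name, addr in getaddresses(present) if addr]
    return {
        "__TO_TOO_MANY": bool(TO_TOO_MANY.search(to_value)),
        "__CC_TOO_MANY": bool(CC_TOO_MANY.search(cc_value)),
        "__TO_WAY_TOO_MANY": bool(TO_WAY_TOO_MANY.search(tocc)),
        "parsed_recipients": len(parsed),
    }


if __name__ == "__main__":
    cases = {
        "30 in To": (plain_list(30), ""),
        "31 in To": (plain_list(31), ""),
        "26 in To + 25 in Cc": (plain_list(26), plain_list(25, "cc")),
        "16 quoted 'Doe, J' names": (quoted_list(16), ""),
    }
    for label, (to_value, cc_value) in cases.items():
        print(label, evaluate(to_value, cc_value))
```

The quoted-name case is the one to check against local ham before a meta built on these subrules is given a score.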

Re: A way to score Number of Recipients in the To: Line ?

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 10/18/2013 10:04 AM, Lutz Petersen wrote:
>
> I'm searching for a way to give some extra Score depending on the Number
> of Recipients in the To: Headerline. In the last days there are
> massive Spamruns that are not marked as Spam - but all of them have
> a lot of Recipient Mail-Addresses in the To-Line (the last one more
> than 50..). I didn't find any Rule that does this. Does anyone know
> a solution?
>
> Lutz Petersen
I don't believe you will find that to be an accurate indicator of SPAM 
unless you have a meta rule in mind.  Spam and Ham both use multiple 
recipients all the time so this is a waste of time in my off the cuff 
opinion but I don't want to disparage you if you are certain you can use 
it to identify the spam.

So with that said there is a multiple test flag that might work.  I 
believe it might be for more than one To: Header more so than an email 
with a To: Bob,Dave,Steve,Etc.

You might need to write a rule for multiple separators on the To: line 
or something tricky like that.

Regards,
KAM

Re: A way to score Number of Recipients in the To: Line ?

Posted by Axb <ax...@gmail.com>.
On 10/18/2013 04:04 PM, Lutz Petersen wrote:
>
>
> I'm searching for a way to give some extra Score depending on the Number
> of Recipients in the To: Headerline. In the last days there are
> massive Spamruns that are not marked as Spam - but all of them have
> a lot of Recipient Mail-Addresses in the To-Line (the last one more
> than 50..). I didn't find any Rule that does this. Does anyone know
> a solution?
>
> Lutz Petersen
>
>
tflags multiple is what you're looking for.

As a pointer, there should be similar rules using that in the rules dir.
If not there, look in SVN's sandbox dirs.