Posted to users@spamassassin.apache.org by wvpTV <re...@wvptv.co.uk> on 2010/10/14 16:01:31 UTC
Checking FROM FIELD for Keywords
We've seen a recent explosion in spam that SpamAssassin does not flag, it
seems mainly because the FROM (sender) field is being used for subject
content, eg: VIAGRA, PORN etc etc
Can anyone tell me how far off a standard filter update might be to carry
out checks on the FROM field?
Thanks.
--
View this message in context: http://old.nabble.com/Checking-FROM-FIELD-for-Keywords-tp29962674p29962674.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Checking FROM FIELD for Keywords
Posted by John Hardin <jh...@impsec.org>.
On Thu, 14 Oct 2010, John Hardin wrote:
> On Thu, 14 Oct 2010, wvpTV wrote:
>
>> We've seen a recent explosion in spam that SpamAssassin does not flag,
>> it seems mainly because the FROM (sender) field is being used for
>> subject content, eg: VIAGRA, PORN etc etc
>>
>> Can anyone tell me how far off a standard filter update might be to
>> carry out checks on the FROM field?
>
> There is a FROM_IN_TO_AND_SUBJ rule in my sandbox that is performing
> well in masschecks.
Argh. I totally misinterpreted what you're asking. Sorry for the noise!
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our government wants to do everything it can "for the children,"
except sparing them crushing tax burdens.
-----------------------------------------------------------------------
64 days until TRON Legacy
Re: Checking FROM FIELD for Keywords
Posted by John Hardin <jh...@impsec.org>.
On Thu, 14 Oct 2010, wvpTV wrote:
> We've seen a recent explosion in spam that SpamAssassin does not flag,
> it seems mainly because the FROM (sender) field is being used for
> subject content, eg: VIAGRA, PORN etc etc
>
> Can anyone tell me how far off a standard filter update might be to
> carry out checks on the FROM field?
There is a FROM_IN_TO_AND_SUBJ rule in my sandbox that is performing well
in masschecks. I believe it's in the current sa-update.
http://ruleqa.spamassassin.org/20101013-r1022028-n/FROM_IN_TO_AND_SUBJ/detail?srcpath=jhardin
You might want to check your scores, though; it hasn't been around long
enough to go through a net masscheck so some of the scores are still
unset.
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/scores/72_scores.cf?view=markup
If this rule isn't appropriate, could you post a spample to pastebin so I
can get a look at the headers?
Thanks!
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
People seem to have this obsession with objects and tools as being
dangerous in and of themselves, as though a weapon will act of its
own accord to cause harm. A weapon is just a force multiplier. It's
*humans* that are (or are not) dangerous.
-----------------------------------------------------------------------
64 days until TRON Legacy
Re: Checking FROM FIELD for Keywords
Posted by wvpTV <re...@wvptv.co.uk>.
Jared Hall-2 wrote:
>
> Use the From:name check. Example:
>
> header BAD_NAME From:name =~ /(Penny Auctions|\bFree\b|\bCialis\b|\bViagra)/i
> score BAD_NAME 5.0
>
>
Thanks Jared
Re: Checking FROM FIELD for Keywords
Posted by Jared Hall <jh...@tbi.net>.
Use the From:name check. Example:
header BAD_NAME From:name =~ /(Penny Auctions|\bFree\b|\bCialis\b|\bViagra)/i
score BAD_NAME 5.0
Use caution, as always. Mind your regexes. For instance, in this example,
heaven forbid a user named Joe Viagraola sends an Email, blah, blah, blah.
Regards,
Jared Hall
General Telecom, LLC.
wvpTV wrote:
> We've seen a recent explosion in spam that SpamAssassin does not flag, it
> seems mainly because the FROM (sender) field is being used for subject
> content, eg: VIAGRA, PORN etc etc
>
> Can anyone tell me how far off a standard filter update might be to carry
> out checks on the FROM field?
>
> Thanks.
>
>
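
The false-positive risk raised in the reply above, as an added example that is not part of the original thread or of SpamAssassin: a Python sketch that approximates From:name with the display name returned by email.utils.parseaddr and compares the posted pattern with a variant that closes the last alternative with \b. The sample headers are constructed, and TIGHT, display_name and evaluate are assumed names.

```python
import re
from email.utils import parseaddr

# Pattern as posted in the thread, joined onto one line.
POSTED = re.compile(r"(Penny Auctions|\bFree\b|\bCialis\b|\bViagra)", re.I)
# Assumed variant (not from the thread): trailing \b on the last alternative.
TIGHT = re.compile(r"(Penny Auctions|\bFree\b|\bCialis\b|\bViagra\b)", re.I)

# Constructed From header values: (header, is_spam)
SAMPLES = [
    ('"VIAGRA 80% OFF" <a1@example.net>', True),
    ('Penny Auctions <deals@example.org>', True),
    ('"Joe Viagraola" <joe@example.com>', False),
    ('"Alice Freeman" <alice@example.com>', False),
    ('viagra@example.com', False),  # keyword only in the address, no name
    ('"Free Software Foundation" <info@example.org>', False),
]

def display_name(from_header):
    """Approximate From:name: return only the display-name part."""
    name, _addr = parseaddr(from_header)
    return name

def evaluate(pattern):
    """Return (hits, false_positives) as lists of header values."""
    hits, false_positives = [], []
    for header, is_spam in SAMPLES:
        if pattern.search(display_name(header)):
            hits.append(header)
            if not is_spam:
                false_positives.append(header)
    return hits, false_positives

if __name__ == "__main__":
    for label, pattern in (("posted", POSTED), ("tight", TIGHT)):
        hits, fps = evaluate(pattern)
        print(f"{label}: {len(hits)} hits, false positives: {fps}")
```

The constructed "Free Software Foundation" sender still matches the tightened pattern, so word boundaries alone do not remove false positives for common words.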