Hosting Provided By

Re: How to stop these?

From: Robert Fitzpatrick <lists(at)webtent.net>
Date: Fri Aug 24 2007 - 12:28:58 EDT

On Fri, 2007-08-24 at 06:48 -0700, John D. Hardin wrote:
> On Fri, 24 Aug 2007, Robert Fitzpatrick wrote:
>
> > Anyone seen these, first reported to us today, but a lot...can
> > they be stopped. Bayes even gives negative score...we are running
> > SA 3.2.1 with SARE rules, Botnet, KAM, chickenpox...
> >
> > http://esmtp.webtent.net/mail1.txt
>
> Hrm. About the only useful thing I can see is the number of
> recipients. You might want to add a point for more than ten or so
> addresses in the TO: header. I posted some rules for that a few days
> ago.

Thanks for the ideas, I found your rules, but don't seem to fire on my message after updating to 15...

(?:,[^,]{1,80}){15}

I'm new to my own rules. I know regex's in Perl, SQL, etc. And actually it seems that yours is one off, where there were 15 recipients in my message, it started matching at 14, not 15. Using the above, the first address is not being picked up...thanks gain.

-- 
Robert

Received on Fri Aug 24 12:30:07 2007

This message: [ Message body ]
Next message: hamann.w(at)t-online.de: "Re: non-phish corpus?"
Previous message: Kracht, Tim: "Ipower Webhostig with Spamassasin"
In reply to: John D. Hardin: "Re: How to stop these?"
Next in thread: bgodette(at)idcomm.com: "Re: How to stop these?"
Reply: bgodette(at)idcomm.com: "Re: How to stop these?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Thu Oct 25 2007 - 01:35:55 EDT