Re: Phishing rules?
On Sun, 2008-11-02 at 22:36 -0500, Micah Anderson wrote:[color=blue]
> Joseph Brennan <firstname.lastname@example.org> writes:
> >> Reply-to: [email]email@example.com[/email][/color]
> > First pass:
> > header LOCAL_REPLYTO_LIVE Reply-to =~ /\@live\.com/
> > score LOCAL_REPLYTO_LIVE 8.0
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.[/color]
> Is live.com a legitimate email sender? It looks microsoft related. If I
> set it to 8, then any mail from that address is surely to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.
The latest pharmacy scam to get through my filters has a URI that
in its body but the From: header identifies a completely unrelated
address. Would a rule that tags messages with this From and URI combo be
useful or would it generate too many FPs?