On Sun, 2008-11-02 at 22:36 -0500, Micah Anderson wrote:
> Joseph Brennan writes:
>
> >> Reply-to: s.team43@live.com

> >
> >
> > First pass:
> >
> > header LOCAL_REPLYTO_LIVE Reply-to =~ /\@live\.com/
> > score LOCAL_REPLYTO_LIVE 8.0
> >
> > Maybe scoring 8.0 for one thing scares you, but I haven't seen this
> > fp in a couple of months.

>
> Is live.com a legitimate email sender? It looks microsoft related. If I
> set it to 8, then any mail from that address is surely to get caught as
> spam, which may not be the right thing depending on other potential
> legitimate addresses sending from that domain.
>

The latest pharmacy scam to get through my filters has a URI that
matches:

^http:.*\.spaces\.live\.com\/$

in its body but the From: header identifies a completely unrelated
address. Would a rule that tags messages with this From and URI combo be
useful or would it generate too many FPs?


Martin