Mailing List Archive

ToCc solved
It appears that if you use the "ToCc" header, it does not make the
real name part available. You have to just use "To:". I now have my
rule working. If anyone is interested, this rule will:

1. Look for To fields of the format "Real Name" <user@mydomain.com>
2. Look for To fields of the above format where the first four
characters are the same as the first four characters of the email address.
3. Look for To fields of the format "Last Name, First Name"
<user@mydomain.com> where the first four characters of the first name
are the same as the first four characters of the email address.
AND:
a) For a To: field where 1) is true but neither of 2) or 3) is true,
score it +0.75 OR
b) For a To: field where 1) is true and either of 2) or 3) is true,
score it -0.25.

This should help with spam that arrives with To: fields like: "Shelly
Sexbot" <yourname@yourdomain.com>.
Any comments? This is my first SA rule. Hope it helps someone.

Kevin


# Each rule must sit on a single line in the SpamAssassin config.
# 1) To: has the form "Real Name" <user@mydomain.com>
header __LOCAL_FAKE_TO_NAME1 To =~ /^.*".*"\s+<\S+\@mydomain\.com>\s*$/i
# 2) First four characters of the real name match the start of the address
header __LOCAL_FAKE_TO_NAME2 To =~ /^.*"\s*(\S{4})[^,]*"\s+<\1\S*\@mydomain\.com>\s*$/i
# 3) "Last Name, First Name": first four characters of the first name match
header __LOCAL_FAKE_TO_NAME3 To =~ /^.*".*,\s*(\S{4}).*"\s+<\1\S*\@mydomain\.com>\s*$/i

meta LOCAL_FAKE_TO_NAME (__LOCAL_FAKE_TO_NAME1 && !(__LOCAL_FAKE_TO_NAME2 || __LOCAL_FAKE_TO_NAME3))
describe LOCAL_FAKE_TO_NAME TO: Addressed to a faked real name.
score LOCAL_FAKE_TO_NAME 0.75

meta LOCAL_REAL_TO_NAME (__LOCAL_FAKE_TO_NAME1 && (__LOCAL_FAKE_TO_NAME2 || __LOCAL_FAKE_TO_NAME3))
describe LOCAL_REAL_TO_NAME TO: Addressed to a real name.
score LOCAL_REAL_TO_NAME -0.25
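
A quick way to check rules like these before deploying them is to run the same three patterns over sample To: headers. The harness below is an added example, not part of Kevin's post: it assumes Python's re module as a stand-in for SpamAssassin's Perl regexes, the classify() helper is hypothetical, and the sample headers are constructed, including a legitimate name with a first name shorter than four characters, which the rule scores as faked.

```python
import re

# The three sub-rule patterns from the post, transcribed for Python's re module.
# Assumption: Python's engine stands in for SpamAssassin's Perl regexes; the
# patterns use only syntax both share. "@" needs no escaping in Python.
NAME1 = re.compile(r'^.*".*"\s+<\S+@mydomain\.com>\s*$', re.I)
NAME2 = re.compile(r'^.*"\s*(\S{4})[^,]*"\s+<\1\S*@mydomain\.com>\s*$', re.I)
NAME3 = re.compile(r'^.*".*,\s*(\S{4}).*"\s+<\1\S*@mydomain\.com>\s*$', re.I)


def classify(to_header):
    """Return (rule, score) as the two meta rules would, or (None, 0.0)."""
    if not NAME1.search(to_header):
        # No quoted real name in front of a mydomain.com address: no rule fires.
        return (None, 0.0)
    if NAME2.search(to_header) or NAME3.search(to_header):
        return ("LOCAL_REAL_TO_NAME", -0.25)
    return ("LOCAL_FAKE_TO_NAME", 0.75)


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"Shelly Sexbot" <kevin@mydomain.com>',  # name unrelated to the address
    '"Kevin Smith" <kevin@mydomain.com>',    # matches sub-rule 2
    '"Smith, Kevin" <kevin@mydomain.com>',   # matches sub-rule 3
    'kevin@mydomain.com',                    # bare address, no real name
    '"Kevin Smith" <kevin@example.org>',     # other domain, out of scope
    '"Al Jones" <al@mydomain.com>',          # first name under four characters
]


def run_samples():
    """Map every sample header to the rule and score it would receive."""
    return {header: classify(header) for header in SAMPLES}


if __name__ == "__main__":
    for header, (rule, score) in run_samples().items():
        print(f"{score:+.2f}  {rule or '-':<20} {header}")
```

Names that do not share their first four characters with the address (short first names, initial-plus-surname addresses) land in LOCAL_FAKE_TO_NAME, so check your own users' address format before raising the score.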