I've been getting a lot of spam lately from many domains (too many to blacklist) where the sender name follows this pattern: Name S. so the name followed by a white space, then by a single letter and finally a point. I was wondering if I could implement this in Spamassassin. With that in mind, here are my questions:
Which part of the header contains the sender name? I'm guessing the from header, but then postfix only shows me Email adresses in the logs so I'm a little confused there.
Assuming the answer to 1. is yes, is this a correct Spamassassin rule / correct regexp for what I want to achieve:
header NAME_SPACE_LETTER_POINT=~/((?:[a-z][a-z]+))(\s+)([a-z])(\.)/
score NAME_SPACE_LETTER_POINT 5.0
Thanks in advance for any suggestions / answers to these questions!
Syntax is almost right. It should be:
header NAME_SPACE_LETTER_POINT From =~ /((?:[a-z][a-z]+))(\s+)([a-z])(\.)/
Also the regex is wrong as they're case sensitive by default so it needs the i option added on the end. It also seems to have way too many brackets so I've trimmed them down a bit.
/([a-z][a-z]+\s+[a-z]\.)/i
It probably needs further restricting as it'll match "Name S." at any point in the From field, so would match the perfectly valid name "Samuel L. Jackson", for example.
I think the 3rd part of your question is a bit subjective. Personally I wouldn't give this particular rule a very high score as even if you did further restrict the regex, it still might hit some false positives. If the rule were targeting specific words/phrases that always are spam, then sure, giving it such a high score as to always mark them as spam is fine in my opinion.