Identical To and From addresses

Quarantine with only 1 To recipient and the From and To are identical


Purpose:

If there is only a single To recipient, check to see if it is identical to the From address.

Action:

Quarantine if there is a single To recipient and it is the same as the address found in the From field.

Default state:

Enabled

False Positive:

This rule is highly accurate, but there is a small chance of a false positive. That happens when the sender genuinely sends the message to him/herself, and the intended recipient on your LAN is only a blind-carbon-copy recipient. Fortunately this is a rather odd way of sending a legitimate message, but it is one that many spammers use as a convenience.

Other notes:

Many spam messages have been observed to have the same address (ignoring descriptive text for the full name) on the "To" and "From" lines. Thus the intended recipient shows up only as an address in the RFC-821 RCPT TO command, which effectively makes the person receiving the message a blind carbon copy recipient.

This situation arises primarily because the spammers are too lazy to create a separately addressed message for each spam victim. Upon recognizing this condition, Praetor rejects the message and ends subsequent testing.

See sample below.


Sample:

Received: from flashmail.com by www.textiles.org.tw
    via SMTP (940816.SGI.8.6.9/940406.SGI.AUTO)
  id TAA08399; Tue, 12 Jan 1999 19:48:30 +0800
From: freedomnow@newmail.net
Message-Id: <199901121148.TAA08399@www.textiles.org.tw>
Date: 1/11/99 11:28:24 AM Pacific Daylight Time
Reply-To: freedomnow@newmail.net
To: freedomnow@newmail.net
Subject: $$$$$ MONEY $$$$$

  *** $100,000+ FIRST YEAR INCOME ***
  :
  :
  :
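The check described above, applied to the sample headers, written in Python as an added illustration (not Praetor's own code). The messages are constructed from the sample with the body truncated; the display-name and two-recipient variants are constructed to show a match that ignores descriptive text and a non-match with more than one To recipient.

```python
import email
from email.utils import getaddresses


def build_message(from_hdr, to_hdr):
    """Constructed headers modelled on the page's sample; body truncated."""
    return (f"From: {from_hdr}\nReply-To: freedomnow@newmail.net\nTo: {to_hdr}\n"
            "Subject: $$$$$ MONEY $$$$$\n\n  *** $100,000+ FIRST YEAR INCOME ***\n")


SAMPLE = build_message("freedomnow@newmail.net", "freedomnow@newmail.net")
# Display name on From: still the same address once descriptive text is dropped.
WITH_DISPLAY_NAME = build_message('"Free Dom" <FreedomNow@newmail.net>',
                                  "freedomnow@newmail.net")
# Two To recipients: not a single recipient, so the rule must not fire.
TWO_RECIPIENTS = build_message("freedomnow@newmail.net",
                               "freedomnow@newmail.net, victim@example.com")


def bare_addresses(msg, header):
    """Lower-cased addr-specs from every instance of a header, display names dropped."""
    return [addr.lower() for _name, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_self_addressed(raw):
    """True when the message has exactly one To recipient and it equals the From address.

    For such spam the real recipient appears only in the SMTP RCPT TO command,
    so judged by the headers alone the local user is a blind-carbon-copy recipient.
    """
    msg = email.message_from_string(raw)
    to_addrs = bare_addresses(msg, "To")
    from_addrs = bare_addresses(msg, "From")
    if len(to_addrs) != 1 or len(from_addrs) != 1:
        return False
    return to_addrs[0] == from_addrs[0]


def verdict(raw):
    """Rule outcome: 'quarantine' when the check fires, otherwise 'pass'."""
    return "quarantine" if is_self_addressed(raw) else "pass"


if __name__ == "__main__":
    for label, raw in [("sample", SAMPLE), ("display name", WITH_DISPLAY_NAME),
                       ("two recipients", TWO_RECIPIENTS)]:
        print(f"{label}: {verdict(raw)}")
```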

