We need to figure out why that rule isn't hitting your spam. When you look at the headers, what is the SA score on those that are getting through? If you see that it's not hitting for some reason, something is wrong with the set up. If you see it is hitting, then you might have a higher spam score requirement then what we are assigning in that rule. Sometimes I will write several rules, just to make sure that legit mail can still sneak past.
It's probably because of my custom set up, however, that mine are getting blocked. I have an extensively trained Bayesian database, plus I raise some rules scores as well - giving that little extra push for these annoying messages. Right now the "(name) wrote:" spam is hitting these rules for our servers:
3.50 BAYES_99 Bayesian spam probability is 99 to 100%
2.86 FROM_LOCAL_NOVOWEL From: localpart has series of non-vowel letters
4.50 NAMEWROTE
1.00 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
2.40 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
1.00 RAZOR2_CHECK Listed in Razor2 (
http://razor.sf.net/)
So the only "wrote:" spam rule I have is this:
Code:
## (NAME) WROTE:
header NAMEWROTE Subject =~ /.*wrote\:/i
score NAMEWROTE 4.500
You could also add another like so:
Code:
## (NAME) WROTE2:
header NAMEWROTE2 Subject =~ /.*wrote/i
score NAMEWROTE2 2.200
This way if the "wrote:" (with the colon) is there, it hits both and ups the score. If someone puts in their legit mail subject "I wrote to you yesterday!" it will only hit the smaller score and lessen the chance for a false positive. But for those that it is not hitting, check your High Spam Score on those email accounts that these are slipping past. If you have a high spam score of 12 needed, and the spam is hitting a score of 9 only, they will come through. Use the tools you have (bayesian database, DCC, Razor, etc) to get your system to the point that these will be blocked. Hope this helps...