Based on the header you provided the following should work fine unless you have another variation?
HEADERS 0 PCRE (?im:X-GBUdb-Analysis.+Source New)

David Barker
Mail’s Best Friend
Email : [email protected]
Web : www.mailsbestfriend.com
Office : 866.919.2075

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 6:39 PM
To: [email protected]
Subject: [MBF] Re: Gauntlet addition suggestion

Here are the lines added by SNIFFER:

X-MessageSniffer-Identifier: C:\Interceptor\Alligate\spool\proc\work\002343458.dta
X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-2087-c

The email in question is indeed SPAM and/or malicious, with the body being a http link to a website.

-----Original Message-----
From: "David Barker" <[email protected]>
Sent: Wednesday, August 12, 2015 2:01pm
To: [email protected]
Subject: [MBF] Re: Gauntlet addition suggestion

If SNF has already triggered and scored the message there is no real reason to move it to the GAUNTLET as it has already been identified, however you could use a filter as you suggest below. Can you provide an actual line from a header line you want to trigger on so I can validate the PCRE ?

David Barker
Mail’s Best Friend
Email : [email protected]
Web : www.mailsbestfriend.com
Office : 866.919.2075

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 4:33 PM
To: [email protected]
Subject: [MBF] Gauntlet addition suggestion

With SNIFFER running before GAUNTLET, I had an idea of using X-GBudb-Analysis line with "Source New" as a catch for GAUNTLET. Any thoughts? What would the line in the GAUNTLET file be for that?

HEADERS 0 PCRE (?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))

John T
eServices For You

#############################################################
This message is sent to you because you are subscribed to the mailing list <[email protected]>.
To unsubscribe, E-mail to: <[email protected]>
To switch to the DIGEST mode, E-mail to <[email protected]>
To switch to the INDEX mode, E-mail to <[email protected]>
Send administrative queries to <[email protected]>
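The two rule bodies from this thread can be checked offline before they go into the GAUNTLET file. The following is an added example, not code from the list, from Gauntlet or from SNF: it runs David's working pattern and John's first attempt through Python's re module against a header block built from the lines John posted. The "Source Known" message, the split-header message, the `X-Constructed-Note` header and the 192.0.2.10 address are constructed for the test; Python's re and PCRE agree on the `(?im:...)` inline-flag syntax used here, but for the final word the rule still has to be tested in Gauntlet itself.

```python
import re

# Header block as quoted in the thread (backslashes in the .dta path are escaped).
SNIFFER_HEADERS_NEW = (
    "X-MessageSniffer-Identifier: C:\\Interceptor\\Alligate\\spool\\proc\\work\\002343458.dta\n"
    "X-GBUdb-Analysis: 0, 157.7.188.124, Ugly c=0 p=0 Source New\n"
    "X-MessageSniffer-Scan-Result: 0\n"
    "X-MessageSniffer-Rules: 0-0-0-2087-c\n"
)

# Constructed: a sender GBUdb already knows. The rule must stay quiet here.
SNIFFER_HEADERS_KNOWN = (
    "X-GBUdb-Analysis: 0, 192.0.2.10, Good c=12 p=0 Source Known\n"
    "X-MessageSniffer-Scan-Result: 0\n"
)

# Constructed: "Source New" on a different header line. Without the "s" flag
# "." does not cross a newline, so both tokens must sit on one header line.
SPLIT_HEADERS = (
    "X-GBUdb-Analysis: 0, 192.0.2.10, Good c=12 p=0\n"
    "X-Constructed-Note: Source New\n"
)

# Rule body David posted as the working version.
WORKING_PCRE = r"(?im:X-GBUdb-Analysis.+Source New)"

# John's first attempt: "(?i(" is not a valid flag group (it needs "(?i:" or
# "(?i)"), and the character class has no quantifier, so it would match a
# single character between the colon and "Source New".
FIRST_ATTEMPT = r"(?i(X-GBUdb-Analysis:[a-z0-9-_ =,]Source New))"


def compiles(pattern: str) -> bool:
    """True if the regex engine accepts the pattern at all."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def rule_matches(pattern: str, headers: str) -> bool:
    """Apply a HEADERS ... PCRE rule body to a raw header block."""
    return re.search(pattern, headers) is not None


def matched_line(pattern: str, headers: str):
    """Return the full header line the rule fired on, or None; handy when tuning."""
    m = re.search(pattern, headers)
    if m is None:
        return None
    start = headers.rfind("\n", 0, m.start()) + 1
    end = headers.find("\n", m.end())
    return headers[start:end if end != -1 else len(headers)]


if __name__ == "__main__":
    print("first attempt compiles:", compiles(FIRST_ATTEMPT))
    print("working pattern compiles:", compiles(WORKING_PCRE))
    for name, block in (("new", SNIFFER_HEADERS_NEW),
                        ("known", SNIFFER_HEADERS_KNOWN),
                        ("split", SPLIT_HEADERS)):
        print(name, "->", matched_line(WORKING_PCRE, block))
```

The split-header case is the one worth keeping in mind: because `.+` stops at the end of a line, the rule only fires when `Source New` is part of the X-GBUdb-Analysis header itself, which is the behaviour you want. If the header name ever appears inside another header's value, anchoring the body as `(?im:^X-GBUdb-Analysis:.+Source New)` keeps the match on the header the `m` flag was added for.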
