I had a recent FP message that hit both the SPOOF_COM2OTH and SPOOF_COM2COM rules. I don't think COM2OTH is appropriate:

Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2OTH ======> got hit: "http://www<DOT>MUNGED<DOT>com<DOT>temp.<DOT>livebooks."
Jun 6 13:55:49.469 [26386] dbg: rules: ran uri rule SPOOF_COM2COM ======> got hit: "http://www<DOT>MUNGED<DOT>com<DOT>temp<DOT>livebooks<DOT>com"

A scan of the message shows that these two rules are hitting the same line. A quick check of my logs shows 100% overlap in one direction:

[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -vc SPOOF_COM2COM
0
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2OTH /var/log/mail/info.log | grep -c SPOOF_COM2COM
26
[mcdonalddj@sa ~]$ sudo grep SPOOF_COM2COM /var/log/mail/info.log | grep -vc SPOOF_COM2OTH
13

I'll be disabling SPOOF_COM2OTH for now, but thought someone might want to look into it. I also see a single exception of s3.amazonaws.com from the rule. I might add livebooks to that list locally.

--
Daniel J McDonald, CCIE # 2495, CISSP # 78281
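To make the overlap concrete, here is an added example, not SpamAssassin's own rule code: hypothetical regexes for a loose COM2OTH, a COM2COM, and a stricter COM2OTH that refuses hosts ending in .com, run over constructed sample URIs to reproduce the three grep counts from the post. The rule patterns, the whitelist handling and the sample URIs are all assumptions made here.

```python
import re
# Hypothetical stand-ins for the two URI rules in the post, NOT SpamAssassin's
# own regexes.  They reproduce the overlap the log shows: a ".com." buried in
# a hostname that carries on with more labels.
HOST_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/:?#]+)', re.I)
# Loose COM2OTH: ".com." plus further labels, but never looks at the real TLD,
# so it also fires on every host that ends in ".com" (the 100% overlap).
LOOSE_COM2OTH = re.compile(r'\.com\.[a-z0-9.-]+\.', re.I)
# COM2COM: embedded ".com." and the host really ends in ".com".
COM2COM = re.compile(r'\.com\.[a-z0-9.-]+\.com$', re.I)
# Strict COM2OTH: embedded ".com." but the last label must not be "com".
STRICT_COM2OTH = re.compile(r'\.com\.[a-z0-9.-]*\.(?!com$)[a-z]{2,}$', re.I)
# Exception list; the post mentions s3.amazonaws.com, and livebooks.com could
# be added locally the same way.
WHITELIST = ('s3.amazonaws.com',)

def classify(uri, strict=False):
    """Return the set of rule names the URI's hostname would hit."""
    m = HOST_RE.match(uri)
    host = m.group(1).lower() if m else ''
    if any(host == w or host.endswith('.' + w) for w in WHITELIST):
        return set()
    hits = set()
    if COM2COM.search(host):
        hits.add('SPOOF_COM2COM')
    if (STRICT_COM2OTH if strict else LOOSE_COM2OTH).search(host):
        hits.add('SPOOF_COM2OTH')
    return hits

def overlap(uris, strict=False):
    """Mirror the three grep counts from the post: COM2OTH without COM2COM,
    both rules, COM2COM without COM2OTH."""
    counts = {'oth_only': 0, 'both': 0, 'com_only': 0}
    for uri in uris:
        hits = classify(uri, strict)
        if len(hits) == 2:
            counts['both'] += 1
        elif hits == {'SPOOF_COM2OTH'}:
            counts['oth_only'] += 1
        elif hits == {'SPOOF_COM2COM'}:
            counts['com_only'] += 1
    return counts

SAMPLE_URIS = [  # constructed sample URIs, not taken from the post
    'http://www.example.com.temp.livebooks.com/gallery',
    'http://www.example.com.temp.livebooks.net/gallery',
    'http://www.example.com/',
    'http://bucket.example.com.s3.amazonaws.com/file',
]
```

With the loose pattern every COM2COM hit in the sample is also a COM2OTH hit; with the strict pattern the two sets are disjoint.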