Yasou NiKo,
There are a few things that might be going on here. What is the average score
of the ham e-mails that you are getting through. The reason I’m asking is can
you possibly bring down your required=5.5 score? Every installation is
different but our required= score is set to 3.6 and
> The "[..]" construct is called a character class, and contains a set of
> characters or character ranges that should match a single character in the
> source. So "[0-9a-f]" matches a single character that is either a digit 0-9
> or a letter a-f (those example addresses looked suspiciously
There is a small chance of false positives, i.e. you are catching *all* email
addresses beginning with airecom612. You could be a bit more specific and
require a hexadecimal string of at least 16 characters also:
header SPAM11OctF1 From:addr ~=
> Appending the modifier “:addr” to a header name will remove everything from
> that header except the first email address. If you are using an anchored
> regexp on the email address, then the From:addr test should work, i.e.
>
>
>
> header SPAM11OctF1 From:addr ~=
>
On Fri, Oct 14, 2016 at 2:21 AM, Tom Hendrikx wrote:
>
>
>
> On 13-10-16 10:12, Indunil Jayasooriya wrote:
>>>
>>> You should probably also match only the address, not the full From line,
>>> especially when you're anchoring:
>>
>>
>> what's the difference between From and
Put this in your local.cf
score BAYES_996.0
Personally I think 6.0 is a bit high. There is significant risk of false
positive if one single rule can give enough points to block the message.
Are you using network tests (RBL blocklists, etc.)? These are usually very
effective.
Appending the modifier “:addr” to a header name will remove everything from
that header except the first email address. If you are using an anchored regexp
on the email address, then the From:addr test should work, i.e.
header SPAM11OctF1 From:addr ~=