Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
> Hi all,
> I am new to the list and want to thank you in advance if you help me on this.
>
> I am creating the following rule:
>
> header VIRUS_DHL1 FROM =~ /dhl-usa.com/i
> header VIRUS_DHL2 ALL =~ /text inside the email to check for/i
> meta VIRUS_DHLTOTAL (VIRUS_DHL1 && VI

Re: Help with constructing a rule for MCP

2011-11-19 Thread John Hardin
On Sat, 19 Nov 2011, Sergio wrote:

> I am new to the list and want to thank you in advance if you help me on this.
>
> I am creating the following rule:
>
> header VIRUS_DHL1 FROM =~ /dhl-usa.com/i
> header VIRUS_DHL2 ALL =~ /text inside the email to check for/i
> meta VIRUS_DHLTOTAL (

Re: Help with constructing a rule for MCP

2011-11-19 Thread RW
On Sat, 19 Nov 2011 05:42:43 -0600 Sergio wrote:
> header VIRUS_DHL2 ALL =~ /text inside the email to check for/i

This looks for the text in all of the headers. If you meant to look in the body, then you want:

body VIRUS_DHL2 /text inside the email to check for/i

You should also consider

Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
RW,

Now I understand why it gave 1 point when I declared 11 on the score, lol. I was trying to follow the SpamAssassin tutorial and saw the example; it shows the two underscores but never said that they are kind of mandatory. Thanks a lot for pointing this out.

John Hardin, this is one header o

Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
I finally made my MCP rule like this:

header __VIRUS_DHL1 FROM =~ /dhl-usa.com/i
header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i
meta VIRUS_DHLTOTAL (__VIRUS_DHL1 && __VIRUS_DHL2)
describe VIRUS_DHLTOTAL Correo con virus de DHL-USA
score VIRUS_DHLTOTAL 11

Re: Help with constructing a rule for MCP

2011-11-19 Thread John Hardin
On Sat, 19 Nov 2011, Sergio wrote:

> this is one header of the emails that I received:
>
> ***
> Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90]) by MY-SERVER with smtp (Exim 4.69) (envelope-from ) id 1RQNQZ-0002Q1-QD for my-u...@dom

Re: Help with constructing a rule for MCP

2011-11-19 Thread Sergio
John, thanks a lot for your suggestions, I will apply them in my rule, thanks!

Just a little bit more information about these emails, here is another header where I got the CommuniGate Pro SMTP 5.2.3:

***
Received: from [81.145.136.213] (helo=dhl-usa.com) by MY SER

Re: Help with constructing a rule for MCP

2011-11-20 Thread John Hardin
On Sat, 19 Nov 2011, Sergio wrote:

> meta DHL_UPS_MISMATCH (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
> score VIRUS_DHLTOTAL 11

Fix the name on the score.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #

Re: Help with constructing a rule for MCP

2011-11-20 Thread Sergio
Thank you John, it was a typo in my email; in my server I wrote the score name the same as the meta name. The rule in my server is:

header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
header __ENV_FROM_UPS Receiv

Re: Help with constructing a rule for MCP

2011-11-21 Thread Bowie Bailey
On 11/20/2011 10:02 PM, Sergio wrote:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i

These will match any domain that starts with "dh" and ends with ".com". For example, they will match "someu...@dhalail

Re: Help with constructing a rule for MCP

2011-11-21 Thread John Hardin
On Mon, 21 Nov 2011, Bowie Bailey wrote:

> On 11/20/2011 10:02 PM, Sergio wrote:
>> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
>> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
>
> These will match any domain that starts with "dh" and ends with ".com".

You ov

Re: Help with constructing a rule for MCP

2011-11-21 Thread Bowie Bailey
On 11/21/2011 11:35 AM, John Hardin wrote:
> On Mon, 21 Nov 2011, Bowie Bailey wrote:
>
>> On 11/20/2011 10:02 PM, Sergio wrote:
>>> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl[^ .]+\.com/i
>>> header __FROM_DHL From =~ /\bdhl[^ .]+\.com/i
>> These will match any d

Fwd: Help with constructing a rule for MCP

2011-11-21 Thread Sergio
Unfortunately, it seems that MCP doesn't like the rule:

header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
header __ENV_FROM_UPS Received =~ /envelope-from [^ @]+@ups\.c

Re: Fwd: Help with constructing a rule for MCP

2011-11-21 Thread Ricardo Ardila Vetrovec
Did you try to monitor the log looking if the rule was detected?

On 21/11/2011 02:00 p.m., Sergio wrote:

> Unfortunately, it seems that MCP doesn't like the rule:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> header __FROM_DHL

Re: Fwd: Help with constructing a rule for MCP

2011-11-21 Thread Bowie Bailey
On 11/21/2011 1:30 PM, Sergio wrote:
> Unfortunately, it seems that MCP doesn't like the rule:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
> header __ENV_FROM_UP

Re: Fwd: Help with constructing a rule for MCP

2011-11-21 Thread Sergio
That was the error, the @ has to be escaped \@, now it is working.

Thank you all for your help on this rule.

Regards,

Sergio

On Mon, Nov 21, 2011 at 1:16 PM, Bowie Bailey wrote:
> On 11/21/2011 1:30 PM, Sergio wrote:
> > Unfortunately, it seems that MCP doesn't like the rule:
> >
> > header

Re: Fwd: Help with constructing a rule for MCP

2011-11-21 Thread John Hardin
On Mon, 21 Nov 2011, Sergio wrote:

> Unfortunately, it seems that MCP doesn't like the rule:
>
> header __ENV_FROM_DHL Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> header __FROM_DHL From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
> header __ENV_FROM_UPS Re