I need to drop all mail where the From: and To: contain @xyz.com I created this rule, but it's been dropping allot of legal mail.
header __FAKE_FROM_MYCOMP from =~ /(\@)(xyz)/ header __FAKE_TO_MYCOMP to =~ /(\@)(xyz)/ meta FROM_MYCOMP_TO_MYCOMP (( __FAKE_FROM_MYCOMP + __FAKE_TO_MYCOMP) > 1) score FROM_MYCOMP_TO_MYCOMP 20.0
It should be fine as-is, which suggests some minor bug in the regexes that I'm seeing, or in your conception of what should be blocked.
Have you looked at the headers of the false hits? Keep in mind that SA treats multiple headers as From and To. From will match From, Return-path, Resent-From and others. To will also match Cc.
Looking at that, was the message really from and to "mycomp"? If so, perhaps you need to ditch your rule entirely, or improve it to have a Received: header check as well.
I would suggest simplifying the meta part. If you really want to make it an "all items match" use && instead of + and >.
meta FROM_MYCOMP_TO_MYCOMP ( __FAKE_FROM_MYCOMP && __FAKE_TO_MYCOMP)
