Re: Rule Writing

[Lean Cornelius]

At 02:44 PM 8/11/2004 +0200, Lean Cornelius wrote: >I need to drop all mail where the From: and To: contain @xyz.com >I created this rule, but it's been dropping allot of legal mail. > >header __FAKE_FROM_MYCOMP           from =~ /(\@)(xyz)/ >header __FAKE_TO_MYCOMP             to =~ /(\@)(xyz)/ >meta FROM_MYCOMP_TO_MYCOMP (( __FAKE_FROM_MYCOMP + __FAKE_TO_MYCOMP) > 1) >score FROM_MYCOMP_TO_MYCOMP 20.0 >It should be fine as-is, which suggests some minor bug in the regexes that >I'm seeing, or in your conception of what should be blocked. >Have you looked at the headers of the false hits? Keep in mind that SA >treats multiple headers as From and To. From will match From, Return-path, >Resent-From and others. To will also match Cc. >Looking at that, was the message really from and to "mycomp"? If so, >perhaps you need to ditch your rule entirely, or improve it to have a >Received: header check as well. >  I would suggest simplifying the meta part. If you really want to make it >an "all items match" use && instead of + and >. >meta FROM_MYCOMP_TO_MYCOMP ( __FAKE_FROM_MYCOMP && __FAKE_TO_MYCOMP) Thanks for the advice Matt   I did not know that the to: will also match the cc: does the from: also match the cc ? That might be the reason for the mail being dropped.   All the mail that is sent internally are handled by Lotus. Lotus only send me the mail that leaves the network. So if I understand correctly.   If someone mail from the inside out (From: [EMAIL PROTECTED]) - (To: [EMAIL PROTECTED]) the rule won't drop the mail. This is correct. If someone mail from the inside out (From: [EMAIL PROTECTED]) - (To: [EMAIL PROTECTED]) - (CC: [EMAIL PROTECTED]) the rule will drop the mail. This is not what I want.   I handle all the mail from the internet to mycomp.   If someone mail from the outside in (From: [EMAIL PROTECTED]) - (To: [EMAIL PROTECTED]) the rule will drop the mail. This is correct, because I know that if a mail from the internet contain (From:[EMAIL PROTECTED]) it should be dropped. I have tried to block this in the spam.blacklist.rules file, but with no success. Is this possible? If someone mail from the outside in (From: [EMAIL PROTECTED]) - (To: [EMAIL PROTECTED]) the rule won't drop the mail. this is correct. If someone mail from the outside in (From: [EMAIL PROTECTED]) - (To: [EMAIL PROTECTED]) - (CC: [EMAIL PROTECTED]) the rule will drop the mail. This is not what I want.   So if this is correct, how can I tell SA to not match the cc ?   Once again thank for the help, I appreciate it