>header __FAKE_FROM_MYCOMP from =~ /(\@)(xyz)/
>header __FAKE_TO_MYCOMP to =~ /(\@)(xyz)/
>meta FROM_MYCOMP_TO_MYCOMP (( __FAKE_FROM_MYCOMP + __FAKE_TO_MYCOMP) > 1)
>score FROM_MYCOMP_TO_MYCOMP 20.0
>It should be fine as-is, which suggests some minor bug in the regexes that
>I'm seeing, or in your conception of what should be blocked.
>Have you looked at the headers of the false hits? Keep in mind that SA
>treats multiple headers as From and To. From will match From, Return-path,
>Resent-From and others. To will also match Cc.
I'm not positive, but I think To only matches 'to' and you use ToCc to match
both. I could be wrong though.
I would write your rules a little differently to try to be more specific in
what I was checking, but I don't really see an obvious problem with them as
they are. As other people have suggested, running the rules on a test mail
to see what hits would be the thing to do.
I'd adjust your rules to something like:
header __FAKE_FROM_MYCOMP From =~ /[EMAIL PROTECTED]/
header __FAKE_TO_MYCOMP To =~ /[EMAIL PROTECTED]/
meta FROM_MYCOMP_TO_MYCOMP (__FAKE_FROM_MYCOMP && __FAKE_TO_MYCOMP)
Loren
