Hi all, I may have missed something in this thread, having just joined the maillist. So forgive me if this has already been discussed or what I am saying doesn't make sense with what y'all are talking about. :)
I ran into a similar problem when I tried to blacklist all mail from our company's domain name (pse.com) that was received on the external MX servers. Our internal email should never hit these MX servers and I listed a few IPs as Trusted Networks where I knew mail would come from. It worked fine, but the only problem with this was that the From or Return-Path fields are often modified by maillists (which I discovered after I implemented this and had to change it back). So you won't get your own posts to maillists and no one will see any posts to maillists that other people in the same company sent.

I think you may have a similar problem with the rule you're writing. If the score is kept low, it may push Spam over the threshold and still allow real email from maillists through.

Ted Barham MCSE, CCNA
Senior Technical Systems Analyst
Puget Sound Energy
[EMAIL PROTECTED]
425-456-2240

-----Original Message-----
From: Loren Wilton [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 12:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Rule Writing

>header __FAKE_FROM_MYCOMP from =~ /(\@)(xyz)/
>header __FAKE_TO_MYCOMP to =~ /(\@)(xyz)/
>meta FROM_MYCOMP_TO_MYCOMP (( __FAKE_FROM_MYCOMP + __FAKE_TO_MYCOMP) > 1)
>score FROM_MYCOMP_TO_MYCOMP 20.0

>It should be fine as-is, which suggests some minor bug in the regexes that
>I'm seeing, or in your conception of what should be blocked.

>Have you looked at the headers of the false hits? Keep in mind that SA
>treats multiple headers as From and To. From will match From, Return-path,
>Resent-From and others. To will also match Cc.

I'm not positive, but I think To only matches 'to' and you use ToCc to match both. I could be wrong though.

I would write your rules a little differently to try to be more specific in what I was checking, but I don't really see an obvious problem with them as they are. As other people have suggested, running the rules on a test mail to see what hits would be the thing to do.

I'd adjust your rules to something like:

header __FAKE_FROM_MYCOMP From =~ /[EMAIL PROTECTED]/
header __FAKE_TO_MYCOMP To =~ /[EMAIL PROTECTED]/
meta FROM_MYCOMP_TO_MYCOMP (__FAKE_FROM_MYCOMP && __FAKE_TO_MYCOMP)

        Loren
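
An added example, not part of either message above: a simplified Python model (not SpamAssassin itself) of the checks discussed in this thread, run over constructed headers to show which mail each variant flags. Assumptions: example.com stands in for the redacted company domain, 5.0 is the spam threshold, and the base scores are what other rules would have contributed.

```python
import re
from email import message_from_string

# Assumptions: example.com stands in for the redacted company domain;
# 5.0 is the spam threshold; base scores are what other rules contributed.
DOMAIN_RE = re.compile(r"@example\.com\b", re.I)
THRESHOLD = 5.0

# Constructed samples: (label, base score, raw headers)
SAMPLES = [
    ("forged_spam", 4.0,
     "From: ceo@example.com\nTo: staff@example.com\nSubject: invoice\n\n"),
    ("list_post", 0.5,
     "From: ted@example.com\nTo: users@lists.example.org\nSubject: Re: Rule Writing\n\n"),
    ("list_post_cc", 0.5,
     "From: ted@example.com\nTo: users@lists.example.org\nCc: ann@example.com\n\n"),
    ("outside_mail", 0.2,
     "From: bob@example.net\nTo: ted@example.com\nSubject: hello\n\n"),
]

def hits(raw, to_headers=("To",)):
    """Return (from_hit, to_hit) for one message, checking only the named headers."""
    msg = message_from_string(raw)
    from_hit = bool(DOMAIN_RE.search(msg.get("From", "")))
    to_hit = any(DOMAIN_RE.search(value)
                 for name in to_headers for value in msg.get_all(name, []))
    return from_hit, to_hit

def verdicts(rule, score, to_headers=("To",)):
    """Map label -> flagged as spam. rule is 'from_only' (blanket blacklist of
    the domain) or 'meta' (From hit AND To hit, as in the thread's meta rule)."""
    result = {}
    for label, base, raw in SAMPLES:
        from_hit, to_hit = hits(raw, to_headers)
        fired = from_hit if rule == "from_only" else (from_hit and to_hit)
        result[label] = base + (score if fired else 0.0) >= THRESHOLD
    return result

if __name__ == "__main__":
    for args in [("from_only", 20.0), ("meta", 20.0),
                 ("meta", 20.0, ("To", "Cc")), ("meta", 2.0, ("To", "Cc"))]:
        print(args, verdicts(*args))
```

On these samples, the blanket From check at 20.0 flags both list posts, while the combined rule flags a list post only when Cc is checked as well and a colleague is copied. At 2.0 the same rule flags only the message that other rules had already scored near the threshold.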
