Thanks for the tip. Due to my "newbie-ness" with these products I'm a little uncertain were to start. Amavis seems to build many rules, and interface with SA where it actually has options in it.
Would I build this rule within amavis or SA?
I'd do the rule as a SA rule, since it's SA's autolearner you want to affect.
And of course, could you (or someone) point me to some documentation or example?
http://wiki.apache.org/spamassassin/WritingRules
So for this header:
Received: from mattk-801-567.evi-inc.com (mattk-801-567.evitechnology.com [10.0.6.249])
by xanadu.evi-inc.com (8.12.8/8.12.8) with ESMTP id iBV0gIZP031926
Assuming my "internal machines" are 10.0.6.0/24, and all RDNS to evitechnology.com names, I might write:
header L_OUTBOUND_MAIL Received =~ /from .{1,60}\.evitechnology.com \[10\.0\.6\.\d{1,3}\]\).{0,10}by xanadu\.evi\-inc\.com .{1,50} with ESMTP id/s
score L_OUTBOUND_MAIL -1.0
Other, less specific variants:
header L_OUTBOUND_MAIL0 Received =~ /from .{1,60}\.evitechnology.com \[10\.0\.6\.\d{1,3}\]\).{0,10}by xanadu\.evi\-inc\.com/s
score L_OUTBOUND_MAIL0 -1.0
Caution: these last two are easily forged:
header L_OUTBOUND_MAIL2 Received =~ /from .{1,60}\.evitechnology.com \[10\.0\.6\.\d{1,3}\]\)/
score L_OUTBOUND_MAIL2 -1.0
header L_OUTBOUND_MAIL3 Received =~ /from .{1,60}\.evitechnology.com/
score L_OUTBOUND_MAIL3 -1.0