On Sat, 2017-11-25 at 11:41 -0600, Jerry Malcolm wrote:
> Thanks so much for all the info.  I have installed KAM rules, and I've
> started becoming a ninja writing my own (simple) rules.  MUCH improved
> results (amazing when you finally learn what you're doing....)
> 
> I figure before this is all over with, I'm going to have to become very
> knowledgeable about regex.  But I'm not there yet.  Just out of
> curiosity, has anybody written a rule that checks if the 'from name'
> contains "Amazon" but the 'from domain' name does not contain "Amazon"
> (or variations for Kohls, Target, etc)?  That's definitely for the
> sophomore class in regex, and I'm struggling with the freshman
> class....  Any regex experts that can whip this out?
> 
Or, if you want to make the rule very specific, you can do something
like this:

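describe  FAKE_AMAZON_FROM  Pick up who claim to be Amazon but aren't
# __FAF1: the display name part of From mentions Amazon
header    __FAF1            from:name =~ /Amazon/
# __FAF2: the address part of From contains amazon.com (any case)
header    __FAF2            from:addr =~ /amazon\.com/i
meta      FAKE_AMAZON_FROM  ( __FAF1 && !__FAF2 )
score     FAKE_AMAZON_FROM  3.0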

The two subrules with '__' prefixes don't generate scores but take true
or false values which the meta rule can test. 

The meta rule only fires if the name contains 'Amazon' and the address
does not contain it. Note that the __FAF2 rule matches regardless of
the mix of upper and lower case letters in the domain name because the
'i' suffix makes it a caseless comparison.


Martin
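
The logic of the meta rule above, modelled in Python as an added example (not part of the original message and not SpamAssassin code), extended to the Kohls and Target variations asked about. It compares the substring test with a stricter domain-suffix test; the brand/domain map, the case-insensitive name match and all sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed brand -> legitimate sending domain map (constructed for illustration).
BRANDS = {"amazon": "amazon.com", "kohls": "kohls.com", "target": "target.com"}

def split_from(header):
    """Return (display_name, address), lower-cased, apostrophes dropped from the name."""
    name, addr = parseaddr(header)
    return name.lower().replace("'", ""), addr.lower()

def substring_rule(header, brand, domain):
    """Model of the meta rule: name contains the brand, address does not contain the domain."""
    name, addr = split_from(header)
    return brand in name and domain not in addr

def anchored_rule(header, brand, domain):
    """Stricter variant: the address host must be the brand domain or one of its subdomains."""
    name, addr = split_from(header)
    host = addr.rpartition("@")[2]
    legit = host == domain or host.endswith("." + domain)
    return brand in name and not legit

def check(header):
    """Return {brand: (substring_hit, anchored_hit)} for each brand named in the display name."""
    name, _ = split_from(header)
    return {b: (substring_rule(header, b, d), anchored_rule(header, b, d))
            for b, d in BRANDS.items() if b in name}

# Constructed sample From headers (not taken from real mail).
SAMPLES = [
    '"Amazon.com" <auto-confirm@amazon.com>',
    "Amazon <ship@marketplace.amazon.com>",
    "Amazon Support <help@secure-login.example>",
    "Amazon Prime <deals@amazon.com.example.net>",
    "Kohl's Rewards <promo@example.org>",
    "Jane Doe <jane@example.org>",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r:50} {check(h)}")
```

The fourth sample is the case to watch: the address contains "amazon.com" as a substring, so the substring test stays silent, while the suffix test flags it.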

