I'm trying to understand why this rule fires on some messages:
meta        PHISH_ZIMBRA  ( __ZIMBRA_00 + __ZIMBRA_01 + __ZIMBRA_02 + __ZIMBRA_03 > 2 ) && __NOT_FROM_INTERNAL

I read it this way:
 IF at least THREE rules among __ZIMBRA_00, 01, 02 or 03 are matched AND
rule __NOT_FROM_INTERNAL is matched then meta PHISH_ZIMBRA is matched and
points should be calculated.

It happens that in the -D logs I get:
dbg: rules: ran body rule __ZIMBRA_01 ======> got hit: "aggiornato"
then
dbg: check: subtests=
(omissis)__NOT_FROM_INTERNAL,__ZIMBRA_01,__ZIMBRA_02,__ZIMBRA_03

Please note how ZIMBRA_02 and ZIMBRA_03 are listed in the subtests list but not
listed in the matched rules...

How can this happen?
How can I debug this?

If I remove the matched word from __ZIMBRA_01, the 02 and 03 are still
matched but not logged....

Thanks

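An added example, not part of the original post: a small Python helper that reads `-D` output in the format quoted above, re-evaluates the PHISH_ZIMBRA meta expression against the `subtests=` list, and reports which subtests have no matching "got hit" debug line. The sample log is constructed from the lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample, in the format of the -D lines quoted in the post.
SAMPLE_LOG = '''\
dbg: rules: ran body rule __ZIMBRA_01 ======> got hit: "aggiornato"
dbg: check: subtests=__NOT_FROM_INTERNAL,__ZIMBRA_01,__ZIMBRA_02,__ZIMBRA_03
'''

# "ran <type> rule <name> ======> got hit" lines and the final subtests list.
HIT_RE = re.compile(r'dbg: rules: ran (\S+) rule (\S+) =+> got hit')
SUBTESTS_RE = re.compile(r'dbg: check: subtests=(.*)')


def parse_debug(log):
    """Return ({rule: rule_type} for logged hits, set of subtest names)."""
    logged, subtests = {}, set()
    for line in log.splitlines():
        hit = HIT_RE.search(line)
        if hit:
            logged[hit.group(2)] = hit.group(1)
            continue
        sub = SUBTESTS_RE.search(line)
        if sub:
            subtests.update(n.strip() for n in sub.group(1).split(',') if n.strip())
    return logged, subtests


def explain_phish_zimbra(log):
    """Re-evaluate the meta from the post using the subtests list only."""
    logged, subtests = parse_debug(log)
    zimbra = ['__ZIMBRA_0%d' % i for i in range(4)]
    matched = [name for name in zimbra if name in subtests]
    return {
        'matched': matched,
        # ( __ZIMBRA_00 + ... + __ZIMBRA_03 > 2 ) && __NOT_FROM_INTERNAL
        'fires': len(matched) > 2 and '__NOT_FROM_INTERNAL' in subtests,
        # Subtests that hit but produced no "got hit" debug line.
        'hit_without_debug_line': sorted(subtests - set(logged)),
    }


if __name__ == '__main__':
    for key, value in explain_phish_zimbra(SAMPLE_LOG).items():
        print(key, '=', value)
```

The `subtests=` list is what the meta expression is checked against here, so a sub-rule counts toward the sum even when no "got hit" line was printed for it.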