On Fri, 22 Nov 2019 00:00:53 +0000 Martin Gregorie wrote:
> describe SPOOFED_MAYOR Check for spoofed mail from the Mayor > header __SM1 From:name =~ /^John M Mayor$/ > header __SM2 From:addr =~ /^john\@cityhall\.com$/ > meta SPOOFED_MAYOR (__SM1 && ! __SM2) || ! _SM1 > score SPOOFED_MAYOR 5.0 > .. > The final " || ! __SM1" meta term is only needed if > you want to ensure that the name part must also be an exact match, > i.e. you assume that the user will notice that the sender name isn't > quite right, but a careful rule writer would not rely on that, hence > its inclusion. I don't understand what you were aiming for here, but '|| ! _SM1' means that the rule will hit *anything* that doesn't match __SM1, which is almost everything. __SM1 is too prescriptive, even "John M. Mayor" wont match.