jdow said: > snip >>>Yup, it sure does, but that's OK. The intent was to detect email messages >>>where: >>> >>>1) From matches /\bebay\b/i >>>2) From DOES NOT MATCH /[EMAIL PROTECTED]/i >>> >>>The fact that "@ebay." matches /bebay\b/ is irrelevant.
> Let's see if I can amplify the intent. > > The particular spam had a header line that looked like: > From: "eBay" <[EMAIL PROTECTED]> > > This did not trigger any existing "ebay.com" spoof rules for the simple > reason that "ebay.com" does not appear. > This might be a simple way to limit where it looks.. header __TESTSAMPLE From:name =~ /\bebay\b/i header __TESTSAMPLE2 From:addr !~ /\bebay\b/i meta EBAYSPOOF __TESTSAMPLE && __TESTSAMPLE2 Well something along those lines anyway. Cheers, matt