Kai Schaetzl writes:
> Dan Barker wrote on Mon, 20 Aug 2007 09:05:44 -0400:
>
> > a) Investigate the possibility of FP's due to this change. It "looks" OK to
> > me, but I don't have a large corpus of non-bounce delivery status
> > notifications against which to test (er, ah, I have none<g>)
>
> As this rule *wants* to match non-malware bounces it would be hard to define
> an FP in this case. ;-)
> Actually, I think you could make it much more generic without creating FPs.
>
> /Delivery Status Notification/
> /Delivery Failure Notification/
>
> ->
>
> /Delivery.*Notification/
>
> should be ok to use. There is a slight chance it matches a "Delivery
> Notification" that comes from UPS or a cargo carrier, in case they send out
> something like this, but at least I haven't yet seen any.

actually, it's better to keep these Subject rules as *non*-generic as
possible -- as you note, "notifications" about "deliveries" are not rare,
and FPs are best avoided. I'd even suggest:

/^Delivery Status Notification/
/^Delivery Failure Notification/

--j.
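
The trade-off between the three Subject pattern variants in this thread, as an added example that is not part of either poster's message or of SpamAssassin itself. Python's `re.search` stands in for the rule's Subject match, and the sample subjects and their bounce/non-bounce labels are constructed assumptions.

```python
import re

# The three Subject pattern variants discussed in the thread.
VARIANTS = {
    "generic": [r"Delivery.*Notification"],
    "original": [r"Delivery Status Notification",
                 r"Delivery Failure Notification"],
    "anchored": [r"^Delivery Status Notification",
                 r"^Delivery Failure Notification"],
}

# Constructed sample Subject values: (subject, is_bounce).
# Labels are assumptions made for this illustration.
SAMPLES = [
    ("Delivery Status Notification (Failure)", True),
    ("Delivery Failure Notification", True),
    ("Delivery Status Notification (Delay)", True),
    ("UPS Delivery Notification, Tracking Number 000000", False),
    ("Your Delivery Confirmation and Shipment Notification", False),
    ("Re: Delivery Status Notification (Failure)", False),
    ("Fwd: odd Delivery Failure Notification from our MX", False),
]


def hits(variant, subject):
    """True if any pattern of the variant matches the Subject value."""
    return any(re.search(p, subject) for p in VARIANTS[variant])


def score(variant, samples=SAMPLES):
    """Return (false_positives, false_negatives) as lists of subjects."""
    fp = [s for s, bounce in samples if not bounce and hits(variant, s)]
    fn = [s for s, bounce in samples if bounce and not hits(variant, s)]
    return fp, fn


if __name__ == "__main__":
    for name in VARIANTS:
        fp, fn = score(name)
        print(f"{name:9s} FPs={len(fp)} FNs={len(fn)}")
        for s in fp:
            print(f"          FP: {s}")
```

On this sample the generic pattern also fires on carrier and shipping mail, the unanchored originals fire on replies and forwards that quote the bounce subject, and the anchored pair matches only subjects that begin with the bounce text.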