I finally make my MCP rule like this: header __VIRUS_DHL1 FROM =~ /dhl-usa.com/i header __VIRUS_DHL2 ALL =~ /CommuniGate Pro SMTP 5.2.3/i meta VIRUS_DHLTOTAL (__VIRUS_DHL1 && __VIRUS_DHL2) describe VIRUS_DHLTOTAL Correo con virus de DHL-USA score VIRUS_DHLTOTAL 11
One more option that I will like to add, for this rule to check is for attachments, where do I look for the attachment file, it is in the body? Once again, thank you. Sergio On Sat, Nov 19, 2011 at 10:45 AM, Sergio <sec...@gmail.com> wrote: > RW, > Now I understand why it gave a 1 point when I declared 11 on the score, > lol. > > I was trying to follow the spamassassin tutorial and saw the example, it > shows the two underscore but never said that they are kind of mandatory, > thanks a lot for pointing this out. > > John Harding, > this is one header of the emails that I received: > > ******************************* > Received: from 90.red-217-126-251.staticip.rima-tde.net ([217.126.251.90]) > by MY-SERVER with smtp (Exim 4.69) > (envelope-from <plaintiveo...@dhl-usa.com>) > id 1RQNQZ-0002Q1-QD > for my-u...@domain.com; Tue, 15 Nov 2011 12:08:15 -0600 > Received: from [116.54.126.71] (helo=mflmo.gquvpofbkojyxb.ua) > by 90.Red-217-126-251.staticIP.rima-tde.net with esmtpa (Exim 4.69) > (envelope-from ) > id 1MMQJ8-3051eb-TY > for <my-u...@domain.com>; Tue, 15 Nov 2011 19:08:13 +0100 > Message-ID: <1232210117.3q65wy5i448...@azbvbczcdgxeoq.mqfphqgytobofv.com> > From: UPS Support <auto-not...@ups.com> > To: <pa...@macred.com> > Subject: UPS Delivery Notification, Tracking Number B2HVYOSTJB101NXOM5 > Date: Tue, 15 Nov 2011 19:08:13 +0100 > MIME-Version: 1.0 > Content-Type: multipart/mixed; > boundary="----=_NextPart_000_0006_01CCA3C9.EBFEF390" > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 5.00.2919.6600 > X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 > ******************************* > > Thanks a lot for your kind answers. > > Best Regards, > > Sergio Cabrera > > > On Sat, Nov 19, 2011 at 8:18 AM, RW <rwmailli...@googlemail.com> wrote: > >> On Sat, 19 Nov 2011 05:42:43 -0600 >> Sergio wrote: >> >> >> >> > header VIRUS_DHL2 ALL =~ /text inside the email to check for/i >> >> This looks for the text in all of the headers. If you meant to look in >> the body, then you want: >> >> body VIRUS_DHL2 /text inside the email to check for/i >> >> You should also consider naming the sub-rules with two leading >> underscore (like __VIRUS_DHL2), or explicitly score them, to prevent >> then having a one point default score. >> > >