Unfortunately, it seems that MCP doesn't like the rule:

header      __ENV_FROM_DHL        Received =~ /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
header      __FROM_DHL                From =~ /\bdhl(?:[-_][^ .]+)?\.com/i
header      __ENV_FROM_UPS       Received =~ /envelope-from [^ @]+@ups\.com/i
header      __FROM_UPS                From =~ /\bups\.com/i
meta        DHL_UPS_MISMATCH    (__ENV_FROM_DHL && __FROM_UPS) || (__ENV_FROM_UPS && __FROM_DHL)
describe   DHL_UPS_MISMATCH    virus DHL-USA or UPS
score       DHL_UPS_MISMATCH    11

When I wrote this to the MCP rules file, none of my other rules work.

Regards,

Sergio




On Mon, Nov 21, 2011 at 10:55 AM, Bowie Bailey <bowie_bai...@buc.com> wrote:

> On 11/21/2011 11:35 AM, John Hardin wrote:
> > On Mon, 21 Nov 2011, Bowie Bailey wrote:
> >
> >> On 11/20/2011 10:02 PM, Sergio wrote:
> >>> header   __ENV_FROM_DHL    Received =~ /envelope-from [^ @]+@dhl[^
> >>> .]+\.com/i
> >>> header   __FROM_DHL        From =~ /\bdhl[^ .]+\.com/i
> >> These will match any domain that starts with "dh" and ends with ".com".
> > You overlooked the "l".
>
> Hmm...  Guess I did...
>
> >
> >> For example, they will match "someu...@dhalailama.com".  Is this
> >> expected?
> > It won't.
> >
> >> If you just want to match a single character, then get rid of
> >> the +.
> > It's to match "-usa" or other dhl domain name variants. The line wrap in
> > email makes that look like a single character RE. The actual RE I
> > suggested is:
> >
> >    /envelope-from [^ @]+@dhl[^ .]+\.com/i
>
> The line wrap wasn't an issue.  I just didn't see the "l".  And with
> this font, I think I see why I didn't see it the first time.  It blends
> in with the square bracket.
>
> > It also won't match "dhl.com". My bad. As I said, it was off the top of my
> > head.
> >
> > These might be better:
> >
> >    /envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com/i
> >
> >    /\bdhl(?:[-_][^ .]+)?\.com/i
>
> Do the "@" characters need to be escaped?  In a normal Perl RE they
> would, but I'm not sure if SA is treating them any differently since it
> is reading them in from a config file.
>
> --
> Bowie
>
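
Added example, not part of the original thread: the patterns discussed above run against constructed headers in Python (whose `re` module treats these particular constructs the same way Perl does), showing what the first-draft and revised DHL patterns match and how the DHL_UPS_MISMATCH meta combines the four sub-rules. The sample messages, hostnames and helper names are constructed for illustration, and joining all Received values before matching is an assumption about how the header rule is applied.

```python
import re
from email import message_from_string

# Patterns copied from the thread; Perl's /i flag becomes re.I.
DRAFT_ENV_DHL = re.compile(r"envelope-from [^ @]+@dhl[^ .]+\.com", re.I)
ENV_DHL = re.compile(r"envelope-from [^ @]+@dhl(?:[-_][^ .]+)?\.com", re.I)
FROM_DHL = re.compile(r"\bdhl(?:[-_][^ .]+)?\.com", re.I)
ENV_UPS = re.compile(r"envelope-from [^ @]+@ups\.com", re.I)
FROM_UPS = re.compile(r"\bups\.com", re.I)


def env_matches(pattern, domain):
    """Test one envelope-from pattern against a constructed Received fragment."""
    return bool(pattern.search(f"(envelope-from <user@{domain}>)"))


def dhl_ups_mismatch(raw):
    """Evaluate the DHL_UPS_MISMATCH meta rule on one raw message."""
    msg = message_from_string(raw)
    # Assumption: all values of a repeated header are joined before matching.
    received = "\n".join(msg.get_all("Received", []))
    sender = "\n".join(msg.get_all("From", []))
    env_dhl = bool(ENV_DHL.search(received))
    env_ups = bool(ENV_UPS.search(received))
    from_dhl = bool(FROM_DHL.search(sender))
    from_ups = bool(FROM_UPS.search(sender))
    return (env_dhl and from_ups) or (env_ups and from_dhl)


def make_msg(envelope_from, header_from):
    """Build a constructed sample message; hosts and addresses are invented."""
    return (
        "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
        f"\tby mx.example.org (envelope-from <{envelope_from}>) with ESMTP\n"
        f"From: {header_from}\n"
        "Subject: Tracking notification\n\n"
        "body\n"
    )


if __name__ == "__main__":
    for domain in ("dhl.com", "dhl-usa.com", "dhalailama.com"):
        print(domain, "draft:", env_matches(DRAFT_ENV_DHL, domain),
              "revised:", env_matches(ENV_DHL, domain))
    print(dhl_ups_mismatch(make_msg("bounce@dhl-usa.com", "UPS <info@ups.com>")))
```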
