On 2011-11-25 21:36, Sergio wrote:
@Axb,
just curious.. what are you trying to achieve by running these domains
through ALL headers?
catch senders?  received headers?
There are headers that come with the following:

Received: from [66.85.187.123] *(helo=vpn123.layeredvpnzervices.com)*
      by izabal.espacioydominio.com with esmtp (Exim 4.69)
      (envelope-from<accountingeducation.yjuee*@nwwrej.afraidageshare.net*>)
      id 1RTzVK-0000Jp-IR
      for chard...@secmas.net; Fri, 25 Nov 2011 11:24:02 -0600
From: accounting education<accountingeducation.yj...@nwwrej.afraidageshare.net>

Received: from [66.85.158.200] (*helo=search200.complementhold.com*)
      by izabal.espacioydominio.com with esmtp (Exim 4.69)
      (envelope-from<nursingschool.ncqq...@aifnqk.laughsidecant.net>)
      id 1RTzPA-0007TD-CR
      for chard...@secmas.net; Fri, 25 Nov 2011 11:17:40 -0600
From: nursing school<*nursingschool.ncqq...@aifnqk.laughsidecant.net*>

Just to mention two examples, well, the point is that in a lot of spam
emails the HELO is the same for a lot of different email addresses, so, I
am trying to block that.

Is there a better way than checking all the headers?

Look at it this way: the less a rule has to do, the faster it is and the less prone to error/FPs.

If you check ALL headers, SA will go through long DKIM headers for a pattern which will not show up in a DKIM header, it will look in X headers, From, To, etc., etc. A big waste of time and CPU cycles when all you want to check is Received:

try with:

header BLAH Received =~/\blayeredvpnzervices\.com\b/
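
An added example, not part of the original message or of SpamAssassin: a Python sketch that finds HELO domains reused across different sender domains, shows why scoping the match to Received avoids a hit that an ALL-headers match would produce, and emits a rule of the shape suggested above. The sample messages, the `LOCAL_HELO_` rule names and the two-label `base_domain` shortcut are assumptions made for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

HELO_RE = re.compile(r"\bhelo=([A-Za-z0-9.-]+)")  # Exim-style, as in the thread
HOP = "\tby mx.rcpt.example with esmtp (Exim 4.69)\n"
# Constructed messages (documentation IPs, .example domains), not real traffic.
SAMPLES = [
    "Received: from [192.0.2.10] (helo=vpn1.bulkhelo.example)\n" + HOP
    + "From: a <a@x1.senderone.example>\n\nbody\n",
    "Received: from [192.0.2.11] (helo=vpn2.bulkhelo.example)\n" + HOP
    + "From: b <b@x2.sendertwo.example>\n\nbody\n",
    "Received: from [198.51.100.5] (helo=mail.goodcorp.example)\n" + HOP
    + "From: c <c@goodcorp.example>\n"
    + "Subject: is bulkhelo.example on your blocklist?\n\nbody\n",
]

def base_domain(host):
    # Assumption: last two labels; real traffic needs a public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def shared_helos(messages, min_senders=2):
    """HELO domains (from Received only) seen with >= min_senders From domains."""
    senders = defaultdict(set)
    for raw in messages:
        msg = message_from_string(raw)
        sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
        for value in msg.get_all("Received", []):
            for host in HELO_RE.findall(value):
                senders[base_domain(host)].add(sender)
    return sorted(d for d, s in senders.items() if len(s) >= min_senders)

def rule_hits(raw, domain, scope="Received"):
    """Approximate a header rule on one header name, or on every header for ALL."""
    pat = re.compile(r"\b" + re.escape(domain) + r"\b")
    msg = message_from_string(raw)
    return any(pat.search(v) for k, v in msg.items()
               if scope == "ALL" or k.lower() == scope.lower())

def sa_rule(domain):
    # Rule name is hypothetical; the pattern has the shape suggested in the thread.
    name = "LOCAL_HELO_" + re.sub(r"\W", "_", domain).upper()
    return f"header {name} Received =~ /\\b{re.escape(domain)}\\b/"

if __name__ == "__main__":
    for d in shared_helos(SAMPLES):
        print(sa_rule(d))
```

The third sample only mentions the domain in its Subject, so the Received-scoped check leaves it alone while the ALL-scoped check would flag it.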



